MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d53a7df671c51cfcbe6526e499e50664d129e9c80dfd44dde860bae39542c4e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 18



SHA256 hash: d53a7df671c51cfcbe6526e499e50664d129e9c80dfd44dde860bae39542c4e1
SHA3-384 hash: b0bdea32ffc9606e1a7fd59de6e0c2b2c05b252a49b07f63c68c6e4bbb0600dbb6ed38815ff478b2894ae033fa8baec0
SHA1 hash: b0f22b21c7838faed0b97403daadd490bafb4dff
MD5 hash: 823b46c72b9a26d40782034e4ba4b758
humanhash: december-april-pizza-cat
File name: d53a7df671c51cfcbe6526e499e50664d129e9c80dfd44dde860bae39542c4e1.exe
Signature: AsyncRAT
File size: 925'696 bytes
First seen: 2024-10-19 23:29:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bff31fd858da5b637661732125d186c3 (1 x AsyncRAT)
ssdeep: 12288:Jb1IpKCPnar229ziUB8QmeHHOCVj9SXHTOy1jYbrn4l2VrR0VH2K27bLgUic1BT:Jb1rCnarZ9+UTmiHZzHbLpiczT
TLSH: T14B159F12BAC280F3C509253254B6733AFA74E6174B25CBD79364DE3DBC33581AA3B15A
TrID:
  41.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  22.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  11.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  7.6% (.EXE) Win64 Executable (generic) (10522/11/4)
  4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika: pebin
dhash icon: 6192a6a6a6a6c433 (1 x AsyncRAT)
Reporter: Chainskilabs
Tags: AsyncRAT exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 436
Origin country: RO

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d53a7df671c51cfcbe6526e499e50664d129e9c80dfd44dde860bae39542c4e1.exe
Verdict: Malicious activity
Analysis date: 2024-10-19 23:32:05 UTC
Tags: xworm

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
  Creating synchronization primitives
  Creating a window
  Launching cmd.exe command interpreter
  Creating a file in the %AppData% subdirectories
  Running batch commands
  Creating a process with a hidden window
  Launching a process
  Unauthorized injection to a system process
  Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm asyncrat backdoor blackworm cmd flystudio hook keylogger lolbin microsoft_visual_cc njrat obfuscated packed rat schtasks shell32 worm
Result
Verdict: SUSPICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected XWorm
Behaviour
Behavior Graph (ID 1537994; sample uNL935M6O8.exe; start date 20/10/2024; architecture WINDOWS; score 100):
  Process tree: uNL935M6O8.exe -> cmd.exe (x2); cmd.exe -> chrome.exe (x2); cmd.exe -> cmd.exe, conhost.exe; cmd.exe -> schtasks.exe; chrome.exe -> chrome.exe (child renderers)
  Dropped files: C:\Users\user\AppData\...\uNL935M6O8.exe (PE32); C:\Users\...\uNL935M6O8.exe:Zone.Identifier (ASCII)
  Network (chrome.exe): 192.168.2.8 (138, 443, 49703); 239.255.255.250 (reserved); s-part-0017.t-0009.t-msedge.net 13.107.246.45:443; s-part-0032.t-0009.t-msedge.net 13.107.246.60:443; 8 other IPs or domains
  Signatures on the graph: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes; Contains functionality to detect sleep reduction / modifications; Uses schtasks.exe or at.exe to add and modify task schedules; 9 other signatures
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-10-17 17:08:24 UTC
File Type: PE (Exe)
Extracted files: 48
AV detection: 21 of 24 (87.50%)
Threat level: 2/5
Verdict: malicious
Label(s):
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:xworm discovery rat trojan
Behaviour
  Enumerates system info in registry
  Modifies Internet Explorer settings
  Scheduled Task/Job: Scheduled Task
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Browser Information Discovery
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Suspicious use of SetThreadContext
  Detect Xworm Payload
  Xworm
Malware Config
C2 Extraction: liuweidragon.tpddns.cn:7000
Verdict: Malicious
Tags: rat xworm asyncrat trojan
YARA: win_mal_XWorm ByteCode_MSIL_Backdoor_AsyncRAT MALWARE_Win_XWorm Windows_Generic_Threat_b509dfc8

Unpacked files
SHA256 hash: c9b0dd742a95576c9926f0c663c8d3a515eec0871a7d05adf3b5c71d409bde12
MD5 hash: 2f525179a3c77e1c350c5709fdb0bec1
SHA1 hash: 8becbb83647ee80068b54d5cd1a43f04eb14483a
Detections: win_xworm_w0 MALWARE_Win_XWorm win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA win_xworm_bytestring MALWARE_Win_AsyncRAT

SHA256 hash: d53a7df671c51cfcbe6526e499e50664d129e9c80dfd44dde860bae39542c4e1
MD5 hash: 823b46c72b9a26d40782034e4ba4b758
SHA1 hash: b0f22b21c7838faed0b97403daadd490bafb4dff
Detections: win_xworm_w0

Malware family: BlackWorm
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ByteCode_MSIL_Backdoor_AsyncRAT
Author: ReversingLabs
Description: Yara rule that detects AsyncRAT backdoor.

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: Hacktools_CN_Panda_andrew
Author: Florian Roth
Description: Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

Rule name: MALWARE_Win_AsyncRAT
Author: ditekSHen
Description: Detects AsyncRAT

Rule name: MALWARE_Win_XWorm
Author: ditekSHen
Description: Detects XWorm

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: Njrat
Author: botherder https://github.com/botherder
Description: Njrat

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Windows_Generic_Threat_b509dfc8
Author: Elastic Security

Rule name: win_xworm_w0
Author: jeFF0Falltrades
Description: Detects win.xworm.

Rule name: without_attachments
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the absence of any attachment
Reference: http://laboratorio.blogs.hispasec.com/

Rule name: without_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the absence of any URL
Reference: http://laboratorio.blogs.hispasec.com/

Rule name: xworm
Author: jeFF0Falltrades

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                  Title                                                     Severity
CHECK_AUTHENTICODE  Missing Authenticode                                      high
CHECK_NX            Missing Non-Executable Memory Protection                  critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection  high
Reviews

ID                  Capabilities                     Evidence
MULTIMEDIA_API      Can Play Multimedia              WINMM.dll::midiOutPrepareHeader
                                                     WINMM.dll::midiOutReset
                                                     WINMM.dll::midiOutUnprepareHeader
                                                     WINMM.dll::midiStreamClose
                                                     WINMM.dll::midiStreamOpen
                                                     WINMM.dll::midiStreamOut
RAS_API             Uses Remote Access               RASAPI32.dll::RasGetConnectStatusA
                                                     RASAPI32.dll::RasHangUpA
SHELL_API           Manipulates System Shell         SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API   Can Create Process and Threads   KERNEL32.dll::CreateProcessA
                                                     KERNEL32.dll::CloseHandle
                                                     WININET.dll::InternetCloseHandle
                                                     KERNEL32.dll::CreateThread
WIN_BASE_API        Uses Win Base API                KERNEL32.dll::TerminateProcess
                                                     KERNEL32.dll::LoadLibraryA
                                                     KERNEL32.dll::GetVolumeInformationA
                                                     KERNEL32.dll::GetStartupInfoA
                                                     KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API   Can Execute other programs       KERNEL32.dll::WinExec
                                                     KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API     Can Create Files                 KERNEL32.dll::CopyFileA
                                                     KERNEL32.dll::CreateDirectoryA
                                                     KERNEL32.dll::CreateFileA
                                                     KERNEL32.dll::DeleteFileA
                                                     KERNEL32.dll::GetWindowsDirectoryA
                                                     KERNEL32.dll::GetSystemDirectoryA
WIN_REG_API         Can Manipulate Windows Registry  ADVAPI32.dll::RegCreateKeyExA
                                                     ADVAPI32.dll::RegOpenKeyExA
                                                     ADVAPI32.dll::RegQueryValueA
                                                     ADVAPI32.dll::RegSetValueExA
WIN_USER_API        Performs GUI Actions             USER32.dll::AppendMenuA
                                                     USER32.dll::CreateMenu
                                                     USER32.dll::EmptyClipboard
                                                     USER32.dll::OpenClipboard
                                                     USER32.dll::PeekMessageA
                                                     USER32.dll::CreateWindowExA

Comments