MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6e07cde3550631edba2fdf14825cb64f97a06715fca13cea78e6f85a0481f14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6e07cde3550631edba2fdf14825cb64f97a06715fca13cea78e6f85a0481f14
SHA3-384 hash: 98ad5e1c71c33e70057b60e14385c82c2232bbcabd89b99a93a43d5bd60f8c59ce5a838c6578bb72ea733f9e0c8aa434
SHA1 hash: cf406b114a9e7a45029f1dfa756943513fe6d8bc
MD5 hash: ce0639cb84857bd4ad992206e7369cb9
humanhash: romeo-quiet-romeo-cardinal
File name:file
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'029'632 bytes
First seen:2024-09-21 06:29:47 UTC
Last seen:2024-09-22 15:23:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8d489fb407dee81072c055a97f32e2d1 (1 x AsyncRAT, 1 x RustyStealer)
ssdeep 24576:1Hm7GnfHOGiTGzXzJ0Zduvfv5/iM6eBvOeMxRXm98tyMq0:pm7GfuGia0Zduvfv6wGeyla8ty
Threatray 4 similar samples on MalwareBazaar
TLSH T1E8259E5BF5A6A6BCC556C07443279A76B636B88D0231ADBF02D0D6303E99D620F3DB1C
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:AsyncRAT exe


Avatar
Bitsight
url: https://tmpfiles.org/dl/13121783/inst_4wky_x.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
460
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-21 06:30:03 UTC
Tags:
pastebin crypto-regex xworm ims-api generic telegram remote
Link:
https://app.any.run/tasks/f119d256-cce1-46bd-981f-1c4b446be23a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ee67ed1db25d66857c5da2
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug
Link:
https://www.filescan.io/uploads/66ee67eb5e9303a294236834/reports/2b849839-7cfa-44e4-bfb5-4f02fb12c843/overview
Verdict:
Malicious
Labled as:
Win64/Agent_AGeneric.CFS trojan
Link:
https://www.hybrid-analysis.com/sample/e6e07cde3550631edba2fdf14825cb64f97a06715fca13cea78e6f85a0481f14
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/062f2cc1-1b64-40f4-9787-538ba804a19f
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1514870
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Telegram RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e6e07cde3550631edba2fdf14825cb64f97a06715fca13cea78e6f85a0481f14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6e07cde3550631edba2fdf14825cb64f97a06715fca13cea78e6f85a0481f14/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=43qhzxrvkbrr5w5c7xyuqjolmt4xubtrl7fbhtvhrzxylicid4ka._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
donutloader
Create hunting rule
Similar samples:
b5d70d76b45b0544d3a35075704e9cc6cfc710f26ba4428f5cb771e4447bee5b
AsyncRAT
e6e07cde3550631edba2fdf14825cb64f97a06715fca13cea78e6f85a0481f14
AsyncRAT
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm rat trojan
Link:
https://tria.ge/reports/240921-g9glzaygrq/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Contains code to disable Windows Defender
Detect Xworm Payload
Xworm
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/edae10fb-7013-4868-a71e-c233d6dd4b93
Unpacked files
SH256 hash:
e6e07cde3550631edba2fdf14825cb64f97a06715fca13cea78e6f85a0481f14
MD5 hash:
ce0639cb84857bd4ad992206e7369cb9
SHA1 hash:
cf406b114a9e7a45029f1dfa756943513fe6d8bc
Link:
https://www.unpac.me/results/8de7cd71-fa74-4060-bdb1-a5ab55acd10e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6e07cde3550/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6e07cde3550631edba2fdf14825cb64f97a06715fca13cea78e6f85a0481f14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe e6e07cde3550631edba2fdf14825cb64f97a06715fca13cea78e6f85a0481f14

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3183986/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (uiAccess:None)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
ntdll.dll::NtCreateFile
KERNEL32.dll::CreateFileMappingA
KERNEL32.dll::CreateFileW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::accept
WS2_32.dll::bind
WS2_32.dll::closesocket
WS2_32.dll::connect
WS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo

Comments