MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebb4dedf0806b2b7ec4cdd0e685c38333d2669a8dab614721c0eb81c7333c68a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebb4dedf0806b2b7ec4cdd0e685c38333d2669a8dab614721c0eb81c7333c68a
SHA3-384 hash: d95a59fb9b9068e3b4e3f812c25036ead82ddac468bdfff88a993bcf155bfb72834a62a5825cc7f2c8050365f10cc03f
SHA1 hash: 26eeb8aa442d078b435ee9c5445e126c4677a73b
MD5 hash: 8f307a5db76ea7573f1824d852178c0c
humanhash: golf-four-spaghetti-robert
File name:8f307a5db76ea7573f1824d852178c0c
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:5'141'464 bytes
First seen:2024-07-31 04:16:58 UTC
Last seen:2024-07-31 06:18:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b1c5b1beabd90d9fdabd1df0779ea832 (11 x CoinMiner, 10 x QuasarRAT, 8 x AsyncRAT)
ssdeep 98304:0qwZBLUlpN/YrZIuVZpLIyT2blKOiTlraDKQf7pRHwawycS:0qwZBwlpKZIYux4rZM7pRXCS
TLSH T1F8362309E79904F9D4BBEA3CD9974952E27A3C8A037196EF13B1061E1F673809D3D722
TrID 76.9% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
16.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.5% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter zbetcheckin
Tags:64 AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
405
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8f307a5db76ea7573f1824d852178c0c
Verdict:
Malicious activity
Analysis date:
2024-07-31 04:20:45 UTC
Tags:
xworm remote
Link:
https://app.any.run/tasks/114d6f2e-5804-47b1-a971-d2d71f4b5fb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a9bac2c06bd32e596e8a32
Tags:
Encryption Infostealer Network Static Stealth Trojan Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Creating a file in the %AppData% directory
DNS request
Connecting to a non-recommended domain
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm crypto fingerprint installer keylogger lolbin microsoft_visual_cc overlay packed redcap setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/66a9babf9149fd55f992c14c/reports/e96bb4f0-1f39-46a3-a812-f82ac857ef48/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/ebb4dedf0806b2b7ec4cdd0e685c38333d2669a8dab614721c0eb81c7333c68a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a94bf0e3-b961-487e-a434-53f3dca16b71
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1485107
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1485107 Sample: CvK3nrYTRQ.exe Startdate: 31/07/2024 Architecture: WINDOWS Score: 100 68 hithitlwer.zapto.org 2->68 70 time.windows.com 2->70 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Multi AV Scanner detection for dropped file 2->84 86 8 other signatures 2->86 8 CvK3nrYTRQ.exe 31 2->8         started        11 cmd.exe 1 2->11         started        13 cmd.exe 2->13         started        15 2 other processes 2->15 signatures3 process4 file5 58 C:\Users\user\AppData\Local\...\zlib1.dll, PE32+ 8->58 dropped 60 C:\Users\user\AppData\Local\Temp\...\zip.dll, PE32+ 8->60 dropped 62 C:\Users\user\AppData\Local\...\xpdApi.dll, PE32+ 8->62 dropped 64 19 other files (15 malicious) 8->64 dropped 17 NOO.exe 1 25 8->17         started        21 NOO.exe 1 11->21         started        23 conhost.exe 11->23         started        25 NOO.exe 1 13->25         started        27 conhost.exe 13->27         started        29 conhost.exe 15->29         started        31 conhost.exe 15->31         started        process6 file7 48 C:\Users\user\Document\zlib1.dll, PE32+ 17->48 dropped 50 C:\Users\user\Document\zip.dll, PE32+ 17->50 dropped 52 C:\Users\user\Document\xpdApi.dll, PE32+ 17->52 dropped 54 19 other malicious files 17->54 dropped 72 Creates multiple autostart registry keys 17->72 74 Writes to foreign memory regions 17->74 76 Allocates memory in foreign processes 17->76 33 RegAsm.exe 1 4 17->33         started        38 conhost.exe 17->38         started        78 Injects a PE file into a foreign processes 21->78 40 MSBuild.exe 1 21->40         started        42 conhost.exe 21->42         started        44 jsc.exe 1 25->44         started        46 conhost.exe 25->46         started        signatures8 process9 dnsIp10 66 hithitlwer.zapto.org 185.196.10.132, 49699, 7004 SIMPLECARRIERCH Switzerland 33->66 56 C:\Users\user\AppData\Roaming\Chromes.exe, PE32 33->56 dropped 88 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->88 90 Creates multiple autostart registry keys 33->90 file11 signatures12
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ebb4dedf0806b2b7ec4cdd0e685c38333d2669a8dab614721c0eb81c7333c68a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebb4dedf0806b2b7ec4cdd0e685c38333d2669a8dab614721c0eb81c7333c68a/
Threat name:
Win64.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-07-22 17:20:38 UTC
File Type:
PE+ (Exe)
Extracted files:
53
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5o2n5xyia2zlp3cm3uhgqxbygm6sm2ni3k3bi4q4b24by4zty2fa._file
Verdict:
malicious
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm persistence rat trojan
Link:
https://tria.ge/reports/240731-ewdbaazgla/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
hithitlwer.zapto.org:7004
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e86ecd2e-c26e-4500-a452-25e013a1b83a
Unpacked files
SH256 hash:
d8ca3cf209eec87e8e9f1ce63917a2bce05ea136fce5f1e2b17fe80f02c914dd
MD5 hash:
9556c9ce5194f7090b05211b460251c7
SHA1 hash:
ce754a0a170e6f57cf1d76a82fec16ac6b27e379
Link:
https://www.unpac.me/results/1c34a2c2-4fb8-4988-a5f4-4097a6515bcd/
SH256 hash:
0a91e0f75557e5f1e0bc08f566b322a0f1d3760043f6f2e042b59d8faa5d0e95
MD5 hash:
7550af24829a88f3fe4d8460747269c3
SHA1 hash:
3907f1ab7fbd21be432d87d5d10d3793db8fc03e
Link:
https://www.unpac.me/results/1c34a2c2-4fb8-4988-a5f4-4097a6515bcd/
SH256 hash:
ebb4dedf0806b2b7ec4cdd0e685c38333d2669a8dab614721c0eb81c7333c68a
MD5 hash:
8f307a5db76ea7573f1824d852178c0c
SHA1 hash:
26eeb8aa442d078b435ee9c5445e126c4677a73b
Link:
https://www.unpac.me/results/1c34a2c2-4fb8-4988-a5f4-4097a6515bcd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ebb4dedf0806b2b7ec4cdd0e685c38333d2669a8dab614721c0eb81c7333c68a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe ebb4dedf0806b2b7ec4cdd0e685c38333d2669a8dab614721c0eb81c7333c68a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3080419/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments


Avatar
zbet commented on 2024-07-31 04:16:59 UTC

url : hxxp://185.196.10.124/NO.exe