MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f20f7a895d3c4004241bbe4d9084b93fcc5183356aceacfb75b4f8e89f246f69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 16



SHA256 hash: f20f7a895d3c4004241bbe4d9084b93fcc5183356aceacfb75b4f8e89f246f69
SHA3-384 hash: 26e533e9ec2ac08cfbff564377921a39a14dffef676555196330e5d22098a09134d5a054a9a7e1adedd459db7412ba1b
SHA1 hash: 9f0393fb7f03bdfc4037199d548afa161e1014f8
MD5 hash: 13810bd006d43bf95581933f5db7b875
humanhash: comet-hot-table-juliet
File name: svchost.exe
Signature: AsyncRAT
File size: 110'592 bytes
First seen: 2024-07-30 06:49:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep: 1536:yxqjQ+P04wsZLnDrCeuXYCsptxJ6YOm0S3MryjDDMEaQ4NRfPGwBfb0:zr8WDrCeBLOm0NrynD9+f+wxb0
Threatray: 143 similar samples on MalwareBazaar
TLSH: T1F1B3BF5CFBD08935E1BE2FF84CA67216C639B7332D13966F74D5098A6A27AC0CD042D9
TrID: 79.6% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
      4.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      3.9% (.SCR) Windows screen saver (13097/50/3)
      3.1% (.EXE) Win64 Executable (generic) (10523/12/4)
      3.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Reporter: lontze7
Tags: AsyncRAT exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 372
Origin country: FR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: svchost.exe
Verdict: Malicious activity
Analysis date: 2024-07-30 06:51:09 UTC
Tags: evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: Discovery Encryption Network Spreading Static Stealth Delf Neshta
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a process with a hidden window
Creating a file in the Program Files subdirectories
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Adding an exclusion to Microsoft Defender
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Neshta, XWorm
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Found malware configuration
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Yara detected Neshta
Yara detected XWorm
Behaviour
Behavior Graph: [graph rendering not reproduced] Behavior Graph ID: 1484513; Sample: svchost.exe; Startdate: 30/07/2024; Architecture: WINDOWS; Score: 100
Threat name: Win32.Virus.Neshuta
Status: Malicious
First seen: 2024-07-29 15:21:29 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 36 of 37 (97.30%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:neshta family:xworm discovery execution persistence rat spyware stealer trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Neshta
Xworm
Malware Config
C2 Extraction: 45.83.207.67:6969
Unpacked files
SHA256 hash: c4238a5528333aecf29ec90830d8fc0ed889e9a1762c5281a23f7d571458bbd2
MD5 hash: 042eb0c1cbc3904bc42c0f1a037a611f
SHA1 hash: 4d2e84c6a56d2460bc0cd0a86425f38d4af552d0
SHA256 hash: f20f7a895d3c4004241bbe4d9084b93fcc5183356aceacfb75b4f8e89f246f69
MD5 hash: 13810bd006d43bf95581933f5db7b875
SHA1 hash: 9f0393fb7f03bdfc4037199d548afa161e1014f8
Detections: win_neshta_auto MAL_Malware_Imphash_Mar23_1 MAL_Neshta_Generic
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: ByteCode_MSIL_Backdoor_AsyncRAT
Author: ReversingLabs
Description: Yara rule that detects AsyncRAT backdoor.

Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

Rule name: MALWARE_Win_AsyncRAT
Author: ditekSHen
Description: Detects AsyncRAT

Rule name: MALWARE_Win_XWorm
Author: ditekSHen
Description: Detects XWorm

Rule name: MAL_Malware_Imphash_Mar23_1
Author: Arnim Rupp
Description: Detects malware by known bad imphash or rich_pe_header_hash
Reference: https://yaraify.abuse.ch/statistics/

Rule name: MAL_Neshta_Generic
Author: Florian Roth (Nextron Systems)
Description: Detects Neshta malware
Reference: Internal Research

Rule name: MAL_Neshta_Generic_RID2DC9
Author: Florian Roth
Description: Detects Neshta malware
Reference: Internal Research

Rule name: pe_detect_tls_callbacks

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: win_neshta_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
AsyncRAT
Executable exe f20f7a895d3c4004241bbe4d9084b93fcc5183356aceacfb75b4f8e89f246f69 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                  Title                                                     Severity
CHECK_AUTHENTICODE  Missing Authenticode                                      high
CHECK_NX            Missing Non-Executable Memory Protection                  critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection  high

Reviews

ID                  Capabilities                      Evidence
MULTIMEDIA_API      Can Play Multimedia               gdi32.dll::StretchDIBits
SHELL_API           Manipulates System Shell          shell32.dll::ShellExecuteA
WIN32_PROCESS_API   Can Create Process and Threads    kernel32.dll::CloseHandle
WIN_BASE_API        Uses Win Base API                 kernel32.dll::GetDriveTypeA
                                                      kernel32.dll::GetStartupInfoA
                                                      kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_API   Can Execute other programs        kernel32.dll::WinExec
WIN_BASE_IO_API     Can Create Files                  kernel32.dll::CreateDirectoryA
                                                      kernel32.dll::CreateFileA
                                                      kernel32.dll::DeleteFileA
                                                      kernel32.dll::GetWindowsDirectoryA
                                                      kernel32.dll::GetFileAttributesA
                                                      kernel32.dll::FindFirstFileA
WIN_REG_API         Can Manipulate Windows Registry   advapi32.dll::RegOpenKeyExA
                                                      advapi32.dll::RegQueryValueExA
                                                      advapi32.dll::RegSetValueExA

Comments