General
Target: 0f9edaa5134778747af05306ca0620cc.exe
Size: 213KB
Sample: 200701-aqxem1zkfx
MD5: 0f9edaa5134778747af05306ca0620cc
SHA1: 32872c1265e8b5e2fd1062bc33ab715decf1bafb
SHA256: ff86462f1b1ab86a5283785ac242e2bcf6fcf46a39e7d2a712eceba8c0c47627
SHA512: 9e8a5d5aca21fa30b0d8982a16adfb9ecaa7d8f39ea6f3fa1a80271fa9344e1ee956bc9547c1feb8d0e5772f5225054c7f21fbdb48756ba33d0958d96ea0f6f4
Static task: static1
Behavioral task: behavioral1
  Sample: 0f9edaa5134778747af05306ca0620cc.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: 0f9edaa5134778747af05306ca0620cc.exe
  Resource: win10
Malware Config
Extracted family: asyncrat
Version: 0.5.7B
C2: migracion.linkpc.net:3468
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
- aes_key: OZ5Vq4Ybn4BuUPvvVZZKEF20GdI2yi3y
- anti_detection: false
- autorun: true
- bdos: false
- delay: Nuevas
- host: migracion.linkpc.net
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 3468
- version: 0.5.7B
Targets
Target: 0f9edaa5134778747af05306ca0620cc.exe
Size: 213KB
MD5: 0f9edaa5134778747af05306ca0620cc
SHA1: 32872c1265e8b5e2fd1062bc33ab715decf1bafb
SHA256: ff86462f1b1ab86a5283785ac242e2bcf6fcf46a39e7d2a712eceba8c0c47627
SHA512: 9e8a5d5aca21fa30b0d8982a16adfb9ecaa7d8f39ea6f3fa1a80271fa9344e1ee956bc9547c1feb8d0e5772f5225054c7f21fbdb48756ba33d0958d96ea0f6f4
Signatures:
- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
- Modifies security service
- Async RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext