General
- Target: Consignment Document PL&BL Draft.exe
- Size: 684KB
- Sample: 201203-gxt95cb6rn
- MD5: b70ffeb2babbacb28b22411beccb4642
- SHA1: 3c096e92894c9ff7bfae0fcc0ce5f250cb4ebe9f
- SHA256: 623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100
- SHA512: 79471594362dcb6f5ecbddb34ce68ddbbfc2320fa088439a54a0dfba7c878d32e5715366808b7a7399f33c9b992e6ebac75d90d9cdc5d591b42e480f4874db41
Static task: static1
Behavioral task: behavioral1
- Sample: Consignment Document PL&BL Draft.exe
- Resource: win7v20201028
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: :5550
C2: centurygift.myq-see.com:5550
Mutex: a60f1e04-b281-49b0-9733-22b28c2ea6d7
- activate_away_mode: true
- backup_connection_host: centurygift.myq-see.com
- backup_dns_server: centurygift.myq-see.com
- buffer_size: 65535
- build_time: 2020-09-08T01:46:57.095018036Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 5550
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: a60f1e04-b281-49b0-9733-22b28c2ea6d7
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host:
- primary_dns_server: centurygift.myq-see.com
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Extracted
Family: asyncrat
Version: 0.5.7B
C2: centurygift.myq-see.com:5500
Mutex: AsyncMutex_6SI8OkPnk
- aes_key: bWbB4qsIdUz0RazB3LzXObRAUS2SpbLy
- anti_detection: false
- autorun: true
- bdos: false
- delay: Default
- host: centurygift.myq-see.com
- hwid: 3
- install_file:
- install_folder: %Temp%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 5500
- version: 0.5.7B
Targets
- Target: Consignment Document PL&BL Draft.exe
- Async RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients: Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application
- Suspicious use of SetThreadContext