General
-
Target
ORDER-02188.exe
-
Size
403KB
-
Sample
210408-ehq5rvrvvj
-
MD5
ac170d15a4107a0fd5982449c2a8d1ee
-
SHA1
da5b603c30d0f238ac19e9b32e6bc622dcbfa13b
-
SHA256
790024e6d1d28358876403d4b30aa4ff47c162bcd91db81776185ab88d20c511
-
SHA512
224e25782e75936b3ccc7b134b3f9b0faa6dfb49b749420273380cb3cadbdf6cfe44eebd2ce825f9ed0734f2cde328f1f0034f7a4ccd87f8cc5dddb8ef792689
Static task
static1
Behavioral task
behavioral1
Sample
ORDER-02188.exe
Resource
win7v20201028
Malware Config
Extracted
asyncrat
0.5.7B
chongmei33.publicvm.com:2703
chongmei33.publicvm.com:49703
chongmei33.publicvm.com:49746
185.165.153.116:2703
185.165.153.116:49703
185.165.153.116:49746
54.37.36.116:2703
54.37.36.116:49703
54.37.36.116:49746
185.244.30.92:2703
185.244.30.92:49703
185.244.30.92:49746
dongreg202020.duckdns.org:2703
dongreg202020.duckdns.org:49703
dongreg202020.duckdns.org:49746
178.33.222.241:2703
178.33.222.241:49703
178.33.222.241:49746
rahim321.duckdns.org:2703
rahim321.duckdns.org:49703
rahim321.duckdns.org:49746
79.134.225.92:2703
79.134.225.92:49703
79.134.225.92:49746
37.120.208.36:2703
37.120.208.36:49703
37.120.208.36:49746
178.33.222.243:2703
178.33.222.243:49703
178.33.222.243:49746
87.98.245.48:2703
87.98.245.48:49703
87.98.245.48:49746
AsyncMutex_6SI8OkPnk
-
aes_key
hGScKRB0VrlS4WpFo0N7AmnZQApV4qsi
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
FEB
-
host
chongmei33.publicvm.com,185.165.153.116,54.37.36.116,185.244.30.92,dongreg202020.duckdns.org,178.33.222.241,rahim321.duckdns.org,79.134.225.92,37.120.208.36,178.33.222.243,87.98.245.48
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
2703,49703,49746
-
version
0.5.7B
Targets
-
-
Target
ORDER-02188.exe
-
Size
403KB
-
MD5
ac170d15a4107a0fd5982449c2a8d1ee
-
SHA1
da5b603c30d0f238ac19e9b32e6bc622dcbfa13b
-
SHA256
790024e6d1d28358876403d4b30aa4ff47c162bcd91db81776185ab88d20c511
-
SHA512
224e25782e75936b3ccc7b134b3f9b0faa6dfb49b749420273380cb3cadbdf6cfe44eebd2ce825f9ed0734f2cde328f1f0034f7a4ccd87f8cc5dddb8ef792689
Score10/10-
Turns off Windows Defender SpyNet reporting
-
Async RAT payload
-
Nirsoft
-
Executes dropped EXE
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-