General
- Target: 53F956128D25A910F9B7BD8461C547B3.exe
- Size: 580KB
- Sample: 210802-98f68hqwgs
- MD5: 53f956128d25a910f9b7bd8461c547b3
- SHA1: ccffaa842d73e179bd7cef67a4365a938c801b2a
- SHA256: ce9ab261ed9af4a7e758e80ab1134f43a97cc7d4a3579ecd64bc03b873511010
- SHA512: 7fe6392539ce3d252a71073631963b6b28f85e792477327bf38c5c91ea8371e4d4d55e189e94f8095c0c281e4fc1d61bc20ea60770caf3f2c4b125f987639ebf
Static task: static1
Behavioral task: behavioral1
- Sample: 53F956128D25A910F9B7BD8461C547B3.exe
- Resource: win7v20210410
Malware Config
Extracted: asyncrat 0.5.7B
- jeazerx.duckdns.org:6606
- jeazerx.duckdns.org:7707
- jeazerx.duckdns.org:8808
- AsyncMutex_6SI8OkPnk
- aes_key: PgTuKivaePpq0opJl6Yxd3r0ifHfxcqG
- anti_detection: false
- autorun: false
- bdos: false
- delay: CRAFTRISE7
- host: jeazerx.duckdns.org
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 6606,7707,8808
- version: 0.5.7B
Targets
- Target: 53F956128D25A910F9B7BD8461C547B3.exe
- Size: 580KB
- MD5: 53f956128d25a910f9b7bd8461c547b3
- SHA1: ccffaa842d73e179bd7cef67a4365a938c801b2a
- SHA256: ce9ab261ed9af4a7e758e80ab1134f43a97cc7d4a3579ecd64bc03b873511010
- SHA512: 7fe6392539ce3d252a71073631963b6b28f85e792477327bf38c5c91ea8371e4d4d55e189e94f8095c0c281e4fc1d61bc20ea60770caf3f2c4b125f987639ebf
Signatures
- Modifies security service
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext