General
Target: Geno_Quotation,pdf.exe
Size: 929KB
Sample: 210913-pyel8sggbr
MD5: fbf75396fc5ed9d7555effe393035109
SHA1: be62388c45754b3497e8eda1d501031fa2ca7cbf
SHA256: 77cc0ec039c99a695a94081d8462ee42b5b526a1da92bf05c65f3ff8fd40ec0c
SHA512: 7069b9080b288bb292fdd6fc513a3c9ac40593bc63b2631ff7214256999455369379e0e05deeabe6139bd65964db37cace8ecb1c23853496340f77e663fe5671
Static task: static1
Behavioral task: behavioral1 (Sample: Geno_Quotation,pdf.exe; Resource: win7-jp)
Behavioral task: behavioral2 (Sample: Geno_Quotation,pdf.exe; Resource: win7v20210408)
Behavioral task: behavioral3 (Sample: Geno_Quotation,pdf.exe; Resource: win10-jp)
Malware Config
Extracted family: asyncrat
Version: 0.5.7B
Botnet: billion
C2 (host:port): null:null
Mutex: AsyncMutex_6SI8OkPnk
anti_vm: false
bsod: false
delay: 3
install: false
install_file: billionaire.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/Q5Dxj1fY
Targets
Target: Geno_Quotation,pdf.exe
Size: 929KB
(MD5, SHA1, SHA256 and SHA512 identical to the General section above)
Score: 10/10
- Modifies system executable filetype association
- Registers COM server for autorun
- Suspicious use of NtCreateUserProcessOtherParentProcess
- .NET Reactor protector: detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Async RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext