General

Target: d651267983ddfaf1e86e4cf0a90c0d79.exe
Size: 553KB
Sample: 220106-jw54hsbah5
MD5: d651267983ddfaf1e86e4cf0a90c0d79
SHA1: ea986acc881d0a7d50050a5fb1d31eefa0fbfb0a
SHA256: 597fe94395dcd3432d4ddf6c26524a5554c8dbcc48573936203b48df42ef5e02
SHA512: e25a435797f26c7966f790bf7d38ae0a6d725739a97d83a66e0fc50884a85c8078df7f08bf073538d654df4b5f33402a9a2e2071b2315f3e3312627df6551eae
Static task: static1

Behavioral task: behavioral1
Sample: d651267983ddfaf1e86e4cf0a90c0d79.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: d651267983ddfaf1e86e4cf0a90c0d79.exe
Resource: win10-en-20211208
Malware Config

Extracted: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 79.134.225.72:2233
Mutex: AsyncMutex_6SI8OkPnk
Options:
- anti_vm: false
- bsod: false
- delay: 3
- install: true
- install_file: Asyn.exe
- install_folder: %AppData%
- pastebin_config: null

Extracted: snakekeylogger
Telegram endpoint: https://api.telegram.org/bot1982610890:AAFCcNp1Tl28ILhhdWKR-lR4Xpa_V1kwvCk/sendMessage?chat_id=860277004

Extracted: warzonerat
C2: 23.105.131.207:1024
Targets

Target: d651267983ddfaf1e86e4cf0a90c0d79.exe
Size: 553KB
MD5: d651267983ddfaf1e86e4cf0a90c0d79
SHA1: ea986acc881d0a7d50050a5fb1d31eefa0fbfb0a
SHA256: 597fe94395dcd3432d4ddf6c26524a5554c8dbcc48573936203b48df42ef5e02
SHA512: e25a435797f26c7966f790bf7d38ae0a6d725739a97d83a66e0fc50884a85c8078df7f08bf073538d654df4b5f33402a9a2e2071b2315f3e3312627df6551eae
- Snake Keylogger Payload
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Async RAT payload
- Warzone RAT Payload
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext