General
- Target: Invoices_Paid.exe
- Size: 206KB
- Sample: 220125-tfydvaadfp
- MD5: 8f5bdc03c40f3b229a6b701382d752cc
- SHA1: f33ffdb1be12ed5ba8485a0947a4ac8aec1ef1ac
- SHA256: 3372f25780aedadbffd5d74b9b8f1d6464f97d2083288cce50738fe3a51cb582
- SHA512: f16b97af5437b0513adb551f4bb6a56d8db9c8e1a1431acd93eff5a7a828fc46ea1f7747ed305970a173121a0731feee2bce8286189e1fc1b23638d041fff661
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Invoices_Paid.exe, Resource: win7-en-20211208)
- Behavioral task: behavioral2 (Sample: Invoices_Paid.exe, Resource: win10-en-20211208)
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 192.210.214.230:6606
- Mutex: AbggsyDCDCDAncMuAtexee_6SI8OkPnk
- anti_vm: false
- bsod: false
- delay: 3
- install: false
- install_file: asyn.exe
- install_folder: %AppData%
- pastebin_config: null
Targets
- Target: Invoices_Paid.exe
- Size: 206KB
- MD5: 8f5bdc03c40f3b229a6b701382d752cc
- SHA1: f33ffdb1be12ed5ba8485a0947a4ac8aec1ef1ac
- SHA256: 3372f25780aedadbffd5d74b9b8f1d6464f97d2083288cce50738fe3a51cb582
- SHA512: f16b97af5437b0513adb551f4bb6a56d8db9c8e1a1431acd93eff5a7a828fc46ea1f7747ed305970a173121a0731feee2bce8286189e1fc1b23638d041fff661
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload
- Executes dropped EXE
- Checks QEMU agent file: checks presence of the QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext