General
- Target: b7f237af7f3c1bd7901f85cc53fdf576b06b7002726ef37c52c8c97befe283dd
- Size: 520KB
- Sample: 220521-cpzvlahchj
- MD5: c03eb96768d6abf032c076fcb4d3a63a
- SHA1: def4cbb521b879552c23366a850c05306ea3e979
- SHA256: b7f237af7f3c1bd7901f85cc53fdf576b06b7002726ef37c52c8c97befe283dd
- SHA512: b0e7f80d588854271da40dd22d246379af8cd04c6d458bd1d3447db818e2374d63a0efcb947ff1c86a583544066f83a01cc14a2af2dcba4a43344227abdac270
Static task: static1
Behavioral task: behavioral1
- Sample: PPDF-110820.exe
- Resource: win7-20220414-en
Malware Config
Extracted
asyncrat
0.5.7B
newjob1
AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/eeJq8Ku6
Targets
- Target: PPDF-110820.exe
- Size: 459KB
- MD5: e762f388b8bc44a3fa8c080bdb690805
- SHA1: 651b43634bc5233b486e67ce13095fbdd8ccbe12
- SHA256: 5a5563d6a39f3753b0f18c7abcdb4a9a4fefa7ddef33e3758a51797ad72ed804
- SHA512: 15ddcba0202109a8d0854df1957ca17da5c5ed9725253b1b3e1b7f5427b28542c5169e0ee84f4f65e41f5511dce483b82dda6e870f4a11dce98915201728d5ea
- Async RAT payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext