General
Target: 58f504cc1df08a7184980c8b795e0fb96994d9c396e6e5f957f627ab044b4c16
Size: 169KB
Sample: 220521-dfzc5safhr
MD5: 433efe7d94d05c6b154e192924717de0
SHA1: d01cb136a270f5309a9e339acdcebcb26ceea74b
SHA256: 58f504cc1df08a7184980c8b795e0fb96994d9c396e6e5f957f627ab044b4c16
SHA512: ad2f7dff82ca8981d3dccd8c29531774a57ed3803833a54191d083da4fcead793c7ec71df46e6d2ca0373a230dfb96ee45a4269994ac81084f471080bf988d7c

Static task: static1
Behavioral task: behavioral1
Sample: swift message.exe
Resource: win7-20220414-en

Malware Config
Extracted: asyncrat
Version: 0.5.7B
Botnet: Forwork
C2: sack517.ddns.net:6565
C2: sack517.duckdns.org:6565
Mutex: AsyncMutex_dgh6775Pxz
delay: 3
install: false
install_folder: %AppData%

Targets
Target: swift message.exe
Size: 324KB
MD5: 93859a46557699b2689840de0df68318
SHA1: 2f8c20dfc3fa635c5a4c88b4edee85c18b08a94d
SHA256: d2795ed096e7331d84947a9ba6a1c3fae5203b50f5a3563bda0382ab84e1c8bb
SHA512: bf1b3bcc1564e1c22095926f8eb9848ad740685d4744af56e1fe0487f52a20ff64a9732ff1933cafddf86959db56f34034b6e1d0bc85088b3a259be64ed79ec5
CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a Bitmap object, which is later decrypted.

Async RAT payload

CoreCCC Packer
Detects the CoreCCC packer used to load .NET malware.

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.

Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.

Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.

Suspicious use of SetThreadContext