General
Target: a25384a50bece6cefbc853d787d65ab8688bca6d30da116fe16e6b1a3f6095eb
Size: 1.2MB
Sample: 220521-phd1rsfcg4
MD5: 8912bc744f7dcea9e2defff02a15ca24
SHA1: a26dae9e5b5e71ccb5321e28b07ae63bc2ee62ab
SHA256: a25384a50bece6cefbc853d787d65ab8688bca6d30da116fe16e6b1a3f6095eb
SHA512: eb510bf65b60c3326834cb370e9a2a1de5e7847069a0f8043af63ffa62230d3d08870969c3a7512cc834a0cf9e93ffc8db5cd6606551cb0e3f47df49c63a723b
Behavioral task: behavioral1
Sample: PO_45_13.scr
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: PO_45_13.scr
Resource: win10v2004-20220414-en
Malware Config
Extracted family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 206.123.129.103:5456
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_file: windows.exe
install_folder: %AppData%
Targets
Target: PO_45_13.SCR
Size: 479KB
MD5: 50c3085963b5fdc5a9c00d10d1b4f960
SHA1: 6529e11136560ad369d1b443a6e60f4e1f85c71e
SHA256: 2c8c5c5e5990da4a2af218cfece6afda3f4830be6605b9767adbfbde2e5cd276
SHA512: 36318d8dd2f4cd844fd8e1c47356d98c2af9df85646009b8d1cce97de834740f703a1770ed8770261c42cfe52eda5f52a43a7379f577754c1ea2ec723afbe837
Score: 10/10
- Async RAT payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext