General
Target: BUOSdmqXoY_bin.js
Size: 478KB
Sample: 220629-tkvthsahek
MD5: c9328234265a979cf27338a10177294e
SHA1: f0670d7702b94a89c221a0a644d53be6e2a6c787
SHA256: d7e2a4d27dc5acf5fd79691978b79889a88b260b1c5f0a5b9d0578aa62fa2195
SHA512: 1abaac12f3a0c1cec20073a3cb5ad0b391b353708614c45ca3fb8d5b8a7016619dfdbbbb54d037a4412658415cba1bbe790b22a65b1a1ee53ce454751b63ab7f
Static task: static1
Behavioral task: behavioral1
Sample: BUOSdmqXoY_bin.js
Resource: win7-20220414-en
Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign: mdzq
C2 domains:
leop.red
actoconcept.fr
doesmee.com
goplygolf.com
cqshki.net
leflegme.com
wgamersport.xyz
4513367.com
shpoweronline.com
ingeniousconsultingservices.com
dentaldenalia.com
saaraba.net
artnow.media
sbwyt.com
nortonrosefulbrigiht.com
autorad.xyz
clergyfundingandinsurance.com
boarko.com
xn--zoom-kh4j.com
739lakemuirdr.com
nhcabling.com
la-bites.com
bostoncleaners.net
q5p0ih89ufw9q5a.site
davincimarblle.com
albite.xyz
earaproperties.com
xn--vsqs7b5yfhum230a.xn--55qx5d
marketreservation.com
n5ply9.com
bestquest.club
hs8068.com
uniqloot.com
arcadestatus.com
seidsaleh.com
a4africa.com
renchies.com
sunilrpatel.com
pdbet168.com
yzshm.com
zhongheyouzhi.com
citraudaysinfinity.com
dk2arnw64qr9vd.life
bornean.website
italianchef.menu
slotdanatanpapotongan.com
aplomber.com
strictlyusedgolfokc.com
westfargo.xyz
46magic.com
desenvolvimento-curso.online
bynicholls.com
wintegrative.com
help-dunya-international.com
swindonconcretepumps.com
ghantasaala.com
fishgaudy.space
hml.email
colwoodrealtyauction.com
markjfinlay.com
madelineagnes.site
thecoastalgranddaughter.com
kreditrechner.pro
thebolingerfamily.com
marijevanrijn.site
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: franmhort.duia.ro:8153
Mutex: Mutex_6SI8OkPnk
delay: 3
install: true
install_file: win.exe
install_folder: %AppData%
Targets
Target: BUOSdmqXoY_bin.js
Size: 478KB
MD5: c9328234265a979cf27338a10177294e
SHA1: f0670d7702b94a89c221a0a644d53be6e2a6c787
SHA256: d7e2a4d27dc5acf5fd79691978b79889a88b260b1c5f0a5b9d0578aa62fa2195
SHA512: 1abaac12f3a0c1cec20073a3cb5ad0b391b353708614c45ca3fb8d5b8a7016619dfdbbbb54d037a4412658415cba1bbe790b22a65b1a1ee53ce454751b63ab7f
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Signatures
Async RAT payload
Xloader Payload
Adds policy Run key to start application
Executes dropped EXE
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext