General
- Target: Re-2181718.exe
- Size: 172KB
- Sample: 220630-pdqtrsahhm
- MD5: be2d1ca01da2a323960e94dcae0d4696
- SHA1: a0a404c6ef2dcb77f65ddf072402eeeecdd1dc2e
- SHA256: f1ff4fbaa6991440428ea8b228268b6ba82595aa8cdbcf2e7bb8a69835753b31
- SHA512: 883cb35116de50ee923fb5101aa1a6b3dea61897d96a73a51e1bc351dc7181f116dc1e290bf86946300b8998f53e106a064b73e1ebf3f503e1e5e65e2a5ed27c
Static task: static1
Behavioral task: behavioral1
- Sample: Re-2181718.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Re-2181718.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: blustealer
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: t.liaen@yandex.com
- Password: @vZe#$#28990
Extracted: asyncrat
- 0.5.7B
- Default
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- 127.0.0.1:1111
- 62.197.136.167:6606
- 62.197.136.167:7707
- 62.197.136.167:8808
- 62.197.136.167:1111
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Targets
- Target: Re-2181718.exe
- Size: 172KB
- MD5: be2d1ca01da2a323960e94dcae0d4696
- SHA1: a0a404c6ef2dcb77f65ddf072402eeeecdd1dc2e
- SHA256: f1ff4fbaa6991440428ea8b228268b6ba82595aa8cdbcf2e7bb8a69835753b31
- SHA512: 883cb35116de50ee923fb5101aa1a6b3dea61897d96a73a51e1bc351dc7181f116dc1e290bf86946300b8998f53e106a064b73e1ebf3f503e1e5e65e2a5ed27c
- suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Suspicious use of SetThreadContext