General

Target: ctfmon.exe
Size: 300.0MB
Sample: 220630-sc1jcscacn
MD5: eb62cecfbe36eeaeab3ea25a65967f9d
SHA1: 2a4eb3fc914111cf67939b28ae5833d16b3315db
SHA256: 936f58b1813856c65f6206acce0b9711d4ac41598b5492b6951352ac04cc3c62
SHA512: d1239c3a0dc408ba4d7b605adc897bdd183b7b4085847559ba4586a3978c34f414176e680d325b8e50386b5d4366ff3f0edeeab7f04b139e8e6c5defbc87a7db
Static task: static1

Behavioral task: behavioral1
Sample: ctfmon.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: ctfmon.exe
Resource: win10v2004-20220414-en
Malware Config

Extracted: asyncrat
Version: 1.0.7
Botnet: Nigatex
C2: nigatex.ml:25565
huieqwgehqweqduia
delay: 1
install: false
install_file: MpCopyAccelerator.exe
install_folder: %AppData%
Targets

Target: ctfmon.exe
Size: 300.0MB
MD5: eb62cecfbe36eeaeab3ea25a65967f9d
SHA1: 2a4eb3fc914111cf67939b28ae5833d16b3315db
SHA256: 936f58b1813856c65f6206acce0b9711d4ac41598b5492b6951352ac04cc3c62
SHA512: d1239c3a0dc408ba4d7b605adc897bdd183b7b4085847559ba4586a3978c34f414176e680d325b8e50386b5d4366ff3f0edeeab7f04b139e8e6c5defbc87a7db

Score: 10/10

Signatures:
- Async RAT payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext