General
- Target: PO_2018251-2693.js
- Size: 485KB
- Sample: 220701-lv3ccacdgm
- MD5: 5fb3d78208c1d07e6885f33487e36897
- SHA1: cbbdeeab3106f915e8dbf682bd86e4fe8ece677d
- SHA256: 92f7bd1fed09000ed86f84f0f83e81050320b9551fc3683aef4872ee6f9c3fd3
- SHA512: e10866a0bac222f32136a871d249e37cf11e89d66ea24c7e92e5cf0e4bf967ce6447eb869c59aadf242141b1fca9b9fb9f91f068cbb4d5af08022874951d6965
Static task: static1
Behavioral task: behavioral1
- Sample: PO_2018251-2693.js
- Resource: win7-20220414-en
Malware Config
Extracted: asyncrat 0.5.7B
Default
franmhort.duia.ro:8153
Mutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: win.exe
- install_folder: %AppData%
Extracted: xloader 2.9
vs8g
madeinfrance.plus
Targets
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Async RAT payload
- Xloader Payload
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext