General

Target: Arrival_notification.pdf.exe
The double extension is the lure: Windows Explorer hides known extensions by default, so the file displays as "Arrival_notification.pdf" while running as a native executable.
Size: 865KB
Sample: 220918-2tx91ahdcn
MD5: 0ed67c55751379da8cb3af2bf95115e8
SHA1: 67e368232c61e6fe72faf60de77789dbad08157e
SHA256: 1b369655f627c3dd2f7cfc06f8cac5c9a91152b1286608fd03f78c26ce62029c
SHA512: fdf581884b79ddee84fe3a419f64ba519f82abc13f3a9c1676ccfd819709cc6346ec0f8a2103410d4e02c489eb8f2a014290961b888691b180a52e4745d0e300
SSDEEP: 12288:I/eSmRoZ9BgMEWRCb3TV7uikFgdrVlO4ip9FrvNsW75ecwTWKx+1vs4CRpp:+63TlubgITrl59wTWK8vs4Wp
Static task: static1
Behavioral task: behavioral1
Sample: Arrival_notification.pdf.exe
Resource: win7-20220901-en
Malware Config

Extracted family: asyncrat
Version: 0.5.7B
Botnet (group tag set in the AsyncRAT builder): Java
C2 (host:port):
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- 127.0.0.1:2406
- niiarmah.kozow.com:6606
- niiarmah.kozow.com:7707
- niiarmah.kozow.com:8808
- niiarmah.kozow.com:2406
The eight entries are the cross product of the configured host list (127.0.0.1, niiarmah.kozow.com) and port list (6606, 7707, 8808, 2406). The 127.0.0.1 entries are the builder's default placeholder host left in the config and are not reachable C2; the actionable indicator is niiarmah.kozow.com on TCP 6606, 7707, 8808 and 2406. kozow.com is a dynamic-DNS domain, so the resolved address can change between runs and the hostname, not an IP, is the durable IOC.
Mutex: Mutex_6SI8OkPnk (the client creates this mutex on start to prevent a second instance; its presence on a host is a reliable local indicator)
delay: 3 (seconds the client waits before starting)
install: false (the build does not copy itself or set persistence)
install_folder: %AppData% (unused because install is false; kept here as the builder default)
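The configuration above is what a responder actually blocks and hunts on. The following is an added example (not part of the sandbox report or of AsyncRAT itself) that drops the placeholder 127.0.0.1 entries, keeps the real host:port pairs, and runs them against a few constructed DNS and connection records; the record field names (event, name, host, port, src) are an assumed schema for illustration, not a real log format.

```python
"""Turn the extracted AsyncRAT config into hunt logic.

Added example, not part of the sandbox report. The config values are copied
from the report; the telemetry records below are constructed and their field
names are an assumed schema.
"""
import ipaddress
from typing import Iterable

# Values as extracted by the sandbox (Malware Config section).
ASYNCRAT_CONFIG = {
    "family": "asyncrat",
    "version": "0.5.7B",
    "group": "Java",
    "c2": [
        "127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808", "127.0.0.1:2406",
        "niiarmah.kozow.com:6606", "niiarmah.kozow.com:7707",
        "niiarmah.kozow.com:8808", "niiarmah.kozow.com:2406",
    ],
    "mutex": "Mutex_6SI8OkPnk",
    "delay": 3,
    "install": False,
    "install_folder": "%AppData%",
}


def _is_placeholder(host: str) -> bool:
    """Builder defaults (127.0.0.1) stay in the config next to the real hosts;
    loopback or unspecified addresses can never be a reachable C2."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname is never a placeholder
    return ip.is_loopback or ip.is_unspecified


def actionable_c2(config: dict) -> set:
    """Return the (host, port) pairs worth blocking or hunting for."""
    out = set()
    for entry in config["c2"]:
        host, _, port = entry.rpartition(":")
        if not _is_placeholder(host):
            out.add((host.lower(), int(port)))
    return out


def hunt(events: Iterable[dict], config: dict) -> list:
    """Match DNS and connection records against the C2 set.

    A DNS query for a C2 hostname is a hit on its own; a connection is a hit
    only when host and port both match, which keeps noise down when a
    dynamic-DNS name shares an address with unrelated services.
    """
    c2 = actionable_c2(config)
    hosts = {h for h, _ in c2}
    hits = []
    for ev in events:
        if ev["event"] == "dns" and ev["name"].lower().rstrip(".") in hosts:
            hits.append({**ev, "reason": "dns query for AsyncRAT C2 host"})
        elif ev["event"] == "connect" and (ev["host"].lower(), ev["port"]) in c2:
            hits.append({**ev, "reason": "connection to AsyncRAT C2 host:port"})
    return hits


# Constructed sample telemetry (not from the sandbox run).
SAMPLE_EVENTS = [
    {"event": "dns", "name": "niiarmah.kozow.com.", "src": "10.0.0.5"},
    {"event": "dns", "name": "update.microsoft.com.", "src": "10.0.0.5"},
    {"event": "connect", "host": "niiarmah.kozow.com", "port": 6606, "src": "10.0.0.5"},
    {"event": "connect", "host": "niiarmah.kozow.com", "port": 443, "src": "10.0.0.5"},
    {"event": "connect", "host": "127.0.0.1", "port": 6606, "src": "10.0.0.5"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, ASYNCRAT_CONFIG):
        print(hit["reason"], hit)
```

Real connection logs carry destination IPs rather than names; because the C2 sits behind dynamic DNS, join connection records with the DNS answers seen at the time rather than pinning a single resolved address into the block list.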
Targets

Target: Arrival_notification.pdf.exe (865KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed in the General section above)
- Async RAT payload: the extracted configuration identifies the payload as AsyncRAT 0.5.7B.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check that changes behaviour depending on the configured locale. When reproducing the run, keep this in mind if the sample appears inert on a differently localized VM.
- Suspicious use of SetThreadContext: this API rewrites the register state of another thread. Outside debuggers it is rarely legitimate, and it is the defining step of process hollowing (RunPE), where a process is created suspended, its image is replaced from the injector, the entry point is set through SetThreadContext and the thread is resumed. On its own it is an injection indicator, not proof of a particular technique; look for the surrounding CreateProcess(CREATE_SUSPENDED), WriteProcessMemory and ResumeThread calls to confirm.
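To show how the SetThreadContext signature is turned into an actual hollowing detection rather than a single-API flag, here is an added example (not the sandbox's own signature logic) that walks a per-process API trace and reports only when the full suspended-create, write, set-context, resume sequence targets one child pid. The trace format (one dict per call with pid, api, target_pid and args) and the calls in the sample traces are constructed for illustration and are not taken from this sample's run.

```python
"""Detect the process-hollowing API sequence behind a
"Suspicious use of SetThreadContext" signature.

Added example, not the sandbox's own detection. The trace schema and the
sample traces are constructed for illustration.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess*

# Stages of the classic RunPE / hollowing sequence, in the order they must
# occur for a single target pid. Each stage lists the APIs that satisfy it.
STAGES = [
    ("create_suspended", {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}),
    ("write_image", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("set_context", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume", {"ResumeThread", "NtResumeThread"}),
]


def _creates_suspended(call: dict) -> bool:
    flags = call.get("args", {}).get("dwCreationFlags", 0)
    return bool(flags & CREATE_SUSPENDED)


def detect_hollowing(trace: list) -> list:
    """Return one finding per child pid whose trace completes all stages.

    SetThreadContext alone is weak evidence (debuggers and some runtimes use
    it). A suspended child, memory written into it, a context rewrite and a
    later resume, all against the same pid, is what makes it an indicator.
    Unrelated calls in between (VirtualAllocEx, NtUnmapViewOfSection, ...)
    are ignored; only the order of the stage calls matters.
    """
    progress = defaultdict(lambda: {"stage": 0, "source_pid": None, "calls": []})
    for call in trace:
        target = call.get("target_pid")
        if target is None:
            continue
        state = progress[target]
        if state["stage"] >= len(STAGES):
            continue  # already a complete finding for this pid
        stage_name, apis = STAGES[state["stage"]]
        if call["api"] not in apis:
            continue
        if stage_name == "create_suspended" and not _creates_suspended(call):
            continue  # a normal (non-suspended) create does not start the chain
        if state["source_pid"] is None:
            state["source_pid"] = call["pid"]
        state["calls"].append(call["api"])
        state["stage"] += 1
    return [
        {"source_pid": s["source_pid"], "target_pid": pid, "sequence": s["calls"]}
        for pid, s in progress.items()
        if s["stage"] == len(STAGES)
    ]


# Constructed trace: injector pid 1000 hollows child pid 2000.
HOLLOWING_TRACE = [
    {"pid": 1000, "api": "CreateProcessW", "target_pid": 2000,
     "args": {"lpApplicationName": r"C:\example\host.exe", "dwCreationFlags": 0x4}},
    {"pid": 1000, "api": "NtUnmapViewOfSection", "target_pid": 2000},
    {"pid": 1000, "api": "VirtualAllocEx", "target_pid": 2000},
    {"pid": 1000, "api": "WriteProcessMemory", "target_pid": 2000},
    {"pid": 1000, "api": "WriteProcessMemory", "target_pid": 2000},
    {"pid": 1000, "api": "SetThreadContext", "target_pid": 2000},
    {"pid": 1000, "api": "ResumeThread", "target_pid": 2000},
]

# Constructed benign trace: a debugger touching a thread context, and an
# ordinary (not suspended) process creation followed by a resume.
BENIGN_TRACE = [
    {"pid": 500, "api": "SetThreadContext", "target_pid": 600},
    {"pid": 700, "api": "CreateProcessW", "target_pid": 800,
     "args": {"dwCreationFlags": 0x0}},
    {"pid": 700, "api": "ResumeThread", "target_pid": 800},
]

if __name__ == "__main__":
    for finding in detect_hollowing(HOLLOWING_TRACE):
        print(finding)
```

The stage sets can be widened (NtCreateUserProcess, NtMapViewOfSection for transacted-section variants) without changing the matcher; what should not change is the requirement that every stage hits the same target pid, which is what keeps a lone SetThreadContext from firing.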