General

Target: Document#4443-2525-2461.iso
Size: 544KB
Sample: 220926-qn8b8sahd7
MD5: af81692bd7a3fd6b7a6ee02f0c7ebcb7
SHA1: 43ede2a0efbac1192b2e5917dfff79a5c5e46964
SHA256: 64ed36c7f960badf5ddbc305800988f28e6e3fbc43698a4385bade60ea922237
SHA512: 136dd184e1cc6cefc968d1460e2ac2d3e911fce95f1039e3cb2782d110f6d4e9185c6cd436acbf3e236ceff47150c8d48a25c9ab912bdc33fc3ec8a4fad6d5c5
SSDEEP: 96:5dn3NHrq6cocqajqnloDRRxhmmLCCWG6MG69G6ZG6AG6DG69G65G6QG69G6FG6l3:poh7on3UkvDke16
Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: Document#4443-2525-2461.bat
  Resource: win7-20220901-en
Malware Config

Extracted (URL):
https://cibremustofrltrixifiqislfrus3ldrunaxiwokuro.s3.eu-west-3.amazonaws.com/Document.pdf

Extracted (asyncrat):
Version: | Edit 3LOSH RAT
Botnet: 27/9
C2: d1x3x.selfip.com:6666
C2: d1x3x.linkpc.net:6666
Mutex: AsyncMutex_WithNewHost
Attributes:
  delay: 3
  install: false
  install_folder: %AppData%

Both C2 entries are dynamic-DNS hostnames on the same non-standard port, so the resolved addresses can change between runs; the hostnames, the port and the mutex name are the stable indicators here. With install set to false the client is not expected to copy itself into install_folder, so the %AppData% value is the configured default rather than an observed persistence location.
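The following is an added example (not part of the sandbox report) showing how the indicators above can be turned into detection logic. It takes the C2 hostnames, port, mutex, stager URL and SHA256 values from this report and runs them over a few constructed telemetry lines in a hypothetical key=value log format; the log lines, IP addresses and the schema are assumptions made for the example, not captured data. DNS answers for a C2 hostname are remembered so that a later connection to that address can be attributed even though the report only lists hostnames.

```python
"""IOC matching for the AsyncRAT / 3LOSH RAT indicators in this report.

Added example, not code from the sandbox report. The indicator values come
from the report's Malware Config and Targets sections; the telemetry lines
and their key=value schema are constructed for illustration.
"""
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the report.
C2_HOSTS = {"d1x3x.selfip.com", "d1x3x.linkpc.net"}
C2_PORT = 6666
MUTEX = "AsyncMutex_WithNewHost"
STAGER_URL = ("https://cibremustofrltrixifiqislfrus3ldrunaxiwokuro"
              ".s3.eu-west-3.amazonaws.com/Document.pdf")
STAGER_HOST = urlparse(STAGER_URL).hostname
KNOWN_SHA256 = {
    "64ed36c7f960badf5ddbc305800988f28e6e3fbc43698a4385bade60ea922237": "Document#4443-2525-2461.iso",
    "8f9a07191ed4133d3d4a282c3469f47e8976724256297951fdfbccdea9f1462d": "Document#4443-2525-2461.bat",
}

# Constructed telemetry (hypothetical schema; the IPs are documentation addresses).
SAMPLE_LOG = """\
type=dns query=d1x3x.selfip.com answer=203.0.113.10
type=dns query=www.example.com answer=93.184.216.34
type=net dst=203.0.113.10 dport=6666 proto=tcp
type=net dst=93.184.216.34 dport=443 proto=tcp
type=http host=cibremustofrltrixifiqislfrus3ldrunaxiwokuro.s3.eu-west-3.amazonaws.com path=/Document.pdf
type=mutex name=AsyncMutex_WithNewHost pid=1234
type=mutex name=Global\\SomeBenignMutex pid=4321
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'k=v k=v' line into a dict."""
    return dict(KV_RE.findall(line))


def match_event(event, resolved_c2):
    """Return the indicator hits for one parsed event.

    resolved_c2 is a set of IPs that answered DNS queries for C2 hosts; it is
    updated in place so later connections to those IPs can be attributed.
    """
    hits = []
    kind = event.get("type")
    if kind == "dns" and event.get("query", "").lower() in C2_HOSTS:
        hits.append(f"dns query for AsyncRAT C2 {event['query']}")
        if "answer" in event:
            resolved_c2.add(event["answer"])
    elif kind == "net":
        if event.get("dst") in resolved_c2:
            hits.append(f"connection to resolved C2 address {event['dst']}")
        # Port alone is a weak signal (6666 is also used by IRC); it is
        # reported so it can corroborate a host/DNS hit, not stand on its own.
        if event.get("dport") == str(C2_PORT):
            hits.append(f"connection on AsyncRAT C2 port {C2_PORT}")
    elif kind == "http" and event.get("host", "").lower() == STAGER_HOST:
        hits.append(f"download from stager host {event['host']}{event.get('path', '')}")
    elif kind == "mutex" and event.get("name") == MUTEX:
        hits.append(f"AsyncRAT mutex {MUTEX} created by pid {event.get('pid')}")
    return hits


def scan_log(text):
    """Scan a whole log; returns a list of (line number, description)."""
    resolved = set()
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        for hit in match_event(parse_line(line), resolved):
            findings.append((lineno, hit))
    return findings


def identify_sample(data: bytes):
    """Return the report filename whose SHA256 matches data, or None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for lineno, hit in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {hit}")
```

Run against the constructed log it flags the DNS query, the follow-on connection (both as a resolved C2 address and as a port match), the stager download and the mutex, and ignores the benign lines; identify_sample lets the same script confirm a suspect file against the two hashes in the report.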
Targets

Target: Document#4443-2525-2461.bat
Size: 11KB
MD5: c9b538891dc3400a88149c458de9cf5f
SHA1: b1a2360126727576f03869d2d91d3ce16603cd16
SHA256: 8f9a07191ed4133d3d4a282c3469f47e8976724256297951fdfbccdea9f1462d
SHA512: 8fa871679922eb507fa16196ca18f3c545e6586f2021d520837863c6659b84d879df93e2d4b890e7e52677129e419e16f6083cde371e2102cccf76b10e334ec2
SSDEEP: 96:kG6MG69G6ZG6AG6DG69G65G6QG69G6FG6lk9G6bG64G6mG6rDTG6rG6tG697IkIc:2n3UkvDke166
Signatures

Async RAT payload
Blocklisted process makes network request
Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
Drops file in System32 directory
Suspicious use of SetThreadContext
  SetThreadContext is commonly used to redirect a thread in another process to injected code (for example in process hollowing); the report records the call, not the injected target.