General
Target: a.ps1
Size: 567B
Sample: 220927-klzdnadad2
MD5: b3cd9511ce088df0735164e5f5e7761e
SHA1: 7ce808db75239f6931c3551d8ba96cc6d668967d
SHA256: 5f19a9226fad05ac74b065bf8691daf121a04c33469e712e684dc9162e67b2fb
SHA512: 30a023f496fcc2b43b0aba8ce113293cb902c17a1ab3f85848ecf66d35309faae3ba4d148efa4753ea75bb3fc97369db85235cec36de0017e132eadedfe20e7b
Static task: static1

Behavioral task: behavioral1
Sample: a.ps1
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: a.ps1
Resource: win10v2004-20220812-en
Malware Config
Extracted: https://pastbin.net/raw/installutil

Extracted: asyncrat
Version: 1.0.7
Botnet: Default
C2: zerocool888.duckdns.org:8848
C2: zerocool888.duckdns.org:8898
Mutex: DcRatMutex_imlegion
Attributes:
- delay: 1
- install: false
- install_folder: %AppData%
Targets
Target: a.ps1
Size: 567B
Score: 10/10
Signatures:
- Async RAT payload
- Blocklisted process makes network request
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext