General
Target: TV06KSFYOU_002_PDF.vbs
Size: 577KB
Sample: 220927-ygp63secf9
MD5: 92be06b804449682d272f3afc76aca5f
SHA1: f575b8712aa0f0720b6ad981ca8bbe682badd1d8
SHA256: e596d827af9b25d8348caffa981f5ef4a6ea88bfcfb35e5a5d2d337d6bf90aa9
SHA512: 09b067ad4507a7efbd075a3d8400e63627d62d4bf9e542fb527755eac71240e556ae9b4f45e408e2b4d9dfe42688c18b9dd0a4007ca23dc77d8d16449808068c
SSDEEP: 96:vHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHA:cKLosxvRG
Static task: static1
Behavioral task: behavioral1
Sample: TV06KSFYOU_002_PDF.vbs
Resource: win7-20220812-en

Malware Config
Extracted: http://20.7.14.99/dll/dll_ink.pdf
Extracted: asyncrat
0.5.7B
Default
petersonsherian7.duckdns.org:6739
petersonsherian7.duckdns.org:7301
petersonsherian7.duckdns.org:7808
petersonsherian7.duckdns.org:8333
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%

Targets
- Async RAT payload
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Suspicious use of SetThreadContext