General
-
Target
lol.chm
-
Size
234KB
-
Sample
221009-yshalshfd6
-
MD5
29984ec9b0bef9d92e9a2fec99e9b7d0
-
SHA1
701cdf5b2419f4da8247e6af9eaa376cdf6e2dc4
-
SHA256
9ad14a020dc9a937bbe2c2dcd63991e424fe174b96f0131962e24bdd9f823fa3
-
SHA512
be7703f487bccba2e473411288d1a2919358c49d18355f48aa5d73adb652550c33eeb9ca87dd786dbd46748c64c1af11e40ae6e342ef1b38dbe5fecdb667fe08
-
SSDEEP
6144:KveS9vg8qKoqjkqNdoYzgOS9vg8qKoqjkqDyoaF73:VSBg8iqjkCKUgOSBg8iqjkWaFT
Static task
static1
Behavioral task
behavioral1
Sample
lol.chm
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
lol.chm
Resource
win10v2004-20220901-en
Malware Config
Extracted
https://skynetx.com.br/tarefa.html
Extracted
asyncrat
| Edit 3LOSH RAT
AAAAAAAAAAAA+++AAAAAAAAAAAA
chromedata.accesscam.org:7707
chromedata.accesscam.org:4404
chromedata.accesscam.org:5505
chromedata.accesscam.org:3303
chromedata.accesscam.org:2222
chromedata.accesscam.org:6606
chromedata.accesscam.org:8808
chromedata.accesscam.org:5155
chromedata.accesscam.org:5122
chromedata.accesscam.org:8001
chromedata.accesscam.org:9000
chromedata.accesscam.org:9999
chromedata.accesscam.org:8888
cdt.3utilities.com:7707
cdt.3utilities.com:4404
cdt.3utilities.com:5505
cdt.3utilities.com:3303
cdt.3utilities.com:2222
cdt.3utilities.com:6606
cdt.3utilities.com:8808
cdt.3utilities.com:5155
cdt.3utilities.com:5122
cdt.3utilities.com:8001
cdt.3utilities.com:9000
cdt.3utilities.com:9999
cdt.3utilities.com:8888
adobedata.webredirect.org:7707
adobedata.webredirect.org:4404
adobedata.webredirect.org:5505
adobedata.webredirect.org:3303
adobedata.webredirect.org:2222
adobedata.webredirect.org:6606
adobedata.webredirect.org:8808
adobedata.webredirect.org:5155
adobedata.webredirect.org:5122
adobedata.webredirect.org:8001
adobedata.webredirect.org:9000
adobedata.webredirect.org:9999
adobedata.webredirect.org:8888
127.0.0.1:7707
127.0.0.1:4404
127.0.0.1:5505
127.0.0.1:3303
127.0.0.1:2222
127.0.0.1:6606
127.0.0.1:8808
127.0.0.1:5155
127.0.0.1:5122
127.0.0.1:8001
127.0.0.1:9000
127.0.0.1:9999
127.0.0.1:8888
dimascu.duckdns.org:7707
dimascu.duckdns.org:4404
dimascu.duckdns.org:5505
dimascu.duckdns.org:3303
dimascu.duckdns.org:2222
dimascu.duckdns.org:6606
dimascu.duckdns.org:8808
dimascu.duckdns.org:5155
dimascu.duckdns.org:5122
dimascu.duckdns.org:8001
dimascu.duckdns.org:9000
dimascu.duckdns.org:9999
dimascu.duckdns.org:8888
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
DesbravadorUpdata.exe
-
install_folder
%AppData%
Targets
-
-
Target
lol.chm
-
Size
234KB
-
MD5
29984ec9b0bef9d92e9a2fec99e9b7d0
-
SHA1
701cdf5b2419f4da8247e6af9eaa376cdf6e2dc4
-
SHA256
9ad14a020dc9a937bbe2c2dcd63991e424fe174b96f0131962e24bdd9f823fa3
-
SHA512
be7703f487bccba2e473411288d1a2919358c49d18355f48aa5d73adb652550c33eeb9ca87dd786dbd46748c64c1af11e40ae6e342ef1b38dbe5fecdb667fe08
-
SSDEEP
6144:KveS9vg8qKoqjkqNdoYzgOS9vg8qKoqjkqDyoaF73:VSBg8iqjkCKUgOSBg8iqjkWaFT
Score10/10-
Async RAT payload
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-