General
Target: e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8
Size: 860KB
Sample: 221130-snzffaeb8t
MD5: 1c4b81dc51aba18efdb7ca0018e57ee9
SHA1: 928e62adc64e8c72b16f9f62a18447df87d5a8cb
SHA256: e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8
SHA512: 6865583489f879a90d642be21460bcd359d29ebfbf1654d0fe740b2443c625f59ab057b15b005c09c57ae0a739b6f98c8782fbf0daa46df0192195ce3cfd998d
SSDEEP: 768:WHuiL/OGH4e//KTGr/EwlqhrQcZdOjFV5gVwkz0EuHel9LEEXk+B4aqg1eXkDu1J:EzzZO1nMkQdkxBaLIhnyvzB
Static task: static1
Behavioral task: behavioral1
Sample: e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8.exe
Resource: win7-20221111-en
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: hgjvhnfgg.duckdns.org:8057
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
- delay: 3
- install: false
- install_folder: %AppData%
Targets
Target: e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8
Size: 860KB
MD5: 1c4b81dc51aba18efdb7ca0018e57ee9
SHA1: 928e62adc64e8c72b16f9f62a18447df87d5a8cb
SHA256: e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8
SHA512: 6865583489f879a90d642be21460bcd359d29ebfbf1654d0fe740b2443c625f59ab057b15b005c09c57ae0a739b6f98c8782fbf0daa46df0192195ce3cfd998d
SSDEEP: 768:WHuiL/OGH4e//KTGr/EwlqhrQcZdOjFV5gVwkz0EuHel9LEEXk+B4aqg1eXkDu1J:EzzZO1nMkQdkxBaLIhnyvzB
Signatures:
- Modifies WinLogon for persistence
- Turns off Windows Defender SpyNet reporting
- Async RAT payload
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext