General
Target: ORDER-MTC04RFQGENZAK1220637501220524622023.exe
Size: 887KB
Sample: 230307-jqedlshc62
MD5: 95ac8bb99267f46e20857b7caf76a6e0
SHA1: 3182546c9062b070561dab1962898a4c0dca6087
SHA256: 6a9fbdd219a7ccbb64cdc17ab06f17f2964414c3b4ed5dfe69dac4aafe308300
SHA512: b9edf8b879511d544c37129872081ec6b4273f53a57c285052d9aec0a742898173b098c8e0e18679eb9ad563f0ad42a997ca910a17f38ee93099ceb05b823526
SSDEEP: 12288:jUrXlUMk+/FF7phaWVLuIwlAfDbAbg5dMS7TYH5Z8h4R2Yb4cXBZ:jUzlUMkgF7pxVLxDj5dM1H5yYb7XBZ
Static task: static1
Behavioral task: behavioral1
Sample: ORDER-MTC04RFQGENZAK1220637501220524622023.exe
Resource: win7-20230220-en
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2:
milanooffice.hopto.org:6606
milanooffice.hopto.org:7707
milanooffice.hopto.org:8808
milanooffice.hopto.org:4040
milanooffice.hopto.org:5058
milanooffice.hopto.org:80
51.68.180.4:6606
51.68.180.4:7707
51.68.180.4:8808
51.68.180.4:4040
51.68.180.4:5058
51.68.180.4:80
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: adobe.exe
install_folder: %AppData%
Targets
Target: ORDER-MTC04RFQGENZAK1220637501220524622023.exe
Signatures
- Async RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Suspicious use of SetThreadContext