General
Target: MEDICAL ORDER-MTC04RFQGENZAK1220637501220524622023.zip
Size: 591KB
Sample: 230307-jscb2ahc73
MD5: 8bd7320fa277aeeb9d3724fce742a732
SHA1: a002457fe25aff92c7eaf95f362990c65ff1d98a
SHA256: a16b5f3c6b4f73563ed5f276337c0bc59319dcfafce5273a7b75a080bc20ca1a
SHA512: bd94e25fe5f785d04a2c46a49f93b4911c75ac3c8775f170bbd2615d0e3f2e657d9fd3cee97ccd1331d8e9051d74f0e6c19023f8744fcd29d221a24b369dd1ff
SSDEEP: 12288:tNLqRQU/pF7pX0WVVusmrr8fj5y1wBdMI7TYb5Z2NgR2Ybgc9hZJ:7LgQ6F7p5VVzjTBdMDb5kYbD9hZJ
Static task: static1
Behavioral task: behavioral1
Sample: ORDER-MTC04RFQGENZAK1220637501220524622023.exe
Resource: win7-20230220-en
Malware Config
Extracted family: asyncrat
Version: 0.5.7B
Botnet: Default
C2:
milanooffice.hopto.org:6606
milanooffice.hopto.org:7707
milanooffice.hopto.org:8808
milanooffice.hopto.org:4040
milanooffice.hopto.org:5058
milanooffice.hopto.org:80
51.68.180.4:6606
51.68.180.4:7707
51.68.180.4:8808
51.68.180.4:4040
51.68.180.4:5058
51.68.180.4:80
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: adobe.exe
install_folder: %AppData%
Targets
Target: ORDER-MTC04RFQGENZAK1220637501220524622023.exe
Size: 887KB
MD5: 95ac8bb99267f46e20857b7caf76a6e0
SHA1: 3182546c9062b070561dab1962898a4c0dca6087
SHA256: 6a9fbdd219a7ccbb64cdc17ab06f17f2964414c3b4ed5dfe69dac4aafe308300
SHA512: b9edf8b879511d544c37129872081ec6b4273f53a57c285052d9aec0a742898173b098c8e0e18679eb9ad563f0ad42a997ca910a17f38ee93099ceb05b823526
SSDEEP: 12288:jUrXlUMk+/FF7phaWVLuIwlAfDbAbg5dMS7TYH5Z8h4R2Yb4cXBZ:jUzlUMkgF7pxVLxDj5dM1H5yYb7XBZ
Signatures
Async RAT payload
Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
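The extracted AsyncRAT configuration (C2 hosts and ports, mutex, install file and folder) and the "Executes dropped EXE" signature together describe what this sample leaves behind on a host and on the wire. The script below is an added example, not part of the sandbox report and not the sample's code: it turns those config values into concrete indicators and matches them against a few constructed telemetry records. The AppData path (C:\Users\Admin\AppData\Roaming) and the event records are assumptions made for the demonstration; the config values themselves are the ones listed above.

```python
"""Derive host/network indicators from the AsyncRAT config above and match
them against sample telemetry.

Added example for this report page; not the sample's own code. The config
values are copied from the "Malware Config" section. The AppData location
and the event records are constructed for the demonstration.
"""
from typing import Iterable

# Values copied from the report's "Malware Config" section.
ASYNCRAT_CONFIG = {
    "family": "asyncrat",
    "version": "0.5.7B",
    "hosts": ["milanooffice.hopto.org", "51.68.180.4"],
    "ports": [6606, 7707, 8808, 4040, 5058, 80],
    "mutex": "AsyncMutex_6SI8OkPnk",
    "delay": 3,            # seconds; listed in the config, not used for matching here
    "install": True,
    "install_file": "adobe.exe",
    "install_folder": "%AppData%",
}

# Assumed AppData location for the sandbox user; on real hosts it varies per profile.
ASSUMED_APPDATA = r"C:\Users\Admin\AppData\Roaming"


def c2_endpoints(cfg: dict) -> set:
    """Every (host, port) pair the implant may try: the report lists hosts x ports."""
    return {(host, port) for host in cfg["hosts"] for port in cfg["ports"]}


def persistence_path(cfg: dict, appdata: str = ASSUMED_APPDATA) -> str:
    """Expand %AppData% in install_folder and append install_file."""
    folder = cfg["install_folder"].replace("%AppData%", appdata)
    return folder.rstrip("\\") + "\\" + cfg["install_file"]


def match_events(cfg: dict, events: Iterable[dict], appdata: str = ASSUMED_APPDATA) -> list:
    """Return one readable hit per event that matches a derived indicator."""
    endpoints = c2_endpoints(cfg)
    drop_path = persistence_path(cfg, appdata).lower()
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "netconn" and (ev["dst"], ev["port"]) in endpoints:
            hits.append(f"C2 connection {ev['dst']}:{ev['port']} from pid {ev['pid']}")
        elif kind == "mutex" and ev["name"] == cfg["mutex"]:
            hits.append(f"AsyncRAT mutex {ev['name']} created by pid {ev['pid']}")
        elif kind == "file" and ev["path"].lower() == drop_path:
            hits.append(f"implant copy written to {ev['path']} by pid {ev['pid']}")
    return hits


# Constructed telemetry for the demonstration (not taken from the report).
SAMPLE_EVENTS = [
    {"type": "netconn", "pid": 1337, "dst": "51.68.180.4", "port": 6606},
    {"type": "netconn", "pid": 1337, "dst": "milanooffice.hopto.org", "port": 80},
    {"type": "netconn", "pid": 2001, "dst": "51.68.180.4", "port": 443},   # port not in config
    {"type": "mutex", "pid": 1337, "name": "AsyncMutex_6SI8OkPnk"},
    {"type": "file", "pid": 1337, "path": r"C:\Users\Admin\AppData\Roaming\adobe.exe"},
    {"type": "file", "pid": 1337, "path": r"C:\Users\Admin\AppData\Local\adobe.exe"},  # wrong folder
]

if __name__ == "__main__":
    for hit in match_events(ASYNCRAT_CONFIG, SAMPLE_EVENTS):
        print(hit)
```

The endpoint set has twelve entries, matching the twelve C2 lines in the report. Two caveats when reusing these indicators: milanooffice.hopto.org is a dynamic-DNS name, so the 51.68.180.4 address can change and the hostname is the more durable of the two, and the port-80 entries are only meaningful together with the host. The install path depends on the logged-in user's profile, and the mutex name is specific to this build.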