General
Target: AsyncClient.exe
Size: 45KB
Sample: 230323-vjteqsba3w
MD5: 396113eb702441f9d4377425caa87188
SHA1: cdb100adec115eab8239f8d14da3ea3e64c1570c
SHA256: ec93adc0594e2c2fb8360d594d434bd5a217f2fb7d4184e086220fcae3886c9f
SHA512: daf3c73adbde89d21b4928a541712843d9423c355a74013ac222df3d08f763862f31e31a1e110d683d063f2ce7b208dd6c64d4665a4f088c001d68d0fcf1b34e
SSDEEP: 768:LudbM1T1fzFPWUDCytmo2qIWKjGKG6PIyzjbFgX3i89bccImEpJp8Mf2uFd0BDZV:LudbM1T1b12qKYDy3bCXS8JcBTpJiuF4
Behavioral task: behavioral1
Sample: AsyncClient.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: AsyncClient.exe
Resource: win10v2004-20230220-en
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: COM Surrogate
C2:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:1604
127.0.0.1:14576
127.0.0.1:15074
127.0.0.1:15018
4.tcp.eu.ngrok.io:6606
4.tcp.eu.ngrok.io:7707
4.tcp.eu.ngrok.io:8808
4.tcp.eu.ngrok.io:1604
4.tcp.eu.ngrok.io:14576
4.tcp.eu.ngrok.io:15074
4.tcp.eu.ngrok.io:15018
7.tcp.eu.ngrok.io:6606
7.tcp.eu.ngrok.io:7707
7.tcp.eu.ngrok.io:8808
7.tcp.eu.ngrok.io:1604
7.tcp.eu.ngrok.io:14576
7.tcp.eu.ngrok.io:15074
7.tcp.eu.ngrok.io:15018
6.tcp.eu.ngrok.io:6606
6.tcp.eu.ngrok.io:7707
6.tcp.eu.ngrok.io:8808
6.tcp.eu.ngrok.io:1604
6.tcp.eu.ngrok.io:14576
6.tcp.eu.ngrok.io:15074
6.tcp.eu.ngrok.io:15018
Mutex: COM Surrogate
Attributes:
delay: 3
install: true
install_file: Microsoftfixer.exe
install_folder: %AppData%
Targets
Target: AsyncClient.exe
Size: 45KB
Hashes: MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above (same file)
Score: 10/10
Signatures:
- Async RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2