General
Target: f6bcf841be92d6f3dd70342ac47d7656.bin
Size: 1KB
Sample: 230324-cxw4nsdf9s
MD5: 2af2df145c69c19bee317226b1f6f295
SHA1: b7d6339469a277e82078b073cb3de9e820af6812
SHA256: 6737ae8ed6a0d6b805471633b074a54e6d1282b74441a3bcc58cf3b953ecac09
SHA512: a6c388f9f73563e0c8dbfc7668c9a49ec926e7645852e99c5a49ba60ba7be90c350d78fc65af800e0161bb6b093b9c8dee9ed0fed44f35328b2a67b64eb0fa35
Static task: static1
Behavioral task: behavioral1
Sample: ac9b68f6b0036e76adad58e6d1fd4c2d043e9ef53ac516ca38945bdfa3283312.js
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: ac9b68f6b0036e76adad58e6d1fd4c2d043e9ef53ac516ca38945bdfa3283312.js
Resource: win10v2004-20230220-en
Malware Config
Extracted family: asyncrat
3LOSH RAT
newmekha
pop11.linkpc.net:6606
pop11.linkpc.net:6666
pop11.linkpc.net:7707
pop11.linkpc.net:8808
198.244.206.24:6606
198.244.206.24:6666
198.244.206.24:7707
198.244.206.24:8808
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Targets
Target: ac9b68f6b0036e76adad58e6d1fd4c2d043e9ef53ac516ca38945bdfa3283312.js
Size: 92KB
MD5: f6bcf841be92d6f3dd70342ac47d7656
SHA1: 8c45f916b43b3f689f290a3a340432d06c10e317
SHA256: ac9b68f6b0036e76adad58e6d1fd4c2d043e9ef53ac516ca38945bdfa3283312
SHA512: 6e68532f29e5b8e8a874677f3fdefa1d3d600090dd369e113bcd849229b28ccbdccc0e2b092dc27f0491581c9db8b013f347319154cd906f333642a05337d215
SSDEEP: 1536:xkkkkkkkkkkk+kkkkkkkkkkk4Wkkkkkkkkkkkekkkkkkkkkkk6kkkkkkkkkkk56O:xkkkkkkkkkkk+kkkkkkkkkkkrkkkkkk0
Score: 10/10
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Async RAT payload
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Registers COM server for autorun
- Suspicious use of SetThreadContext