General
- Target: hyphon_loader.exe
- Size: 2.9MB
- Sample: 230402-xle18sbc41
- MD5: f507171192dd73378849dfb8250162cd
- SHA1: 9a7c58e5ed76de2d73d64ae872da6517ccc9d88f
- SHA256: 7b3e39a2100d7cc1ce61b8fa8c22f384a920aafd129747c56ca0fcb719122020
- SHA512: c1a5a3ef7bbbab501ddae561cfd0485d491e5955e75027d3087fc2a10b2c8bbdfe7c37474c20bf10957ea0ed0c6d80d1c11c5ea5bde3e04e66da9638fa1ddd00
- SSDEEP: 49152:/Y2zrFhW97EqIm3JV38UlVUpIekMqhKy2F/wZbFTLhzpbEt2Gs3OAvUwn7lV5te6:/zy9Qqf3JVsUlVUFlybfhzi20AB59Cw
Behavioral task
- behavioral1
- Sample: hyphon_loader.exe
- Resource: win7-20230220-en
Malware Config
Extracted
- asyncrat
- 1.0.7
- Legacy
- legacyud.duckdns.org:55108
- legacyud.duckdns.org:57913
- 4278904ry7saigfhjaksfgfshajkgfshkajfghkjsfghsksfahlgjlhgjfasdGLHSAFLGHJSAHJGEF7024TY4297T6497425642725244256742567567246724567245672436572436579ESFHJIFVGIUAFSGISAYGAFSGYUIAFSGYUAFSGYIUAFSGYUAFSGYSAFYGYUFAIYGAFSYGUIFASYGIFASGY216934624684768246782467824678924
- delay: 1
- install: true
- install_file: svchost.exe
- install_folder: %AppData%
Targets
- Target: hyphon_loader.exe
- Size: 2.9MB
- Async RAT payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger