General
Target: ONAYLA.gz.zip
Size: 974KB
Sample: 230526-ntewrsfc38
MD5: 84d06fb1c7e2ac6556e9dc48cb2ec4be
SHA1: a5d22d83d2ba5fd71308e1f95d26920db8f81d24
SHA256: 0a0d29e382423a87fc883e03c6e198ed06ee337bc28ee8c42e405f4ecad4759f
SHA512: 1da258cf5bf9ee0dcc5cd6c809ad28a14ff5a36bded30902c3e435575cf41889f8d18ece1bcf086ab03223130d7379722cd0248ae1a5d462ed1b907c299dd283
SSDEEP: 24576:WgfXvAS6uwJ36KrtjGcE9L+qzfDe6HHAUf1ZBK:t4JKKrty2q1HE
Static task: static1
Behavioral task: behavioral1
Sample: ONAYLA.exe
Resource: win7-20230220-en
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: MxGroup
C2: frontbrockmepronto.ddns.net:4343
C2: frontbrockmepronto.ddns.net:5757
C2: frontbrockmepronto.sytes.net:4343
C2: frontbrockmepronto.sytes.net:5757
Mutex: AsyncMutex_6SI8OkPtD
Attributes:
  delay: 3
  install: true
  install_file: procs.exe
  install_folder: %AppData%
Targets
Target: ONAYLA.exe
Size: 1.1MB
MD5: 481070cd319071d67812ffc598ebf3a6
SHA1: 8fd7e4efaca5aee63d72265d4373b1bf7bd9c4de
SHA256: 7570583507a88122beae60126d30e6ef9a0ecdf6d6e5cbfa5eadfbf2beea1f6f
SHA512: dde0a9c0bf6314431d08cfb2c9bfa1a65e2c29a9f1a7d1fddff3c7db0451de7541bc586cf7bcca8347773f81847e0fb80b035d05944373060eb1b07edba76ca0
SSDEEP: 24576:wNA3R5drXwDhUSW6wJ3KKltLCco9ReqdfDeWH5AOPbZCw:p5WuJaKltWCqB5T
Signatures:
Async RAT payload
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext: this API rewrites another thread's register state and is the usual way injected or hollowed code is started in a target process.
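The extracted config and the payload hashes above are directly usable as indicators. The block below is an added example, not part of the sandbox report, that turns them into a small IOC matcher and a hash check. The domains, ports, mutex, install file and hashes are copied from the report; the key=value telemetry line format and the log lines themselves are constructed for illustration and are an assumption, as is the expansion of %AppData% to the user's AppData\Roaming folder (the default on a standard Windows profile).

```python
"""IOC matcher built from the AsyncRAT config in the report above.

Added example: indicators are the report's, log lines are constructed.
"""
import hashlib
import re

# --- Indicators copied from the extracted config ---
C2_HOSTS = {"frontbrockmepronto.ddns.net", "frontbrockmepronto.sytes.net"}
C2_PORTS = {4343, 5757}
MUTEX = "AsyncMutex_6SI8OkPtD"
INSTALL_FILE = "procs.exe"
# Assumption: %AppData% resolves to ...\AppData\Roaming\ (default Windows profile).
INSTALL_PATH_RE = re.compile(r"\\AppData\\Roaming\\procs\.exe$", re.IGNORECASE)

# --- Hashes of the dropped payload (ONAYLA.exe) from the report ---
REPORT_HASHES = {
    "md5": "481070cd319071d67812ffc598ebf3a6",
    "sha1": "8fd7e4efaca5aee63d72265d4373b1bf7bd9c4de",
    "sha256": "7570583507a88122beae60126d30e6ef9a0ecdf6d6e5cbfa5eadfbf2beea1f6f",
}


def hashes_of(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string, the algorithms the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def is_reported_sample(data: bytes, expected: dict = REPORT_HASHES) -> bool:
    """True only if every listed digest matches; one mismatch is a different file."""
    got = hashes_of(data)
    return all(got[alg] == digest for alg, digest in expected.items())


# Assumed telemetry format: space-separated key=value, values may be quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one 'key=value key="quoted value"' line into a dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(ev: dict) -> list:
    """Return the indicator names an event matches (empty list if none)."""
    hits = []
    image = ev.get("image", "")
    if INSTALL_PATH_RE.search(image):
        hits.append("install_path")
    if ev.get("event") == "DnsQuery" and ev.get("query", "").lower() in C2_HOSTS:
        hits.append("c2_dns")
    if ev.get("event") == "NetworkConnect":
        dst = ev.get("dst", "")
        port = int(dst.rsplit(":", 1)[1]) if ":" in dst else 0
        # 4343/5757 are unreserved ports; on their own they are too weak,
        # so a port hit only counts when the process is the installed copy.
        if port in C2_PORTS and "install_path" in hits:
            hits.append("c2_port")
    if ev.get("event") == "CreateMutant" and ev.get("name") == MUTEX:
        hits.append("mutex")
    return hits


def scan(lines) -> list:
    """Return [(line_number, [reasons])] for every line matching an indicator."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = classify(parse_event(line))
        if hits:
            out.append((n, hits))
    return out


# Constructed telemetry, not from the sandbox run.
SAMPLE_LOGS = [
    'event=ProcessCreate image="C:\\Users\\victim\\AppData\\Roaming\\procs.exe" parent="C:\\Users\\victim\\Downloads\\ONAYLA.exe"',
    'event=CreateMutant image="C:\\Users\\victim\\AppData\\Roaming\\procs.exe" name=AsyncMutex_6SI8OkPtD',
    'event=DnsQuery image="C:\\Users\\victim\\AppData\\Roaming\\procs.exe" query=frontbrockmepronto.ddns.net',
    'event=NetworkConnect image="C:\\Users\\victim\\AppData\\Roaming\\procs.exe" dst=203.0.113.5:4343',
    'event=DnsQuery image="C:\\Windows\\System32\\svchost.exe" query=time.windows.com',
    'event=NetworkConnect image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dst=198.51.100.7:5757',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(reasons)}")
```

The DDNS hostnames are the strongest network indicator here, since the operator can re-point them at any address, so the matcher keys on the queried name rather than on a resolved IP. The Firefox connection to port 5757 in the constructed logs is deliberately left unflagged: without the install path or the mutex alongside it, a bare port match would be noise.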