General
- Target: Real Grabber AttemptX.exe
- Size: 49KB
- Sample: 230730-rm8r2she68
- MD5: c0f3be5eb43f4fc4cbbe6aea2e0cf60c
- SHA1: 4c8405c753319c761d96829b97588dda7b3d60c9
- SHA256: 04a255c99fa4ef127648d896641a42e7aaa7c3bcdbef9ab0410195ebabab7ddc
- SHA512: bc856e2c416294c4fc6f4e170eae3b2818ea344e578d60fae1299d25ebffc2fda4316040ec31fea3b33edd942c3d892cc55bf26c7018dc286219d9322f008395
- SSDEEP: 1536:vuiD1TUKg2cwP66IoFblXSlEUhuV0dSEfE:vuixTUKg2cwPaoFblM9hBAWE
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- svhost
- C2 (host:port): 5.tcp.eu.ngrok.io:4824, 5.tcp.eu.ngrok.io:14829
- Discord Inc
- delay: 3
- install: true
- install_file: svhost.exe
- install_folder: %AppData%
Targets
- Target: Real Grabber AttemptX.exe
- Size: 49KB
- MD5: c0f3be5eb43f4fc4cbbe6aea2e0cf60c
- SHA1: 4c8405c753319c761d96829b97588dda7b3d60c9
- SHA256: 04a255c99fa4ef127648d896641a42e7aaa7c3bcdbef9ab0410195ebabab7ddc
- SHA512: bc856e2c416294c4fc6f4e170eae3b2818ea344e578d60fae1299d25ebffc2fda4316040ec31fea3b33edd942c3d892cc55bf26c7018dc286219d9322f008395
- SSDEEP: 1536:vuiD1TUKg2cwP66IoFblXSlEUhuV0dSEfE:vuixTUKg2cwPaoFblM9hBAWE
Signatures
- Async RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Legitimate hosting services abused for malware hosting/C2: the C2 endpoints in the extracted config are ngrok TCP tunnel hostnames (5.tcp.eu.ngrok.io), which forward to an operator-controlled host whose real address does not appear in the sample.
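The following Python script is an added example, not part of the sandbox report or of the AsyncRAT project: it turns the indicators above (the file hashes, the ngrok C2 endpoints, the %AppData%\svhost.exe install path from the config, and the registry location lookup) into detection logic and runs it over a few constructed endpoint-log lines. The log format and field names are made up for the example; the registry value HKCU\Control Panel\International\Geo\Nation is an assumption, since the report does not name the exact key it observed; and the ngrok check deliberately generalises the two hosts in the config to any ngrok TCP tunnel endpoint.

```python
import re
from pathlib import PureWindowsPath

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "md5": "c0f3be5eb43f4fc4cbbe6aea2e0cf60c",
    "sha1": "4c8405c753319c761d96829b97588dda7b3d60c9",
    "sha256": "04a255c99fa4ef127648d896641a42e7aaa7c3bcdbef9ab0410195ebabab7ddc",
}
C2_ENDPOINTS = {("5.tcp.eu.ngrok.io", 4824), ("5.tcp.eu.ngrok.io", 14829)}
INSTALL_FILE = "svhost.exe"              # config: install_file (a lookalike of svchost.exe)
INSTALL_FOLDER = "\\AppData\\Roaming\\"  # config: install_folder, %AppData% expanded

# Generalisation: any ngrok TCP tunnel endpoint (5.tcp.eu.ngrok.io, 2.tcp.ngrok.io, ...),
# because the report's point is the abuse of ngrok, not these two hostnames alone.
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$", re.IGNORECASE)
# Assumption: the "country code in the registry" lookup is a read of the GeoID value;
# the report does not name the key it observed.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)

# key=value or key="value with spaces"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed log lines (not sandbox output), in a made-up '<ts> <event> k=v ...' format.
# The 3-second gap before svhost.exe starts mirrors the config's delay=3.
SAMPLE_LOG = r"""
2023-07-30T15:01:00Z process_create image="C:\Users\victim\Downloads\Real Grabber AttemptX.exe" sha256=04a255c99fa4ef127648d896641a42e7aaa7c3bcdbef9ab0410195ebabab7ddc
2023-07-30T15:01:03Z process_create image="C:\Users\victim\AppData\Roaming\svhost.exe" parent="C:\Users\victim\Downloads\Real Grabber AttemptX.exe"
2023-07-30T15:01:04Z registry_read key="HKCU\Control Panel\International\Geo\Nation"
2023-07-30T15:01:06Z net_connect host=5.tcp.eu.ngrok.io port=4824
2023-07-30T15:01:07Z net_connect host=update.microsoft.com port=443
2023-07-30T15:01:09Z net_connect host=2.tcp.ngrok.io port=12345
2023-07-30T15:02:00Z process_create image="C:\Windows\System32\svchost.exe" parent="C:\Windows\System32\services.exe"
"""


def parse_event(line):
    """Split a log line into timestamp, event name and key/value fields; None if malformed."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return None
    rest = parts[2] if len(parts) > 2 else ""
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(rest)}
    return {"ts": parts[0], "event": parts[1], "fields": fields}


def detect(ev):
    """Return the names of every indicator from the report that this event matches."""
    hits = []
    f = ev["fields"]
    if ev["event"] == "process_create":
        image = f.get("image", "")
        # Dropped payload: svhost.exe written under %AppData% and executed.
        if PureWindowsPath(image).name.lower() == INSTALL_FILE and INSTALL_FOLDER.lower() in image.lower():
            hits.append("asyncrat_install_path")
        for algo, digest in SAMPLE_HASHES.items():
            if f.get(algo, "").lower() == digest:
                hits.append(f"known_sample_{algo}")
    elif ev["event"] == "net_connect":
        host = f.get("host", "").lower()
        port = int(f.get("port", "0"))
        if (host, port) in C2_ENDPOINTS:      # exact endpoints from the extracted config
            hits.append("asyncrat_c2_endpoint")
        if NGROK_TCP_RE.match(host):          # any ngrok TCP tunnel, per the hosting-abuse signature
            hits.append("ngrok_tcp_tunnel")
    elif ev["event"] == "registry_read":
        if GEO_NATION_RE.search(f.get("key", "")):
            hits.append("geo_nation_lookup")
    return hits


def scan(log_text):
    """Run detect() over every line; return [(ts, event, hits)] for lines that matched."""
    results = []
    for line in log_text.splitlines():
        ev = parse_event(line.strip())
        if ev is None:
            continue
        hits = detect(ev)
        if hits:
            results.append((ev["ts"], ev["event"], hits))
    return results


if __name__ == "__main__":
    for ts, event, hits in scan(SAMPLE_LOG):
        print(f"{ts} {event:15} {', '.join(hits)}")
```

The hash and exact-endpoint checks only catch this sample and its current tunnels; the install-path and ngrok-tunnel checks are the ones that survive a rebuilt binary or a new tunnel, so in a real pipeline they belong in the alert logic and the hashes in an enrichment list.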