General
- Target: 8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe
- Size: 666KB
- Sample: 231004-wrmslaff96
- MD5: 07478a5c4795897c09745378c750f8ca
- SHA1: 1ae0911fd5fa57d1b94ecef287af30d4845c3019
- SHA256: 8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f
- SHA512: 5af0fde061350ee63b8e0b31104397c4be2ceacbba2ba08557c9872b6fefc676676f18b0f51d4d2504d1b0f5c8123d004e262e77cb4697867cb6406e26ce56b2
- SSDEEP: 12288:JcrNS33L10QdrX4FBojL8DPNYnzENFuUftj8Y+JxeIlTPYQZjDa321uz:0NA3R5drX4GcPNYo7vljEUIlLY+Da34K
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe
  - Resource: win7-20230831-en

Behavioral task
- behavioral2
  - Sample: 8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe
  - Resource: win10v2004-20230915-en
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default10
- C2:
  - qpurrybeatmecamtest.ddns.net:5987
  - qpurrybeatmecamtest.ddns.net:6978
- Mutex: AsyncMutex_4SI8ObPTc
- delay: 3
- install: true
- install_file: cestm.exe
- install_folder: %AppData%
Targets
- Target: 8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe
- Size: 666KB
- MD5: 07478a5c4795897c09745378c750f8ca
- SHA1: 1ae0911fd5fa57d1b94ecef287af30d4845c3019
- SHA256: 8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f
- SHA512: 5af0fde061350ee63b8e0b31104397c4be2ceacbba2ba08557c9872b6fefc676676f18b0f51d4d2504d1b0f5c8123d004e262e77cb4697867cb6406e26ce56b2
- SSDEEP: 12288:JcrNS33L10QdrX4FBojL8DPNYnzENFuUftj8Y+JxeIlTPYQZjDa321uz:0NA3R5drX4GcPNYo7vljEUIlLY+Da34K

Signatures
- Async RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext