General

Target: invoice#976542164311.wsf
Size: 59KB
Sample: 231116-zh55csfd47
MD5: 7cdd28a5731bf8172666651cdd542957
SHA1: c1fd4c2ab361adc25f8494b7e3ad238f7db070e3
SHA256: 8a29a4ea9ef7b922eb5134e49c6427c1732ed277f8eee14c20262ad6ef8c4495
SHA512: 26446f986a1676a21b07fbb30abfb2a88a6c440115bc3438e9d694da4dc44eafd0d6f8eedf59ffcb77606f81e8925af5b3732202f7c39196a7c5f975a139d96f
SSDEEP: 384:ERRRRRRRRRRRFRRRRRRRRRRRERRRRRRRRRRR9gqT3z5aJpIV6F53RRRRRRRRRRRv:j/rz52pIy5d
Static task: static1

Behavioral task: behavioral1
Sample: invoice#976542164311.wsf
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: invoice#976542164311.wsf
Resource: win10-20231023-en
Malware Config

Extracted family: asyncrat
| Edit 3LOSH RAT
Sended@
hexrxr.duckdns.org:6606
hexrxr.duckdns.org:7707
hexrxr.duckdns.org:8808
AsyncMutex_85&$nkeo4%hifbe
delay: 3
install: false
install_folder: %AppData%
Targets

Target: invoice#976542164311.wsf
Signatures:
- Detect ZGRat V1
- Async RAT payload
- Blocklisted process makes network request
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext