Extracted

Extracted

• • Target

    c1f27ac59d8593cf793e62ca237d4628.jpg

  • Size

    37KB

  • MD5

    69ba026f767584e4ff4fbaeb75bfc371

  • SHA1

    f9e51ecce7c73711fa263705e309514473517964

  • SHA256

    417fffcbb33ed735a6dd12e454b5f8c76a7080bc65a9ac3bd1ca09e1e44ada8c

  • SHA512

    9a948cf6addc93148ab6d21678cfaf08ad10a6ae52d4a48cb8cd48138a32614f0d6f326923f299529788e5dcd360ccdf14d16c12a855565649f784a21a16332b

  • SSDEEP

    768:8oc8hZ439FuMvhmQPotSvDVAyS8z4AMkJf1BuOjKgTM5XYwCwVbi:8d39Fusj0Svu0z4AME1BuQhTMpYt

  Score

  10^/10

  asyncrattoxiceyedefagilenetpersistenceratspywarestealertrojan

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye

  • Async RAT payload

    rat

  • Downloads MZ/PE file

  • Modifies Installed Components in the registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2