General
Target: f111e483a57a3b7eb2ab0d1e773445796106e411f98482e8ff12c0da3b673e2c
Size: 43KB
Sample: 231124-hp5zhahd51
MD5: 21bc89b62236a92090a9b9732ce09b5e
SHA1: c5f64406c8ebe694d853a867d32e0f0912f86272
SHA256: f111e483a57a3b7eb2ab0d1e773445796106e411f98482e8ff12c0da3b673e2c
SHA512: 4d56041226a4b14c94a9e05a4217e7dfff403c6b2c23f1067f0a7e6ed352477668594f74e9ddf3b86cd155c40939cb71002abc9c124fc73faa746dfc257bc1c3
SSDEEP: 96:jvZm8MrZx3iwSndBq4H5kdc6PkBNNlRGGadekHytUZfLJh6OZZR/YmWZrzNt:j4R1VXcM/G7qfLJh6OZ4mWD
Static task: static1
Behavioral task: behavioral1
Sample: f111e483a57a3b7eb2ab0d1e773445796106e411f98482e8ff12c0da3b673e2c.exe
Resource: win10v2004-20231023-en
Malware Config
Extracted
asyncrat 0.5.7B
MicrosoftEdg
46.1.103.69:9371
MicrosoftEdg
delay: 3
install: false
install_file: MicrosoftEdge
install_folder: %AppData%
Extracted
asyncrat 0.5.7B
MicrosoftEdge
46.1.103.69:9371
MicrosoftEdge
delay: 3
install: false
install_file: MicrosoftEdge
install_folder: %AppData%
Extracted
asyncrat 0.5.7B
Winlogon
46.1.103.69:2341
Winlogon
delay: 3
install: false
install_file: Winlogon
install_folder: %AppData%
Targets
- Detect ZGRat V1
- Async RAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext