General
-
Target
Infected.exe
-
Size
63KB
-
Sample
231129-nkzjtafh7t
-
MD5
0d5f683e10eb28000597e3c3d2594741
-
SHA1
a2fe5ca6ce2d9c3ff7fb733ee6a707c0dda17667
-
SHA256
bf7a53c5db252212663303fd5492a75244b43beabbcc5a59b131ee46f8bbeb40
-
SHA512
4d6341e43f3001c5ae6d38e7645d58f09849e6caf58f9879f52f1ec220bc0f306fab3d63c1c3f91b182f31b48d7d5f449654a32d103bc197102ea464e2525e56
-
SSDEEP
768:Qv0M2UM/978aQC8A+XjlazcBRL5JTk1+T4KSBGHmDbD/ph0oXn9Nd9QeSu0dpqKX:b1/k/dSJYUbdh9nn/Su0dpqKmY7
Behavioral task
behavioral1
Sample
Infected.exe
Resource
win10v2004-20231127-en
Malware Config
Extracted
asyncrat
Default
127.0.0.1:3232
127.0.0.1:13116
4.tcp.eu.ngrok.io:3232
4.tcp.eu.ngrok.io:13116
弗吾9g吾吉ΔdgTXBG杰Η诶k7
-
delay
1
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
Infected.exe
-
Size
63KB
-
MD5
0d5f683e10eb28000597e3c3d2594741
-
SHA1
a2fe5ca6ce2d9c3ff7fb733ee6a707c0dda17667
-
SHA256
bf7a53c5db252212663303fd5492a75244b43beabbcc5a59b131ee46f8bbeb40
-
SHA512
4d6341e43f3001c5ae6d38e7645d58f09849e6caf58f9879f52f1ec220bc0f306fab3d63c1c3f91b182f31b48d7d5f449654a32d103bc197102ea464e2525e56
-
SSDEEP
768:Qv0M2UM/978aQC8A+XjlazcBRL5JTk1+T4KSBGHmDbD/ph0oXn9Nd9QeSu0dpqKX:b1/k/dSJYUbdh9nn/Su0dpqKmY7
-
Async RAT payload
-
Renames multiple (1263) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-