General
Target: VhDMUS0I_s2fzHm6OttwA-M9zHN2oWAUImZx-UxRpRo.bin
Size: 38KB
Sample: 240125-zbw8wafggm
MD5: eb88cef471240cc3a0dc91d7f741fae4
SHA1: 2d675a54746ae329a5aedabb6aa41028c1095279
SHA256: 5610cc512d08facd9fcc79ba3adb7003f33dcc7376a16014226671fd4c51a51a
SHA512: b4286d9916e572d1adea24e23eb2449ed629386448bad1a407348002a7998ee7b24c17be86410b6db26e9aa20b8af94894f7607d0d59c76694e966f6c2a436ee
SSDEEP: 768:pWuVt1xvGA31VGhhy4Vm/D6owtYrezXmTWuVt1xvGA31VGhhy4Vm/D6owtYrezXR:Ys++IXBs++IXR
Static task: static1
Behavioral task: behavioral1
  Sample: VhDMUS0I_s2fzHm6OttwA-M9zHN2oWAUImZx-UxRpRo.wsf
  Resource: win7-20231215-en
Malware Config
Extracted (URL): https://nodejs.org/download/release/v6.17.1/win-x64/node.exe
  This is a legitimate Node.js 6.17.1 release binary fetched from the official download server; the "Downloads MZ/PE file" and "Executes dropped EXE" signatures below most likely correspond to fetching and running it.
Extracted (asyncrat)
  Family: asyncrat
  Version: AWS | 3Losh
  Botnet: Default
  C2: boty.theworkpc.com:6606, boty.theworkpc.com:7707, boty.theworkpc.com:8808
  Mutex: AsyncMutex_alo47
  delay: 3
  install: false
  install_folder: %AppData%
  Note: delay is the number of seconds the client sleeps before starting its C2 loop. With install set to false the payload does not copy itself into install_folder, so %AppData% here is the builder default, not a persistence path to expect on disk.
Targets
Target: VhDMUS0I_s2fzHm6OttwA-M9zHN2oWAUImZx-UxRpRo.bin (38KB; hashes as listed under General)
Signatures:
- Detect ZGRat V1
- Async RAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Suspicious use of SetThreadContext
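The extracted configuration and the behavioral signatures above translate directly into hunting logic. The following is an added example written for this report, not sandbox output or code from the sample: it turns the C2 host, ports and mutex from the config into matching rules and runs them over a few constructed log lines. Everything not on the page is an assumption made here: the log line format, the choice of wscript.exe/cscript.exe as the script hosts that would run the .wsf, the `HKCU\Control Panel\International\Geo` key as the registry location behind the "Checks computer location settings" signature, and the use of node.exe as the process name in the constructed lines.

```python
"""
Detection logic derived from the AsyncRAT config extracted on this page,
run over constructed log lines. Added example for this report; it is not
sandbox code, and the log format and process names are invented here.
"""
import re
from dataclasses import dataclass

# Indicators taken from the extracted config.
C2_HOST = "boty.theworkpc.com"
C2_PORTS = {6606, 7707, 8808}
MUTEX = "AsyncMutex_alo47"
# First extracted URL: a legitimate Node.js release binary used as a loader.
LOADER_URL = "https://nodejs.org/download/release/v6.17.1/win-x64/node.exe"

# Assumptions for this example, not stated on the page: the .wsf runs under a
# Windows script host, and the geofence check reads the user's Geo registry key.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
GEO_KEY = r"hkcu\control panel\international\geo"

# Constructed log format: "<timestamp> <kind> <process> key=value key="v w" ..."
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|conn|http|mutex|reg) (?P<proc>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    line_no: int
    rule: str
    severity: str
    detail: str


def _fields(rest: str) -> dict:
    """Parse 'k=v k2="v with spaces"' into a dict (quoted values may contain spaces)."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(rest)}


def scan(lines):
    """Return one Finding per log line that matches an indicator from the config."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown record type: skip rather than fail the whole scan
        kind, proc, f = m["kind"], m["proc"].lower(), _fields(m["rest"])

        if kind == "dns" and f.get("query", "").lower().rstrip(".") == C2_HOST:
            findings.append(Finding(n, "asyncrat_c2_dns", "high", f["query"]))

        elif kind == "conn" and f.get("dst", "").lower() == C2_HOST:
            port = int(f.get("port", "0"))
            # A connection on a configured port is the RAT check-in; any other
            # port to the same host is still worth a look, at lower severity.
            sev = "high" if port in C2_PORTS else "medium"
            findings.append(Finding(n, "asyncrat_c2_conn", sev, f"{C2_HOST}:{port}"))

        elif kind == "http" and f.get("url") == LOADER_URL:
            # nodejs.org is benign on its own; only a script host fetching the
            # binary is odd, which is what "Downloads MZ/PE file" points at.
            if proc in SCRIPT_HOSTS:
                findings.append(Finding(n, "script_host_fetches_pe", "medium", f"{proc} -> {LOADER_URL}"))

        elif kind == "mutex" and f.get("name") == MUTEX:
            findings.append(Finding(n, "asyncrat_mutex", "high", MUTEX))

        elif kind == "reg" and proc in SCRIPT_HOSTS and f.get("key", "").lower().startswith(GEO_KEY):
            findings.append(Finding(n, "script_host_geofence_lookup", "low", f["key"]))
    return findings


# Constructed sample log, not from the sandbox run.
SAMPLE_LOG = [
    "2024-01-25T10:00:01Z http chrome.exe url=https://nodejs.org/download/release/v6.17.1/win-x64/node.exe status=200",
    "2024-01-25T10:00:02Z http wscript.exe url=https://nodejs.org/download/release/v6.17.1/win-x64/node.exe status=200",
    '2024-01-25T10:00:03Z reg wscript.exe key="HKCU\\Control Panel\\International\\Geo\\Nation" op=query',
    "2024-01-25T10:00:05Z dns node.exe query=boty.theworkpc.com.",
    "2024-01-25T10:00:06Z conn node.exe dst=boty.theworkpc.com port=6606",
    "2024-01-25T10:00:07Z conn node.exe dst=boty.theworkpc.com port=443",
    "2024-01-25T10:00:08Z mutex node.exe name=AsyncMutex_alo47",
    "2024-01-25T10:00:09Z dns chrome.exe query=nodejs.org",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: [{hit.severity}] {hit.rule}: {hit.detail}")
```

The browser download on the first line and the plain nodejs.org lookup on the last are deliberately left unflagged: the loader URL is a legitimate Node.js artifact, so the signal is the requesting process, not the destination. The same reasoning applies to the registry lookup, which only counts when it comes from a script host.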