General
- Target: a7adeed2290a6e7d4b061a44337ebbcdc91a9800e40cc96a31632e3e52d710ff.zip
- Size: 63.1MB
- Sample: 240402-qhb2vabc65
- MD5: a3c9bd712dbfc7d32a72f3c18ef39742
- SHA1: 10acba02e18819f8363a454c1540a1fdd1705de2
- SHA256: c4130272ae568854d135f55878fa1a40d8f659b0e48d570d1f0999f81548ed09
- SHA512: c8dca78e5ac4f916480afe6af3b247dd897555aaae560586e183ac8df0c9b06988bc51ac6f0ebab71775396a20f7a8bd85fb45a1150e9fdcd5983619e2c33032
- SSDEEP: 786432:Y2oSmLnsGqlkaN6iVHDsb40Rcg8EMh8b04HiaiumvBiByxLsPrbw34tUytBl1lZ0:Y24MVnMSEMhm7iaixt4bwgUwlBWGXkUG
Static task: static1

Behavioral task: behavioral1
- Sample: a7adeed2290a6e7d4b061a44337ebbcdc91a9800e40cc96a31632e3e52d710ff.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: a7adeed2290a6e7d4b061a44337ebbcdc91a9800e40cc96a31632e3e52d710ff.exe
- Resource: win10v2004-20240226-en
Malware Config

Extracted: asyncrat
| Edit 3LOSH RAT
Exodus_Market
leetboy.dynuddns.net:1339
AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: svchos.exe
- install_folder: %AppData%

Extracted: asyncrat
5.0.5
WDKILLER
blue.o7lab.me:4449
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
- delay: 1
- install: false
- install_folder: %AppData%
Targets
- Target: a7adeed2290a6e7d4b061a44337ebbcdc91a9800e40cc96a31632e3e52d710ff.exe
- Size: 63.2MB
- MD5: 0b459466e3619d2a29bb93ea2dac077a
- SHA1: b55a18a2d13589b81cae82c691d83e7961799d44
- SHA256: a7adeed2290a6e7d4b061a44337ebbcdc91a9800e40cc96a31632e3e52d710ff
- SHA512: ab1bd6465ce9e956bf4d9576552ab85541a6b6595817ca68e651264630d728388938b8f0b85353e2278bbee73b6ca427027fdfc8e1fc041a19467b41d29f320c
- SSDEEP: 1572864:iFffrC4ndj0tJT5vMiaUMeRBFGkdWEeJFj3w:gf24dj6T5TaUTBbdheXw

- Async RAT payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext