General
Target
https://sell-production.7bca50a0c064d476bbd1b6bdb43135ad.r2.cloudflarestorage.com/store/39750/listings/deliverables/TPSPoxR1tjvrw3nqDARFwixDWzQkPxHBxmBosA17.zip?response-content-disposition=attachment%3B%20filename%20%3D%22TPSPoxR1tjvrw3nqDARFwixDWzQkPxHBxmBosA17.zip%22&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=968c8ef1669cf97adff907d50b2038b0%2F20240425%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20240425T182141Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3600&X-Amz-Signature=912be15948c46a7ebbabffd74ae51fb92ebf673839a5f6d85b31ac54929b50ae
Sample
240425-w4psqade42
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://sell-production.7bca50a0c064d476bbd1b6bdb43135ad.r2.cloudflarestorage.com/store/39750/listings/deliverables/TPSPoxR1tjvrw3nqDARFwixDWzQkPxHBxmBosA17.zip?response-content-disposition=attachment%3B%20filename%20%3D%22TPSPoxR1tjvrw3nqDARFwixDWzQkPxHBxmBosA17.zip%22&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=968c8ef1669cf97adff907d50b2038b0%2F20240425%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20240425T182141Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3600&X-Amz-Signature=912be15948c46a7ebbabffd74ae51fb92ebf673839a5f6d85b31ac54929b50ae
Resource
win10v2004-20240412-en
Behavioral task
behavioral2
Sample
https://sell-production.7bca50a0c064d476bbd1b6bdb43135ad.r2.cloudflarestorage.com/store/39750/listings/deliverables/TPSPoxR1tjvrw3nqDARFwixDWzQkPxHBxmBosA17.zip?response-content-disposition=attachment%3B%20filename%20%3D%22TPSPoxR1tjvrw3nqDARFwixDWzQkPxHBxmBosA17.zip%22&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=968c8ef1669cf97adff907d50b2038b0%2F20240425%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20240425T182141Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3600&X-Amz-Signature=912be15948c46a7ebbabffd74ae51fb92ebf673839a5f6d85b31ac54929b50ae
Resource
win11-20240412-en
Malware Config
Extracted
asyncrat
Default
delay
1
install
true
install_file
svchost.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/z5PQ82wE
Targets
Target
https://sell-production.7bca50a0c064d476bbd1b6bdb43135ad.r2.cloudflarestorage.com/store/39750/listings/deliverables/TPSPoxR1tjvrw3nqDARFwixDWzQkPxHBxmBosA17.zip?response-content-disposition=attachment%3B%20filename%20%3D%22TPSPoxR1tjvrw3nqDARFwixDWzQkPxHBxmBosA17.zip%22&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=968c8ef1669cf97adff907d50b2038b0%2F20240425%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20240425T182141Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3600&X-Amz-Signature=912be15948c46a7ebbabffd74ae51fb92ebf673839a5f6d85b31ac54929b50ae
Async RAT payload
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2