General
- Target: updater.exe
- Size: 11.0MB
- Sample: 240509-ejg4pshd8v
- MD5: 2aef09aa9d8c5abc0efc5ecdffe3d989
- SHA1: a88b9c34bdd7fb19157be127daae59e82e206b7c
- SHA256: 873b8e34ed1b21cbcda6a874999ddb1e7a5513405b9e9327fcddc7965e79da8a
- SHA512: 006ca7e278eeb0a827e91722974ba6aa9aa5fdfa6c250eedce5bd6d7012dedbdd80b363f17847114bfd9a044131f44465c6d155b26a6170d109df240dab9cd5d
- SSDEEP: 196608:grk0YXXOshoKMuIkhVastRL5Di3unSE3OQMAgtrQn/CsMPNRRT:6YnOshouIkPftRL54Xnwg5iCsWN
Malware Config
Extracted: asyncrat
Xoshnaw
1877
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:1877
nerakar.duckdns.org:6606
nerakar.duckdns.org:7707
nerakar.duckdns.org:8808
nerakar.duckdns.org:1877
3YeYWvX7BQIk
- delay: 3
- install: true
- install_file: chroma.exe
- install_folder: %AppData%
Targets
- Target: updater.exe
- Async RAT payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.