General
-
Target
Hidden-Malware-BuilderV5-main.zip
-
Size
2.6MB
-
Sample
240530-qt7mwsac7v
-
MD5
d3de7ff429c8d05cb7ff4b1941d8bb0a
-
SHA1
e70963f512a73ad46a0be2ec31e6e7d30fe6365b
-
SHA256
60d598cba87775c68774967bfeeebc98cc01315f294872e417cccdd3e5c869ed
-
SHA512
1f3035dc16c66b7e97ffd01f0cfe02ee0c466d74e4aebe7dfa9978d6a310cef564e29d8237710dd5d539ace0e86828c6219f7f432515ceb49a9ff08f414d23c8
-
SSDEEP
49152:xeCBCiv3I9yUfFH9Py82t+OfzfSQSCaP52pNI7RnIWUMskmkekgVZmQC1kzcLbE8:pBCUY9rF5OfTdnaxwN+RnIWs2eOQYYc3
Static task
static1
Behavioral task
behavioral1
Sample
Hidden-Malware-BuilderV5-main/H-Malware Builder V5.exe
Resource
win7-20240508-en
Malware Config
Extracted
https://github.com/MalwareTeam/SecurityHealthService/raw/main/SecurityHealthService.exe
https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat
Extracted
asyncrat
1.0.7
Default
bay-helps.gl.at.ply.gg:36538
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
Hidden-Malware-BuilderV5-main/H-Malware Builder V5.exe
-
Size
407KB
-
MD5
c8f6d76b4ae82978272bde392561c4f4
-
SHA1
80447d36fcf88cc9caa806db53e22d9468cc31ee
-
SHA256
c981ebcf0c0cf857162ae35b9385c22d3198c2ec9ea00e37fcfe74a79eb3510e
-
SHA512
10fa87f050a9ceb658e443317158ef8b1dbaa9e183ec61b5e5e42adb562f7918d996134aba7f0bbad852def4d6b0824c7b9716628b554194d0fd95974de6b2ad
-
SSDEEP
12288:r5p4UNBN3aqeKNoRfwoZrHMBV9EwEcb8+DvtuWUb:r9N3aqPCRooZwBjEhcYcvYWUb
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Async RAT payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-