General

- Target: 27d5e1f8e49a537ecbd834bf1fa4ed193cba9401cedcc85232b82ef0aaf1b217.exe
- Size: 362KB
- Sample: 240630-bfzmssvckq
- MD5: 46019f266084534e1c19c1204e62a618
- SHA1: a5bbe2c21328c1f6e4f6498e2f1f30743b5883e9
- SHA256: 27d5e1f8e49a537ecbd834bf1fa4ed193cba9401cedcc85232b82ef0aaf1b217
- SHA512: e936bbdb21ca49a5bed8e088bd53f5faffd3cdd6df1b1179f0fe3830e3cc46d591f4f5b4f5e2ba96559ec042ba72efc6b63f1b406c469831664e14c6efdbb8e3
- SSDEEP: 6144:GBx7iw0qvLJXnlUGujCtjno6itQl+REw6FMG/UHQS8PUHIRA8yVYtFmCaxHU0bM:GTkqjVnl36ud0zR/6CtQ9PUHIG8Dn
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 27d5e1f8e49a537ecbd834bf1fa4ed193cba9401cedcc85232b82ef0aaf1b217.exe
  - Resource: win7-20240508-en
- Behavioral task: behavioral2
  - Sample: 27d5e1f8e49a537ecbd834bf1fa4ed193cba9401cedcc85232b82ef0aaf1b217.exe
  - Resource: win10v2004-20240611-en
Malware Config

Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: T
- C2: 20.199.8.16:1726
- Mutex: 31FGTEWnaxDE
- Attributes:
  - delay: 3
  - install: false
  - install_file: SeacrhIndexer
  - install_folder: %AppData%

Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: Y
- C2: 20.199.8.16:1726
- Mutex: eYLuHMmPZK7A
- Attributes:
  - delay: 3
  - install: false
  - install_file: SeacrhIndexer
  - install_folder: %AppData%
Targets

- Target: 27d5e1f8e49a537ecbd834bf1fa4ed193cba9401cedcc85232b82ef0aaf1b217.exe (the same file, with the same hashes, as listed under General)
- Detects file containing reversed ASEP Autorun registry keys
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (technique, then number of matching signatures in parentheses)

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Hide Artifacts (2): Hidden Files and Directories (2)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (4)
- Subvert Trust Controls (1): Install Root Certificate (1)