Extracted

• • Target

    3c0d368d28b89e894e6b568435b7e730N.exe

  • Size

    3.0MB

  • MD5

    3c0d368d28b89e894e6b568435b7e730

  • SHA1

    201419762e874bd24bbefd0dc4e896694432f3a0

  • SHA256

    246229260c7e76ec89aac6111b8eff0c843e9e9044c518fe16830ae37ec3c0ce

  • SHA512

    43d875cc04575ca5bd53bf86ce81082ee848be757da5625e844f7335ffcc7808dd1251e60fded9df564be7e9f9bde42b66b6ccde99b6fd4c8cf7550064df6182

  • SSDEEP

    49152:/r2d6pm/od2TOp/N63fNluPsd3Teg47/OhuGzrI1RgapIqYzC6aQD0+WmQXC/z/:6aErT6/N6PsY0zODzrFapfYzk+Wjgz

  Score

  10^/10

  asyncratdefaultdefense_evasiondiscoveryevasionrattrojan

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Async RAT payload

    rat

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Checks whether UAC is enabled

    evasiontrojan

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2