Extracted

• • Target

    support.Client.exe

  • Size

    84KB

  • MD5

    2b85c04408d16bd6e493eb59b87c54f2

  • SHA1

    0c543e947d75e040795227e5e8106897a63f23a8

  • SHA256

    fe4345e927352f9ef225d59bb664aafd838f028c569d074509351899a009e3f4

  • SHA512

    a8474cbd214664abd7fa0ac8fc14fcf3bbd8561d7fbae2339ae92c63490d2247ca76b0c60fde37e16bc17a276e7168baaae172364ac12110534b92810166396d

  • SSDEEP

    1536:bazWlKzJVcNp++yQNS6xNNCT2l8NE8llbpTaCJRpsWr6cdaQTJSvYY27QkPx3S:pFNpo6rIKlUE8fbkqRfbaQlaYY2Lx3S

  Score

  10^/10

  discoveryasyncratzekzekpersistenceprivilege_escalationratspywarestealer

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Downloads MZ/PE file

  • Manipulates Digital Signatures

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory

  behavioral1behavioral2