General
-
Target
4acff71261109827fda28799ed22a3e6.rar
-
Size
8KB
-
Sample
241022-2ayreszbjj
-
MD5
4acff71261109827fda28799ed22a3e6
-
SHA1
74b21e1d49f60f953595481557c88b0f15962b4d
-
SHA256
c09f4150d563b4f27fd5939dbcacad7e547b90c527ceec50f1fe477fc4db35ea
-
SHA512
c3e1c4d8f34c3dd33ebf8c10a3415f4beb93d884e021d579e941b3f52494898e790a84ef1767974fb3e23ff10ccf08bd0afb2ae904c16faf421d1cdf8624f001
-
SSDEEP
192:X2plLuEvTz4uphSjrSkrEIFxPLr7XrBKH6+:GfRvHxphSjOkrx/XrBo
Static task
static1
Behavioral task
behavioral1
Sample
NOTIFICACIONES_ACTIVA_EMITIDA_CORREO_SOPORTE_COBROS_563894584748375947934767489367904769840674769038.vbs
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
NOTIFICACIONES_ACTIVA_EMITIDA_CORREO_SOPORTE_COBROS_563894584748375947934767489367904769840674769038.vbs
Resource
win10v2004-20241007-en
Malware Config
Extracted
https://pastebin.com/raw/Adv9gBHa
Extracted
asyncrat
| CRACKED BY https://t.me/xworm_v2
zDefaultREN
deadpoolstart2029.con-ip.com:6090
WinCookies
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
Target
NOTIFICACIONES_ACTIVA_EMITIDA_CORREO_SOPORTE_COBROS_5638945847483759479347674893679047698406747690384674398609409673904698798476948694698968986PDF.vbs
-
Size
8.9MB
-
MD5
199449f2ef2026f61889f3259d30f387
-
SHA1
253f7b5e019ff159b10844d662b9d2b9331acf62
-
SHA256
80ba2478e4695de6db6ee1bed092eab38cc6c4243f3ba6e6a16ca180a68520ed
-
SHA512
9151040021d577a3b76192d128d2c1a3d22ba74cd38ee82662681914fb1d466ac88e40fd592c606f6f84fb36ac13b1dd2ec7091ab07613a1bc3fb0ee9293743a
-
SSDEEP
96:c6G7MI/Gs/iYNRTz3vnqAJ4QrE2zzdRfpb7jhI6QP39g7d5qI:bqyYNRTz3vqyjdRR/jhI6k39e5X
Score
10/10
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
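As an added example that is not part of the sandbox report, the script below turns the indicators the report exposes (the AsyncRAT C2 host and port, the pastebin raw URL behind the "Legitimate hosting services abused" signature, and the two SHA256 hashes) into a handful of matching rules and runs them over constructed Sysmon-style key=value log lines. The log layout, the wscript.exe/cscript.exe list standing in for the "Blocklisted process makes network request" signature, and the rule names are assumptions, not anything the report states.

```python
import ntpath
import re

# Indicators taken from the report above.
C2_HOST = "deadpoolstart2029.con-ip.com"     # asyncrat config, port 6090
C2_PORT = 6090
STAGER_HOST = "pastebin.com"                 # https://pastebin.com/raw/Adv9gBHa
KNOWN_SHA256 = {
    "c09f4150d563b4f27fd5939dbcacad7e547b90c527ceec50f1fe477fc4db35ea",  # the .rar
    "80ba2478e4695de6db6ee1bed092eab38cc6c4243f3ba6e6a16ca180a68520ed",  # the .vbs
}
# Script hosts assumed to be behind "Blocklisted process makes network request".
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# key=value tokens; quoted values may contain spaces (paths under Program Files).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one simplified Sysmon-style key=value line into a dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def match_rules(ev):
    """Return the names of the report-derived rules an event matches."""
    rules = []
    image = ntpath.basename(ev.get("Image", "")).lower()
    host = (ev.get("DestinationHostname") or ev.get("QueryName") or "").lower()
    port = ev.get("DestinationPort")
    if host == C2_HOST:
        # DNS lookups (event 22) carry no port; a connect to 6090 is the stronger hit.
        rules.append("asyncrat_c2_host_port" if port == str(C2_PORT) else "asyncrat_c2_host")
    if image in SCRIPT_HOSTS and ev.get("EventID") == "3":
        rules.append("script_host_network")
    if image in SCRIPT_HOSTS and host == STAGER_HOST:
        rules.append("script_host_pastebin")
    hashes = ev.get("Hash") or ev.get("Hashes") or ""
    if any(h.lower() in KNOWN_SHA256 for h in re.findall(r"SHA256=([0-9A-Fa-f]{64})", hashes)):
        rules.append("known_sample_hash")
    return rules


def scan(log_text):
    """Map 1-based line numbers to the rules they trigger; silent lines are omitted."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            matched = match_rules(parse_event(line))
            if matched:
                hits[n] = matched
    return hits


# Constructed sample events (not real telemetry): a browser download of the
# archive, the script host running a .vbs, its stager fetch, and its C2 traffic.
SAMPLE_LOG = "\n".join([
    r'EventID=15 Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename=C:\Users\victim\Downloads\4acff71261109827fda28799ed22a3e6.rar Hash=SHA256=c09f4150d563b4f27fd5939dbcacad7e547b90c527ceec50f1fe477fc4db35ea',
    r'EventID=1 Image=C:\Windows\System32\wscript.exe CommandLine="wscript.exe C:\Users\victim\Downloads\invoice.vbs" ParentImage=C:\Windows\explorer.exe',
    r'EventID=3 Image=C:\Windows\System32\wscript.exe DestinationHostname=pastebin.com DestinationPort=443',
    r'EventID=22 Image=C:\Windows\System32\wscript.exe QueryName=deadpoolstart2029.con-ip.com QueryResults=203.0.113.10',
    r'EventID=3 Image=C:\Windows\System32\wscript.exe DestinationHostname=deadpoolstart2029.con-ip.com DestinationPort=6090',
    r'EventID=3 Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationHostname=pastebin.com DestinationPort=443',
    r'EventID=3 Image=C:\Windows\System32\svchost.exe DestinationHostname=ctldl.windowsupdate.com DestinationPort=80',
])

if __name__ == "__main__":
    for n, rules in scan(SAMPLE_LOG).items():
        print(n, ", ".join(rules))
```

The pastebin.com domain on its own is deliberately not an indicator: the report's point is that a legitimate hosting service is being abused, so the browser line that reaches pastebin.com stays silent and only the script host's fetch is flagged. The C2 host is matched in both DNS and connect events, with the connect to port 6090 reported as the stronger hit.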