General
Target: Lana_Rhoades_Photoos.zip
Size: 1.9MB
Sample: 241028-cfdk1ayarp
MD5: aaac1d8a5866626d21a15cc8473abdbc
SHA1: 4558b9b274de81bf5662d51741b552a09b9b5f98
SHA256: 6453d1e7bccbd170145d8565525fffd2f9d6f824dadbb91bc3d40e85ac75eca2
SHA512: c6a73ace2f4c51c29971a575509bea56ac5b01432acc99e218197e64ce88765d7d3944080a3c114a570b3ed8efe0040368bc64b7a028704a9267434aa93744f3
SSDEEP: 49152:L3xaSpB8fn07tugzUlQFPglLM9kdnZFeHNsnWPZyp/7:L3UWB8v05UvlA9kJZFetJhW/7
Static task
static1
Behavioral task
behavioral1
Sample: '''.exe
Resource: win7-20240903-en
Behavioral task
behavioral2
Sample: '''.exe
Resource: win10v2004-20241007-en
Behavioral task
behavioral3
Sample: Lana_Rhoades_Photoos.js
Resource: win7-20240903-en
Malware Config
Extracted
URLs: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: CEZER
C2: 148.113.165.11:3236
Mutex: eqwe2131ewqeqwe
Attributes
delay: 1
install: false
install_folder: %AppData%
Targets
Target: '''
Size: 2.0MB
MD5: 60b42e43178ad0ed1484e4afef56e740
SHA1: 45d484903388cd149f9e2e5afbfe247c90a00031
SHA256: ed0cc4ec1b8de4c0e315f3caa855892f7ace7cccd3b8e98c7589316ef9fd1972
SHA512: 1d397050fe7969993404ee0313ee071ec6a5bd316a40210c72404600057b9a7cca2c78302d28e9f576a42c74ddfec37856b7188c7dd64d173afce043d9b2bc7f
SSDEEP: 49152:4VAbwcf0qplQ9rQ7JC+zQlQTLw9Lqb4tBr9mPrIdq1AT2v:0Aa+lQp85Q59mb47r9mDLm2v
Signatures
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.

Target: Lana_Rhoades_Photoos.js
Size: 548KB
MD5: ae498935d8a61b3008bd9393a2306dec
SHA1: b1858655d705e14c01cec8d008c3f3db0a09807b
SHA256: 401f183d5553d4f01ff3a4df33524f39faa6138f40afb570300ae41ca31efc08
SHA512: 8d9830e5ff3f09099ac1e1af2a585cad2a2ad287b75117741d5f940dc2dd934e7046d17881c93b0398917d1f42a9208ab17bede62a594b1a12997d2bba660a8b
SSDEEP: 3072:0F8F8F8F8F8F8F8F8F8F8F8F8F8FjFoFoFoFoFoFoFoFoFoFoFoFoFoFoFoFoFod:X7HlvYPobr777lvrFI
Signatures
- Asyncrat family
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
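Added example, not part of the sandbox report above: a small matcher that turns the indicators the report publishes (the MD5/SHA1/SHA256 values of the three files, the AsyncRAT C2 socket and mutex, and the Google Drive staging URL) into checks a responder can run over local telemetry. The log lines and their field names are constructed for illustration and are an assumption, not any real product's log format; reading "eqwe2131ewqeqwe" as the AsyncRAT mutex follows the usual layout of an extracted AsyncRAT config and is likewise an assumption.

```python
# Added example; not code from the report or from the sample. Matches the
# report's indicators against constructed telemetry. Log field names are an
# assumption, not a real log format.
import hashlib
import re
from typing import List, Optional, Tuple

# MD5, SHA1 and SHA256 values copied from the report, keyed to the target name.
HASH_IOCS = {
    "aaac1d8a5866626d21a15cc8473abdbc": "Lana_Rhoades_Photoos.zip",
    "4558b9b274de81bf5662d51741b552a09b9b5f98": "Lana_Rhoades_Photoos.zip",
    "6453d1e7bccbd170145d8565525fffd2f9d6f824dadbb91bc3d40e85ac75eca2": "Lana_Rhoades_Photoos.zip",
    "60b42e43178ad0ed1484e4afef56e740": "'''.exe",
    "45d484903388cd149f9e2e5afbfe247c90a00031": "'''.exe",
    "ed0cc4ec1b8de4c0e315f3caa855892f7ace7cccd3b8e98c7589316ef9fd1972": "'''.exe",
    "ae498935d8a61b3008bd9393a2306dec": "Lana_Rhoades_Photoos.js",
    "b1858655d705e14c01cec8d008c3f3db0a09807b": "Lana_Rhoades_Photoos.js",
    "401f183d5553d4f01ff3a4df33524f39faa6138f40afb570300ae41ca31efc08": "Lana_Rhoades_Photoos.js",
}

# AsyncRAT configuration values from the report (mutex label is an assumption).
C2_SOCKETS = {("148.113.165.11", 3236)}
MUTEX_NAMES = {"eqwe2131ewqeqwe"}
# Google Drive link the JavaScript stage downloads the payload from.
STAGING_URLS = {
    "https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur",
}


def file_digests(data: bytes) -> dict:
    """Compute the digest types the report lists for a file's raw bytes."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def lookup_digest(hexdigest: str) -> Optional[str]:
    """Map any listed MD5/SHA1/SHA256 value to the report's target name."""
    return HASH_IOCS.get(hexdigest.lower())


def identify_file(data: bytes) -> Optional[str]:
    """Hash raw file bytes and return the matching target name, if any."""
    for digest in file_digests(data).values():
        name = lookup_digest(digest)
        if name:
            return name
    return None


# Constructed line shapes: NET (connection), MUTEX (object creation), HTTP (URL).
NET_RE = re.compile(r"^NET\b.*\bdst=(\S+)\s+dport=(\d+)")
MUTEX_RE = re.compile(r"^MUTEX\b.*\bname=(\S+)")
HTTP_RE = re.compile(r"^HTTP\b.*\burl=(\S+)")


def scan_telemetry(lines) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for every line that matches an indicator."""
    hits = []
    for raw in lines:
        line = raw.strip()
        m = NET_RE.match(line)
        if m:
            if (m.group(1), int(m.group(2))) in C2_SOCKETS:
                hits.append(("asyncrat_c2", line))
            continue
        m = MUTEX_RE.match(line)
        if m:
            # Kernel object names carry a namespace prefix; compare only the leaf.
            if m.group(1).rsplit("\\", 1)[-1] in MUTEX_NAMES:
                hits.append(("asyncrat_mutex", line))
            continue
        m = HTTP_RE.match(line)
        if m and m.group(1) in STAGING_URLS:
            hits.append(("drive_staging_url", line))
    return hits


# Constructed telemetry: two benign lines and three that should fire.
SAMPLE_LOG = [
    r"NET pid=4120 src=10.0.0.5 dst=142.250.74.46 dport=443",
    r"HTTP pid=4120 url=https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur",
    r"NET pid=4120 src=10.0.0.5 dst=148.113.165.11 dport=3236",
    r"MUTEX pid=4120 name=\Sessions\1\BaseNamedObjects\eqwe2131ewqeqwe",
    r"MUTEX pid=612 name=\BaseNamedObjects\Global\SomethingBenign",
]


def run_example() -> List[str]:
    """Names of the rules that fire on SAMPLE_LOG, in log order."""
    return [rule for rule, _ in scan_telemetry(SAMPLE_LOG)]


if __name__ == "__main__":
    for rule, line in scan_telemetry(SAMPLE_LOG):
        print(f"{rule}: {line}")
    print(identify_file(b"MZ\x90\x00"))  # not one of the reported files
```

The mutex check compares only the leaf of the object name because Windows reports mutexes under a session or Global namespace prefix, so an exact match on the bare config value would miss real events. Hash matching accepts whichever digest a tool happens to emit, since the report lists MD5, SHA1 and SHA256 for each file; SHA512 is computed for completeness but the report's values are not included in the lookup table.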