Extracted

• • Target

    woofer.exe

  • Size

    63KB

  • MD5

    e15497d7443c2dee4cf4ae3bbbc344f9

  • SHA1

    ed863f95cf9701ccde2db4119d65aa1bf1060b54

  • SHA256

    aca0856176e5bdbe4e93fb853855fe20b8317942910b5ac97b200575f0862fa9

  • SHA512

    1c6dedcbfc88ec03a8b6a7031e10381ec26eba0df7083a636555b28a752792c72774d5add0378e944f1d646d5abf7e328f57c19fe1ede5d87f04cad3b0f2ec5e

  • SSDEEP

    768:Z951Fn3n9P78zQC8A+XvdvnOLJk7074EhfW1+T4OSBGHmDbDfphKoX55anSuMdph:RX9x6k7ScZYUbVhj5TuMdpqKmY7

  Score

  10^/10

  asyncratdefaultratstealeriumcollectioncredential_accessdiscoverypersistenceprivilege_escalationransomwarespywarestealer

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

    stealerstealerium

  • Stealerium family

    stealerium

  • Async RAT payload

    rat

  • Renames multiple (3191) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1behavioral2