Extracted

• • Target

    Nova.rar

  • Size

    2.1MB

  • MD5

    50ee1cf21948c6015354e9c1a94ca5db

  • SHA1

    f2f6fb19a2db75d2d5515fd3a20c66eb8f3e6d42

  • SHA256

    8fe639c3cbdcb49a5246f85ce136f14c8c0ad5150c6e38b5eb66eced9d4c4329

  • SHA512

    46c8a6e2818972ec363b5905838e05828a87b10c7991ae5124c485ccf625da0cff4985d675bbda08a9eccf1fc1027c5db0a22f8e99c732f7593f66c68f3654dc

  • SSDEEP

    49152:OWYU2F4Tu9YiDuTnlvraYTi04JIBv1WteMcP+1HFFNFwAAnv4qy+d:ZYLCiDuDluYe0cUwp31bN1Aj

  Score

  10^/10

  asyncratdefaultevasionexecutionpersistenceratupxxmrigminer

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Xmrig family

    xmrig

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Async RAT payload

    rat

  • XMRig Miner payload

    miner

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Creates new service(s)

    persistenceexecution

  • Stops running service(s)

    evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Power Settings

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2