Extracted

• • Target

    Loader.exe

  • Size

    74KB

  • MD5

    7a545dbf06e65f7f17f04ae0f5153e0e

  • SHA1

    ab20193637edd250eac59fd71b6ea2b7a0faaad4

  • SHA256

    c3556cd1169de28cb9f6ba3a06a875f756b1bbadfb51b7ce00c92f23d2cd4f5d

  • SHA512

    98a56663c90195b0b22df4dcfd72cc4717e445d5eaa2f4571443becbe38a77121835073cbf56377f5cc11849e160dbe9e156fcff8a3fab2efd9aa97a1876d0d1

  • SSDEEP

    1536:wUKUcxoyR1CriPMVzrqVBYgImH1bz/mmB4Qzc2EVclN:wUzcxoyXkiPMVzrqVHH1bz/4QD2Y

  Score

  10^/10

  asyncratdefaultdiscoveryevasionexecutionpersistencerattrojan

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Async RAT payload

    rat

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext

  behavioral1