General

Target: 2505_AIMr.exe_obf.zip
Size: 7.8MB
Sample: 241223-wsg9hawrhs
MD5: eb2284f1d4b0c80a4af120bf08805d9d
SHA1: 5e396d73217368604e9c4fbb26885be3a0fc2516
SHA256: 2f8c83e9e893db21cc705847f9716706c34f714de4a28006d3fc83c3b8e5a56c
SHA512: 96edbb42f8aa95871d61e1fde718caf0f90da4e201afa7cce88d658979c193ac85c7fa92b9d3b218874f67262a7ea757b27f1c013ff3418b97fa01ceef67844d
SSDEEP: 196608:1wpzUSmk48xc1N+lyafUoE/ML7YfVoNcYkR100cr5m:10WX1AevU3cAbkReU
Static task: static1

Behavioral task: behavioral1
Sample: 4971_output.exe
Resource: win10v2004-20241007-en

Behavioral task: behavioral2
Sample: 4971_output.exe
Resource: win10ltsc2021-20241211-en
Malware Config

Extracted family: asyncrat
Version: 0.5.8
Botnet: Default
C2: jt8iyre.localto.net:2101
C2: jt8iyre.localto.net:55644
Mutex: AbAUwI3PK3e3
(The "Botnet" and "Mutex" labels were not preserved in the extraction; they are restored here from the position of those two values in the sandbox's standard AsyncRAT config layout.)

Attributes:
delay: 3
install: false
install_file: winserve.exe
install_folder: %AppData%
(With install set to false, the sample as configured does not copy itself to %AppData%\winserve.exe; the install_file and install_folder values are still useful indicators for other builds from the same configuration.)
Targets

Target: 4971_output.exe
Size: 10.9MB
MD5: 3081ad9d2fb1f02a8cddd261ed95c27a
SHA1: 06d417baa8a51b0ce5abda41585ec5bd1387df01
SHA256: 78c7160b3deab315fa79208f9f144f59cb25001cac18354b11050393c8bf9675
SHA512: 60baba1096d8efd05ec911e737ee5ede8e844266c23eb12a00bd1ce003ae53539dcf1378990790150f0a14a92fe32be17d3772659d0acaede2593c5572b7a23b
SSDEEP: 49152:HcrQofT6qeSsPJhDx8IhdyFNOPHf0fR0K049XwIVhaT6hAp1uMmRgDidZL4mb8F2:8rIqeSsP

- Asyncrat family
- Async RAT payload
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
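The extracted config and the target hashes above are the indicators a defender would take from this report. The block below is an added example, not code from the sandbox or from AsyncRAT: it turns those values into a small matcher and runs it over constructed Sysmon-style events. Two things in it are assumptions rather than facts from the page: that localto.net is a public tunnelling service (so other subdomains of it merit a lower-severity hit), and that the "Checks computer location settings" signature corresponds to a read of the registry's Geo\Nation value, which the page does not name. The event records are constructed for illustration, not captured from the sandbox run.

```python
"""IOC sweep built from the sandbox report's extracted AsyncRAT config.

Added example for this page, not code from the sandbox or from AsyncRAT.
Event records in EVENTS are constructed to look like Sysmon-style telemetry;
they are not captures from the sandbox run.
"""
import hashlib
from typing import Dict, List, Tuple

# Indicators copied from the report: C2 host/ports, install settings, payload hash.
C2_HOSTS = {"jt8iyre.localto.net"}
C2_PORTS = {2101, 55644}
INSTALL_FILE = "winserve.exe"  # install_file; note install=false in this config
PAYLOAD_SHA256 = "78c7160b3deab315fa79208f9f144f59cb25001cac18354b11050393c8bf9675"

# Assumption (not stated on the page): localto.net is a public tunnelling
# service, so any other subdomain of it deserves a lower-severity hit.
TUNNEL_PARENTS = {"localto.net"}

# Assumption: the "Checks computer location settings" signature corresponds to a
# read of the Geo\Nation registry value; the page names no registry path.
GEO_NATION_SUFFIX = "\\control panel\\international\\geo\\nation"


def parent_domain(host: str) -> str:
    """Return the last two labels of a hostname (good enough for this sweep)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_hits(host: str) -> List[str]:
    """Exact C2 host beats the tunnelling-parent heuristic."""
    host = host.lower().rstrip(".")
    if host in C2_HOSTS:
        return ["c2_host"]
    if parent_domain(host) in TUNNEL_PARENTS:
        return ["tunnel_service_parent"]
    return []


def match_event(ev: Dict) -> List[str]:
    """Return the IOC labels one telemetry event matches (empty if none)."""
    kind = ev.get("event")
    hits: List[str] = []
    if kind == "dns_query":
        hits += host_hits(ev.get("query", ""))
    elif kind == "network_connect":
        hits += host_hits(ev.get("dest_host", ""))
        # Port alone is too noisy; only count it on top of a host hit.
        if hits and ev.get("dest_port") in C2_PORTS:
            hits.append("c2_port")
    elif kind == "file_create":
        lowered = ev.get("target", "").lower()
        # Split on backslash by hand so this works on non-Windows hosts too.
        if lowered.rsplit("\\", 1)[-1] == INSTALL_FILE and "\\appdata\\roaming\\" in lowered:
            hits.append("install_file")
    elif kind == "process_create":
        if ev.get("sha256", "").lower() == PAYLOAD_SHA256:
            hits.append("payload_hash")
    elif kind == "registry_read":
        if ev.get("key", "").lower().endswith(GEO_NATION_SUFFIX):
            hits.append("geo_nation_lookup")
    return hits


def sweep(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Run match_event over a list of events; keep only the ones that hit."""
    out = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            out.append((i, hits))
    return out


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_payload(data: bytes) -> bool:
    """True if the bytes hash to the report's 4971_output.exe SHA256."""
    return sha256_hex(data) == PAYLOAD_SHA256


# Constructed events (not sandbox output).
EVENTS = [
    {"event": "dns_query", "query": "jt8iyre.localto.net"},
    {"event": "network_connect", "dest_host": "jt8iyre.localto.net", "dest_port": 2101},
    {"event": "network_connect", "dest_host": "other.localto.net", "dest_port": 443},
    {"event": "file_create", "target": "C:\\Users\\u\\AppData\\Roaming\\winserve.exe"},
    {"event": "process_create", "image": "C:\\Users\\u\\4971_output.exe", "sha256": PAYLOAD_SHA256},
    {"event": "registry_read", "key": "HKCU\\Control Panel\\International\\Geo\\Nation"},
    {"event": "dns_query", "query": "update.microsoft.com"},
]

if __name__ == "__main__":
    for idx, labels in sweep(EVENTS):
        print(idx, EVENTS[idx]["event"], labels)
```

The port check is deliberately gated on a host hit: 2101 and 55644 are ordinary high ports and matching them on their own across a fleet would drown the one real signal. The install_file rule is kept even though this config has install set to false, because the same builder settings appear in sibling builds where installation is on.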