General
-
Target
losslessscaling.iso
-
Size
15.1MB
-
Sample
250226-q3aphs1qw7
-
MD5
d769ef9f13a704af959919fd3db3c828
-
SHA1
882f2d6fd493ba89d857d6a13d13a447d073add1
-
SHA256
736bea879e986c36afb173d9572975ce3206645e63002690912c3a9c9236d05b
-
SHA512
fe7d44c9f5e06de575888d0b2fa1cbe89095a7cc529e86010bcc71ad2d53aa783a738f43ff1c9cece68867b6911b83bd8f67e03b797804a4feeba59f2539cff3
-
SSDEEP
196608:1lTQNjs8j9B3v1FXXSQNLs8j9B3v1FXX:1lTg3THS43TH
Malware Config
Extracted
http://filegit.com/files/bat
http://filegit.com/files/nircmd
Extracted
asyncrat
A 14
Default
mlwoe.gleeze.com:403
polgen.kozow.com:403
polgen.linkpc.net:403
MaterxMutex_Egypt403
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
Registration (Crack)/Crack.bat
-
Size
2KB
-
MD5
e90e30e3c6697d870286c1a6831a135b
-
SHA1
1fa1f0d27f23fe364a2e0c198687ff3362d467fd
-
SHA256
b08aaa0b0319c50f5614419752f4c45fa30b5e48137018e009672791447f4e6f
-
SHA512
7feff998c5c7cf4e1cffbf8e654363168b10cd6b942116cb7ab04407ee0e3b40c523d5a273ce984a30ce7fdfb308a43e8ed41f7f3862faa0b25c083dd940ecb6
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
UAC bypass
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Suspicious use of SetThreadContext
-
-
-
Target
Registration (Crack)/language/en-US/Devn.exe
-
Size
7KB
-
MD5
857f8a07b6c9ad9bd3bb6e4c047fee45
-
SHA1
c2ded9a18bdb6cd2842db08354600a97cf90e032
-
SHA256
7083023d5ba4768a6398a92dfc6f8a7556efbeafb6a4d60347aea0f69b2e89af
-
SHA512
bbd176d8b6b46aa70a323e506a7d6ce671d14b79fc344cb0c4c8433ab761c9a7f6d2feed247276cda5503b6be529bd2e57c040a177725cc6ae7c100d76285e1f
-
SSDEEP
96:zv+Hdw2i7bAJZ932+dzw+xRKGm+fa1j9pEvvkfPXI0zNt:UeAJZZ2Iw0Rjda1jsvv0PXI+
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
-
-
Target
Registration (Crack)/language/en-US/HKCU.ps1
-
Size
451B
-
MD5
61784c5b761fd222f9fc4cd0aad1ce94
-
SHA1
ede36fbb733f67c2059dd9e6744f5a58913c139b
-
SHA256
c3b21f00fb1451aae184e534311bd368b5677b61da75e52df7c9dbad7bcf5be0
-
SHA512
76eeb2c26f0b36e56ac85b551410104ed3f5ca73a814af486f87ee213e86d57750a5c1546c77b49954f42aff9af631eca78de2e6cfa7dc8f700a7d06c16a023f
Score6/10-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
-
-
Target
Registration (Crack)/language/en-US/Lan.vbs
-
Size
432B
-
MD5
49af07d132592c9a62eaaef421e3e589
-
SHA1
cb7cc0a4a492dba5773506e816467975cabdc227
-
SHA256
487985d63734cd4828eaf03284e0d1d2fa684afc2d46da489c99d498f31a83ab
-
SHA512
7525522f2b648aaf94e52fd1c1787931c11ca03e656ccbcca5879d6132d383aa40228256cbf93d0e7741f0003de6fe94ca537151a2162d33c077943b90fe5908
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
Registration (Crack)/language/en-US/RAR.exe
-
Size
629KB
-
MD5
d3e9f98155c0faab869ccc74fb5e8a1e
-
SHA1
8e4feaad1d43306fdd8aa66efa443bca7afde710
-
SHA256
3e0fdb5c40336482dacef3496116053d7772a51720900141b3c6f35c6e9b351b
-
SHA512
2760c139ef276f406770675d89fb667f3369a9e1943a6eff2c18f391114018ad6fdce9daf0b499b18081ef22243ef04d74ff21cbd346eb31a1ddbcb79756697d
-
SSDEEP
12288:BAUCA29m2PltZB6Tpc3lrf8Z+insP8q8wjwNAxwy3NjF:iA29vPl7EteZftis2wcN+/3NjF
Score3/10 -
-
-
Target
Registration (Crack)/language/en-US/RU.dll
-
Size
327B
-
MD5
83bf9ba8becac139cb05c1ab68468e62
-
SHA1
8fab7c51fb2a340af6ed6cd03e1c546479e14239
-
SHA256
7bfd69bdd83904d39a4e09c55fe6e380f027a2f13593c167acf92160bb9cf125
-
SHA512
b3f19d613db7067cfc87c6c7e341f189c99fe1849ee67f18b4b63d65b6299612cd1c935fb713f274dfaf837b5dee17bde20f04e8682f85d75f42b1838ee04f04
Score3/10 -
-
-
Target
Registration (Crack)/language/en-US/UK.dll
-
Size
5KB
-
MD5
b573eb820a0233acba7b6e33d1d8ed28
-
SHA1
81b96b594ff7f1c9e607ff712e78be821e60c491
-
SHA256
919c8006bcf5c03ac8b4d83dfc824e4f918a6d3d2fcabd6bd905494ec79513ae
-
SHA512
9d19d1042e82d064fb8d019b0af8c9fd9ddb931dda702998226c0df7ee7bc6c9c0c7b501c09637fccf0a8a9407ae4f7ec8a6f7afd3162236f7b244d3bd105b4d
-
SSDEEP
96:H3wOoP426GKP9+NZ+5wmhmXhHmd3z/9hMoP426j:H3wTwpHVwZ+0SRhxwpj
Score10/10-
UAC bypass
-
-
-
Target
Registration (Crack)/language/en-US/Win.ps1
-
Size
6KB
-
MD5
c17ff3fc676cc3831caf77b9d29c028b
-
SHA1
587a424213854dff3a6192e84ae820b9222f707f
-
SHA256
ff5df2563ec6aceb0649b9be8a7326b2c6b48bd4f22e8238fc33fcba38a50498
-
SHA512
efc6d80fe5b6f7f85189c3530797783292ad920ae2e384641da4e1a268d7668af681a8dfb878b8e31977fbd38893f2c84c61b55b72578a1236dd58e96ce7e138
-
SSDEEP
96:g6HwOoP426SoP426bKP9+NZ+5cmhmXhHmd+z/9hHoP426Fw:g6HwTwpXwpOVwZ+USmhIwpFw
Score10/10-
UAC bypass
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
Registration (Crack)/language/uk-UA/Lan.vbs
-
Size
432B
-
MD5
49af07d132592c9a62eaaef421e3e589
-
SHA1
cb7cc0a4a492dba5773506e816467975cabdc227
-
SHA256
487985d63734cd4828eaf03284e0d1d2fa684afc2d46da489c99d498f31a83ab
-
SHA512
7525522f2b648aaf94e52fd1c1787931c11ca03e656ccbcca5879d6132d383aa40228256cbf93d0e7741f0003de6fe94ca537151a2162d33c077943b90fe5908
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
Registration (Crack)/language/uk-UA/Lossless.dll
-
Size
4.3MB
-
MD5
7969a2cbc4c31ccfb1ab8213f19501b9
-
SHA1
06a24af6e922ba2cd7fccb76ce2f43271a9af8b6
-
SHA256
486a48562504a274e984599a5931de200ea73bf6bc4c83bf6ca8daa651e80a68
-
SHA512
935988a39c1af479e971850f6758ee94098b35f173da609206312deeabeb3bc9466f93d1dad4e6d7938235f65fc52fdbd56058d46c1ba775d31718358eb6d8fa
-
SSDEEP
24576:lZtIcM0Gpls8jl9vLFR/cGRgPEuZIiZ8ay7R5vZf7gjxPWwf:re0Gbs8jsGBM4l7R5vZjUWw
Score1/10 -
-
-
Target
Registration (Crack)/language/uk-UA/LosslessScaling.exe
-
Size
953KB
-
MD5
2c98d33096e97094cbbbd19f27f40883
-
SHA1
7e28af9d119d2658f962e3b28140c6081be1612b
-
SHA256
010ac1120a88a772e87d9e9018aa5db034a9bac9399803d4a7c4db3c47a71df6
-
SHA512
f9070ad6b2e3295fdde13aa8d7486147a7f9a675a924ad3bf117479baf5b573cf92650199e58378dd8345a28ab890bbd5021d374030c24836bfa65bb037dddc7
-
SSDEEP
12288:ApDJEDS4MCLSyf6mOuGyW38yHJc+CKtOaO5Z7WhawnzE4ZbuRCwmhI2J+0sDgwl1:btMCLPf1Oi32OvzGo4ZiRlT/sN0
Score3/10 -
-
-
Target
Registration (Crack)/language/uk-UA/ar/LosslessScaling.resources.dll
-
Size
24KB
-
MD5
ed6f1b887abd06c83ecb9c6ad4b6ddae
-
SHA1
595f4748ee9f088d6c87281ba822c2e023cea9f2
-
SHA256
e078d3fe1e5c3ef3ae5a22da414b33d29c3ae335397fd699a35f0b767e20ab29
-
SHA512
c16bb876c0c6bf5f016a476649c4f99aa7a8679fbc7d356f33d13b65667878369a8aeadd010f828650385ce7783226505219a3b6adba22e33cbf30bcb706fcd0
-
SSDEEP
384:As9chlOF09DRNWxSZD0JxNcwmxxyYThlSzIxvuDv0GWOfRt+Watm:YOm9DeaAJz7mx0YThleIvEhfRtdaA
Score1/10 -
-
-
Target
Registration (Crack)/language/uk-UA/bg/LosslessScaling.resources.dll
-
Size
25KB
-
MD5
82deb57274920ad713665b7ecdd1f1b4
-
SHA1
b3518aefb76fcf435cc2685dcbeb8aba46b29a04
-
SHA256
2b62df6f0d46492562a7f2cb04e45c429e09fcbe76fb2faf7e275cbe29101ca3
-
SHA512
1539f43d7d5333bd52c52b5b617aed69fcd1fa6a9b6e6ba07f0c09507c388eb6d9781d8de413fa3910f3177233346d4bdc8e4d53ba7e04e1862607c41924fc95
-
SSDEEP
384:dQ4yQrLDnD4mIfp7plw4ha09cQQdd6wjrQMYMUm:2QHDnD4mip7vwH0R46rMYMP
Score1/10 -
-
-
Target
Registration (Crack)/language/uk-UA/cs/LosslessScaling.resources.dll
-
Size
20KB
-
MD5
0009b54449d6ee8d723be5266cb96c32
-
SHA1
53162779acc73b9a0cfb53a7b5b5917664958073
-
SHA256
6f4cd5d91edee8dbc547a6f914f1441c5a55d559b784893a98b9ab3a1c96ee62
-
SHA512
2e94a4a54cc2aad1df5be548722bc7d8266d60cde55e8187994f203474518d1faf66ae61ef3a19dc14c11b001038df6339ad3e8cb428faf3726c54086b0e0050
-
SSDEEP
192:u/sZD9SrXqkOK93VPfYFXh9uuTP17gw92v3DSRKMmhL14DArCwVQSScHoR1J0o9K:Qs98qZhgkCTSRKPVaDLjfZRT1bFm
Score1/10 -
-
-
Target
Registration (Crack)/language/uk-UA/de/LosslessScaling.resources.dll
-
Size
18KB
-
MD5
bea43c84cdc466ddea1398d4026c3ef9
-
SHA1
737b176c58d870acb9383b11c8d553c064ec2aff
-
SHA256
7bdb17bfa2e73143efcd5bdaf089a2127c6175daf0ced23c9c4102011d09a89a
-
SHA512
b9bbf206baef969d3960e9fa56b7edc320351698f66893dfa42897a7350e4e9d575e8cc4205ae28f2b8946d0f7f48fa2a550a30e7454423ec9d3812f5cb026e3
-
SSDEEP
192:x/gqOfbbfga5oP2jk8AieIAcL+Xkd10VN0gGgPGqMyXsfCOY/VRiiCEaLKWrYkQs:RgNkEjGIAcL+XkAiqhsqOs7T6LQyzYm
Score1/10 -
-
-
Target
Registration (Crack)/language/uk-UA/es-ES/LosslessScaling.resources.dll
-
Size
20KB
-
MD5
f6dd78c7f97a469c75152ec53d79bf8d
-
SHA1
d96ce434f64b8a52475a91ddf6dc7c8086e38869
-
SHA256
8f0222d248a18119d84822a851fbfd0d844e6cf58642e5132d96e3c75940ebf7
-
SHA512
dc5c86a2182f591ba0fe1807138a05fb8bdbe6a0e1bcac43e3101f150bb2bd5c8132f201c5607e367436be9a9ba10e55db3e0084a359149e7f345ae5dfdd836b
-
SSDEEP
192:LQ/XQFsZ7giyU3qLQVCxSaqu7XBRD6pzIABGwB93Mi7UB+4cj4UBd1ejxKgz6:LQ4FsOQVKHv7XvD6xtf8i7o5cjFRzgm
Score1/10 -
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
4PowerShell
3Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1