General
Target: beni_test.docx
Size: 37KB
Sample: 250424-jtgyxaxqx7
MD5: a0784159a907f7d18bde916bdd06601d
SHA1: 94ced939d60ec506f2429c2351bd8c114e40fb03
SHA256: e381adb39096ac506b79df588f95d9000f4af02fac26c67473a6141bffbb6ad5
SHA512: 982ff2cfa74536275df68caf30451f24863828618a453b9770f14924ec8972e852faa9234f4f06e75945d48f6038347c6b0d76e05a9c76f92471d160b9689d6d
SSDEEP: 768:oMOCI58J4cAOsR2hiXUyQBs0cuZQLCau+I9hn5X18yrRq1wt:o57rzcwmZQ2II9ht1q1wt
Static task: static1
Behavioral task: behavioral1
Sample: beni_test.docx
Resource: win11-20250410-en
Malware Config
Extracted: asyncrat
0.5.8
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
WNXvOPvDxmVf
delay: 3
install: true
install_file: test.exe
install_folder: %AppData%
Extracted: C:\IxZTrhDEk.README.txt
lockbit
Targets
Target: beni_test.docx (37KB)
Asyncrat family
Lockbit family
Async RAT payload
Renames multiple (702) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
Executes dropped EXE
Drops desktop.ini file(s)
Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v16
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)