asyncrat | b6f3db88b8c6070f8d31d9c36caa59ac7fbdf99b9eeb741ec3e25c73b23bc822 | Triage

Submit
Reports

Overview

overview

Static

static

251b4cf0.exe

windows7_x64

251b4cf0.exe

windows10-2004_x64

Sharing

General

Target

251b4cf0.exe
Size

250KB
Sample

220120-qqh55aabdr
MD5

0c4d308254cea8285969f26023123a46
SHA1

54ffda34ec3766b837d04b36987c01facf183098
SHA256

b6f3db88b8c6070f8d31d9c36caa59ac7fbdf99b9eeb741ec3e25c73b23bc822
SHA512

8bea7e137f9de38254bf0fe7dbb4d02e4ed1f9ad83be608d0441b8116108ea3a1aa8158aa37a45fdaa38ad9386cbfa50123238deb6afcb03f371df501c36a661

Score

10^/10

asyncrat smokeloader venom clients backdoor persistence rat suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

251b4cf0.exe

Resource

win7-en-20211208

smokeloader backdoor trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

251b4cf0.exe

Resource

win10v2004-en-20220112

asyncrat smokeloader venom clients backdoor persistence rat suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://abpa.at/upload/

http://emaratghajari.com/upload/

http://d7qw.cn/upload/

http://alumik-group.ru/upload/

http://zamkikurgan.ru/upload/

rc4.i32

rc4.i32

Extracted

Family

asyncrat

Version

VenomRAT_HVNC 5.0.4

Botnet

Venom Clients

C2

127.0.0.1:4449

91.92.136.123:4449

Mutex

Venom_RAT_Mutex_Venom_RAT

Attributes

anti_vm
false
bsod
false
delay
0
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Targets

- Target
  
  251b4cf0.exe
- Size
  
  250KB
- MD5
  
  0c4d308254cea8285969f26023123a46
- SHA1
  
  54ffda34ec3766b837d04b36987c01facf183098
- SHA256
  
  b6f3db88b8c6070f8d31d9c36caa59ac7fbdf99b9eeb741ec3e25c73b23bc822
- SHA512
  
  8bea7e137f9de38254bf0fe7dbb4d02e4ed1f9ad83be608d0441b8116108ea3a1aa8158aa37a45fdaa38ad9386cbfa50123238deb6afcb03f371df501c36a661
Score

10^/10

smokeloader backdoor trojan asyncrat venom clients persistence rat suricata
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Async RAT payload
  rat
- Downloads MZ/PE file
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

asyncratsmokeloadervenom clientsbackdoorpersistenceratsuricatatrojan

© 2018-2024

Terms | Privacy