General

  • Target

    RFQ_ORDER484425083-NJQ.exe

  • Size

    832KB

  • Sample

    220124-q67tesehc8

  • MD5

    9e83077fd628fefd80f9abcdc025e648

  • SHA1

    faaeb0ce7ee4e268b699ebd57d3af36c8c20cee4

  • SHA256

    70cd7f8c5818b4bbec9b33b3518736bd0627d8e92570c015dd630a461d074262

  • SHA512

    943fb244cc8e5fc96fc19e5734ce32803e7f2f1c006eb372336db2fc4b5ac112972f468c24605e004f6d04ed27f035253e7b43fb49ea449140dff87c63b79916

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    VenomRAT 5.0.3

  • Botnet

    Venom Clients

  • C2

    194.5.98.120:4449

  • Mutex

    Venom_RAT_Mutex_Venom_RAT

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    0

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Targets

    • Target

      RFQ_ORDER484425083-NJQ.exe


    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Windows security bypass

    • Async RAT payload

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic           Technique                            Count  ID
Persistence      Account Manipulation                 1      T1098
Persistence      Registry Run Keys / Startup Folder   1      T1060
Defense Evasion  Disabling Security Tools             2      T1089
Defense Evasion  Modify Registry                      3      T1112
Discovery        Query Registry                       1      T1012
Discovery        System Information Discovery         2      T1082

Tasks