General

  • Target

    URFT06GSBAWRP_001_PDF.zip

  • Size

    485KB

  • Sample

    220930-r2nenaegbr

  • MD5

    cafaa060fd7c48f5dd75fd9542062622

  • SHA1

    ee891d615c83b2e3eebdc3e859d975348659ce9f

  • SHA256

    9c3b123bf5be1332f7b3727c8f6c352887437b5329ffc083d0b65833cfe5678c

  • SHA512

    5aa310ed1fb5d5b959ce8a212866859be6ed3ec9bd81dfe47e33c486423402ce2709274098ebc71661622c413c5f9d60d110a29989c8932d1439e92fb5cb052f

Malware Config

Extracted

Language ps1
Deobfuscated
URLs
ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

petersonsherian7.duckdns.org:6739

petersonsherian7.duckdns.org:7301

petersonsherian7.duckdns.org:7808

petersonsherian7.duckdns.org:8333

petersonsherian7.duckdns.org:6112

slpete1533.duckdns.org:6739

slpete1533.duckdns.org:7301

slpete1533.duckdns.org:7808

slpete1533.duckdns.org:8333

slpete1533.duckdns.org:6112

Attributes
delay
3
install
false
install_folder
%AppData%
aes.plain

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

C2

resulttoday2.duckdns.org:6111

Attributes
delay
1
install
false
install_folder
%AppData%
aes.plain

Targets

    • Target

      URFT06GSBAWRP_001_PDF/RQK02HVBPO_002_PDF.vbs

    • Size

      219KB

    • MD5

      86d9cdbe85e0b345c00063cb59efda75

    • SHA1

      6990625fff03cdc505a7c9a224c39fb9c1b1ab80

    • SHA256

      541752eae29c171bb8ab3f5851b6f58ba58035298b8781990998d22cd4982f6e

    • SHA512

      0f39d5b741cb5fc822f17306537a4659c5ff191f18ef47e18aa3f604eb9d4598f1c01316068285531916a57bd0410b27fd8d44adb3bda41ee691098cd5b1bc2f

    Score
    10/10
    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Suspicious use of SetThreadContext

    • Target

      URFT06GSBAWRP_001_PDF/URFT06GSBAWRP_001_PDF.exe

    • Size

      300MB

    • MD5

      464753cd8a6523de0fba921ce6846177

    • SHA1

      6b3b77af1129f9ad86acc31163d8450eacb4dbd3

    • SHA256

      3221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092

    • SHA512

      589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                  Privilege Escalation