asyncrat

General

Target

URFT06GSBAWRP_001_PDF.zip
Size

485KB
Sample

220930-r2nenaegbr
MD5

cafaa060fd7c48f5dd75fd9542062622
SHA1

ee891d615c83b2e3eebdc3e859d975348659ce9f
SHA256

9c3b123bf5be1332f7b3727c8f6c352887437b5329ffc083d0b65833cfe5678c
SHA512

5aa310ed1fb5d5b959ce8a212866859be6ed3ec9bd81dfe47e33c486423402ce2709274098ebc71661622c413c5f9d60d110a29989c8932d1439e92fb5cb052f
SSDEEP

3072:5QBgL8npOntBnNOTUMBF6kI1hCRFukPxHOhTUV7f:5QBg7t7OQkF6dw3KTy7f

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

petersonsherian7.duckdns.org:6739

petersonsherian7.duckdns.org:7301

petersonsherian7.duckdns.org:7808

petersonsherian7.duckdns.org:8333

petersonsherian7.duckdns.org:6112

slpete1533.duckdns.org:6739

slpete1533.duckdns.org:7301

slpete1533.duckdns.org:7808

slpete1533.duckdns.org:8333

slpete1533.duckdns.org:6112

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

C2

resulttoday2.duckdns.org:6111

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  URFT06GSBAWRP_001_PDF/RQK02HVBPO_002_PDF.vbs
- Size
  
  219KB
- MD5
  
  86d9cdbe85e0b345c00063cb59efda75
- SHA1
  
  6990625fff03cdc505a7c9a224c39fb9c1b1ab80
- SHA256
  
  541752eae29c171bb8ab3f5851b6f58ba58035298b8781990998d22cd4982f6e
- SHA512
  
  0f39d5b741cb5fc822f17306537a4659c5ff191f18ef47e18aa3f604eb9d4598f1c01316068285531916a57bd0410b27fd8d44adb3bda41ee691098cd5b1bc2f
- SSDEEP
  
  48:DVK0hbQvuivLvyvTxYvsvuiv7vu2vJR2vFvvvfv1KvFvDv2UfHvrvUvgYvc2vGgu:xKWdUIlVc8WGvXimF
Score

10^/10

asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Async RAT payload
  rat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  URFT06GSBAWRP_001_PDF/URFT06GSBAWRP_001_PDF.exe
- Size
  
  300.0MB
- MD5
  
  464753cd8a6523de0fba921ce6846177
- SHA1
  
  6b3b77af1129f9ad86acc31163d8450eacb4dbd3
- SHA256
  
  3221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092
- SHA512
  
  589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2
- SSDEEP
  
  3072:1iJZ3k2p8jrvVIYkwur2JMBZ6kINhCRFuaABOUEs64BRg40nOFblHTgr4:1OyRr9u1KJkZ6dIYBUeBRgOlWU
Score

10^/10

asyncrat venom clients rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Async RAT payload
  rat
- Executes dropped EXE
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral3 behavioral4