Resubmissions

  • 30-09-2022 14:36  220930-ryr9faegar  10
  • 30-09-2022 14:33  220930-rwy9zadgh5  1

General

  • Target: URFT06GSBAWRP_001_PDF.html
  • Size: 198B
  • Sample: 220930-ryr9faegar
  • MD5: 497443cc310648bda5f2a737147b8e7e
  • SHA1: 8b97df0f61c01d75dcc8c47f3a147f24a81538b9
  • SHA256: 22670bbf031cb76a3d98d4fe13e60fa0412401f4b40bc94e186048ddbf63ac26
  • SHA512: bf19a9c3c6f3a0a118d3f425f00308b2478c1f11eb0ae9028a5c1891e1b71276aaae3b9eb8f6750df8345378820d69046563ceb94963e64ca8776e05d9cad641

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
      • ps1.dropper: http://20.7.14.99/dll/dll_ink.pdf

Extracted

  • Family: asyncrat
  • Version: 0.5.7B
  • Botnet: Default
  • C2


  • Mutex: AsyncMutex_6SI8OkPnk
  • Attributes
      • delay: 3
      • install: false
      • install_folder: %AppData%
  • aes.plain

Extracted

  • Family: asyncrat
  • Version: Venom RAT 5.0.5
  • Botnet: Venom Clients
  • C2: resulttoday2.duckdns.org:6111
  • Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
  • Attributes
      • delay: 1
      • install: false
      • install_folder: %AppData%
  • aes.plain

Targets

    • Target: URFT06GSBAWRP_001_PDF.html


    • AsyncRat: AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
      • Scripting: T1064 (1)
      • Scheduled Task: T1053 (1)
  • Persistence
      • Scheduled Task: T1053 (1)
  • Privilege Escalation
      • Scheduled Task: T1053 (1)
  • Defense Evasion
      • Scripting: T1064 (1)
      • Modify Registry: T1112 (2)
  • Discovery
      • Query Registry: T1012 (1)
      • System Information Discovery: T1082 (2)
