General

  • Target

    URFT06GSBAWRP_001_PDF.html

  • Size

    198B

  • Sample

    220930-ryr9faegar

  • MD5

    497443cc310648bda5f2a737147b8e7e

  • SHA1

    8b97df0f61c01d75dcc8c47f3a147f24a81538b9

  • SHA256

    22670bbf031cb76a3d98d4fe13e60fa0412401f4b40bc94e186048ddbf63ac26

  • SHA512

    bf19a9c3c6f3a0a118d3f425f00308b2478c1f11eb0ae9028a5c1891e1b71276aaae3b9eb8f6750df8345378820d69046563ceb94963e64ca8776e05d9cad641

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: http://20.7.14.99/dll/dll_ink.pdf

Extracted

  • Family

    asyncrat

  • Version

    0.5.7B

  • Botnet

    Default

  • C2

    petersonsherian7.duckdns.org:6739
    petersonsherian7.duckdns.org:7301
    petersonsherian7.duckdns.org:7808
    petersonsherian7.duckdns.org:8333
    petersonsherian7.duckdns.org:6112
    slpete1533.duckdns.org:6739
    slpete1533.duckdns.org:7301
    slpete1533.duckdns.org:7808
    slpete1533.duckdns.org:8333
    slpete1533.duckdns.org:6112

  • Attributes

    delay: 3
    install: false
    install_folder: %AppData%
    aes.plain

Extracted

  • Family

    asyncrat

  • Version

    Venom RAT 5.0.5

  • Botnet

    Venom Clients

  • C2

    resulttoday2.duckdns.org:6111

  • Attributes

    delay: 1
    install: false
    install_folder: %AppData%
    aes.plain

Targets

    • Target

      URFT06GSBAWRP_001_PDF.html

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation