General
Target: URFT06GSBAWRP_001_PDF.html
Size: 198B
Sample: 220930-ryr9faegar
MD5: 497443cc310648bda5f2a737147b8e7e
SHA1: 8b97df0f61c01d75dcc8c47f3a147f24a81538b9
SHA256: 22670bbf031cb76a3d98d4fe13e60fa0412401f4b40bc94e186048ddbf63ac26
SHA512: bf19a9c3c6f3a0a118d3f425f00308b2478c1f11eb0ae9028a5c1891e1b71276aaae3b9eb8f6750df8345378820d69046563ceb94963e64ca8776e05d9cad641
Static task: static1
Behavioral task: behavioral1
Sample: URFT06GSBAWRP_001_PDF.html
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: URFT06GSBAWRP_001_PDF.html
Resource: win10v2004-20220812-en
Malware Config
Extracted: http://20.7.14.99/dll/dll_ink.pdf
Extracted: asyncrat
0.5.7B
Default
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Extracted: asyncrat
Venom RAT 5.0.5
Venom Clients
resulttoday2.duckdns.org:6111
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
delay: 1
install: false
install_folder: %AppData%
Targets
Score: 10/10
- Async RAT payload
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext