Overview

overview

10

Static

static

URFT06GSBA...DF.exe

windows7-x64

10

URFT06GSBA...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04-10-2022 13:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    URFT06GSBAWRP_001_PDF.exe

  • Size

    300.0MB

  • MD5

    464753cd8a6523de0fba921ce6846177

  • SHA1

    6b3b77af1129f9ad86acc31163d8450eacb4dbd3

  • SHA256

    3221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092

  • SHA512

    589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2

  • SSDEEP

    3072:1iJZ3k2p8jrvVIYkwur2JMBZ6kINhCRFuaABOUEs64BRg40nOFblHTgr4:1OyRr9u1KJkZ6dIYBUeBRgOlWU

Score
10/10
asyncratvenom clientsrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

C2

resulttoday2.duckdns.org:6111

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 10 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:1688
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe" "C:\Users\Admin\AppData\Roaming\opetr.exe"
      2⤵
        PID:1492
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1348
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {394466D6-04AC-4F7F-B2AB-869DF92E83DA} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Users\Admin\AppData\Roaming\opetr.exe
        C:\Users\Admin\AppData\Roaming\opetr.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1280
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
            4⤵
            • Creates scheduled task(s)
            PID:880
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Roaming\opetr.exe" "C:\Users\Admin\AppData\Roaming\opetr.exe"
          3⤵
            PID:1676
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1052
        • C:\Users\Admin\AppData\Roaming\opetr.exe
          C:\Users\Admin\AppData\Roaming\opetr.exe
          2⤵
          • Executes dropped EXE
          PID:1172

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Scripting

      1
      T1064

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\opetr.exe
        Filesize

        300.0MB

        MD5

        464753cd8a6523de0fba921ce6846177

        SHA1

        6b3b77af1129f9ad86acc31163d8450eacb4dbd3

        SHA256

        3221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092

        SHA512

        589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2

        Download Submit
      • C:\Users\Admin\AppData\Roaming\opetr.exe
        Filesize

        297.1MB

        MD5

        f783ceaa9a807a7e0a4d78a945f6172c

        SHA1

        a708795b615203113a7135a2b29390a8b8853137

        SHA256

        a459805823555053937b510624d2064df3fd435175b1bf37d24bafafb8f643d1

        SHA512

        c125643cce09b4f6290c1e529a857d185fb4aa57d7ba3bfd297ab9e190040679b4692cea9eb9f3589bfe34d4b96fad13b6c265ea427389f27c859275408bffc6

        Download Submit
      • C:\Users\Admin\AppData\Roaming\opetr.exe
        Filesize

        96.5MB

        MD5

        888b3efabb2d0d1beb2e38aada2bc168

        SHA1

        cefc6bf602eafc289098f4d2c6d7c0414b35ebdc

        SHA256

        6bc6fab4b6ce68d56eec5ce7139ad48ab0596a64b3b523d8600cf5c538a9cbbf

        SHA512

        5189be8ae88e8596265a2d1d45bc81aa42c2bfee004a1d9565c3b30d1b683f9c16d4fded8abf5866935efd82f3aa54b18c83d4d81e79665c2332fc2ea6ddb223

        Download Submit
      • memory/880-83-0x0000000000000000-mapping.dmp
        Download
      • memory/936-56-0x0000000000000000-mapping.dmp
        Download
      • memory/1052-94-0x0000000000400000-0x0000000000416000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1052-92-0x0000000000400000-0x0000000000416000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1052-90-0x00000000004109DE-mapping.dmp
        Download
      • memory/1172-96-0x0000000000000000-mapping.dmp
        Download
      • memory/1280-81-0x0000000000000000-mapping.dmp
        Download
      • memory/1348-60-0x0000000000080000-0x0000000000096000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1348-62-0x0000000000080000-0x0000000000096000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1348-71-0x0000000000080000-0x0000000000096000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1348-74-0x0000000000080000-0x0000000000096000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1348-66-0x0000000000080000-0x0000000000096000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1348-59-0x0000000000080000-0x0000000000096000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1348-65-0x00000000004109DE-mapping.dmp
        Download
      • memory/1348-67-0x0000000000080000-0x0000000000096000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1348-63-0x0000000000080000-0x0000000000096000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1492-58-0x0000000000000000-mapping.dmp
        Download
      • memory/1676-82-0x0000000000000000-mapping.dmp
        Download
      • memory/1688-57-0x0000000000000000-mapping.dmp
        Download
      • memory/1756-79-0x0000000001300000-0x0000000001332000-memory.dmp
        Filesize

        200KB

        Download
      • memory/1756-77-0x0000000000000000-mapping.dmp
        Download
      • memory/2036-54-0x0000000000940000-0x0000000000972000-memory.dmp
        Filesize

        200KB

        Download
      • memory/2036-55-0x0000000075521000-0x0000000075523000-memory.dmp
        Filesize

        8KB

        Download