General

  • Target

    Binance API Balance Checker.zip

  • Size

    13.8MB

  • Sample

    221202-tsatbadd39

  • MD5

    28f7dbdbb0c52a813f3cb6c2a7e65add

  • SHA1

    8b2e66124ef3ffad0abef2b2c319277f8864cdaa

  • SHA256

    7bd52690c3ab8f05186fc3198a9e98435fac36874c00e1f6caa4439b3712f167

  • SHA512

    beca5d5f7fcc67b686aee51989efdefcd294f2ad59a5d7c9d3ca65c7bf6045196c3798dfd2fc6cf3895f0b4d088114f9cc3010a5f3f9518f2de2ae001263d906

  • SSDEEP

    393216:0hsbxVJEeCHEF/XAi/N1/6Qj09dBj/57T/MNexHyZGW:0SbxQeCHc/Qi/n9j09QexS0W

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Authenticator

C2

194.180.48.177:4449

Mutex

minecraft_fortnite

Attributes

  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      BinUS API Balance Checker.exe

    • Size

      14.2MB

    • MD5

      6f5f4054ca0d6ce5207d37ca922803fe

    • SHA1

      4c7828635cb2202b0732b6f4260684024bfe2028

    • SHA256

      1a0145381fa83d89e42b662bdc24790792f62e86b56a2d225ba67ab28b2a1bd5

    • SHA512

      a1ec80a416366d1154ab461559545f4e277c0095aefe84fb0ae9374d000565288293e9c5cf2bb680fa8e4444505f9f0eabc81454ddcd57b53ec2bddb8d4cebc6

    • SSDEEP

      393216:Olo/1obI/w9c5hlERjAdZYygtN3ZWzVrC5jTA/NnN7:6o/1h/gEhkjAdZgtN3Qt/Vx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • UAC bypass

    • Windows security bypass

    • Async RAT payload

    • Looks for VirtualBox Guest Additions in registry

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Privilege Escalation

    Bypass User Account Control (T1088): 1

  • Defense Evasion

    Bypass User Account Control (T1088): 1

    Disabling Security Tools (T1089): 3

    Modify Registry (T1112): 5

    Virtualization/Sandbox Evasion (T1497): 2

  • Discovery

    Query Registry (T1012): 5

    Virtualization/Sandbox Evasion (T1497): 2

    System Information Discovery (T1082): 5

    Peripheral Device Discovery (T1120): 1

  • Command and Control

    Web Service (T1102): 1

Tasks