General

  • Target

    4672ceafd2e11ff9aa26ecbb9094aed5d1a58e995f2a93ae054f46f6f56591f7

  • Size

    415KB

  • Sample

    221205-g6k5zshc9s

  • MD5

    0ee108a8e3b9cddad2cceb2648072fe2

  • SHA1

    fce82d4a7aefd76ed3239fb6f33bbd7b6dce87a9

  • SHA256

    4672ceafd2e11ff9aa26ecbb9094aed5d1a58e995f2a93ae054f46f6f56591f7

  • SHA512

    1456febc7903ffa5c018b8c3a2ebd05278cddb9a39f792615f9dd308ef95a542fd89ebe31a709d4d36d335f9e96fbe410fc6990e4e3f9c2f4308d9e508124449

  • SSDEEP

    12288:mF4ioOyjRGILz+N8vmI/v8GpRyWgDy6QG:2ZoOyjMqLN+W9G

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    VenomRAT+HVNC+Stealer Version:5.0.8

  • Botnet

    Venom Clients

  • C2

    79.137.207.151:4449

  • Mutex

    Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    10

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Modifies Windows Defender Real-time Protection settings

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • Async RAT payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks whether UAC is enabled

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task: 1 (T1053)

Persistence

  • Modify Existing Service: 1 (T1031)

  • Scheduled Task: 1 (T1053)

Privilege Escalation

  • Bypass User Account Control: 1 (T1088)

  • Scheduled Task: 1 (T1053)

Defense Evasion

  • Modify Registry: 3 (T1112)

  • Disabling Security Tools: 2 (T1089)

  • Bypass User Account Control: 1 (T1088)

Credential Access

  • Credentials in Files: 1 (T1081)

Discovery

  • Query Registry: 1 (T1012)

  • System Information Discovery: 3 (T1082)

Collection

  • Data from Local System: 1 (T1005)

  • Email Collection: 1 (T1114)

Tasks