Analysis
-
max time kernel
145s -
max time network
182s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
05-12-2022 14:32
General
-
Target
6474c38705ed24203c4f2c1386465b97.exe
-
Size
1.2MB
-
MD5
6474c38705ed24203c4f2c1386465b97
-
SHA1
afecee20116234fb98d5ce66bb99dd71de43796c
-
SHA256
538f828e062bb8200c9947698aa8d57281fb41df64e29bae5d148fc3b2983c36
-
SHA512
bb3ef85bb1fd87245095aa68503347f3ee4452b871f26b4dd90a100e4d08b0164f96147c4a7f2a50d3c153bc26e162d9edf0bf68a37b1a3cf6b0915ee52a2e05
-
SSDEEP
12288:m7Xw8/7fKSkzJNolKRASwx7IkN24DLbwTDzGPNPbegfKk7ZT1uQOXVtOt5kYgkmI:mP7iqlKDw+m24D0cbDZuQmS5kme
Malware Config
Extracted
asyncrat
VenomRAT+HVNC+Stealer Version:5.0.8
Venom Clients
79.137.207.151:4449
Venom_RAT_HVNC_Mutex_Venom RAT066840
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 1 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6474c38705ed24203c4f2c1386465b97.exe"C:\Users\Admin\AppData\Local\Temp\6474c38705ed24203c4f2c1386465b97.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sZXlqqpkmCl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp71DF.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp71DF.tmpFilesize
1KB
MD53f8048b46b86c2accfda5e4e083ad415
SHA112619c577c4bbca2a9ab8b1737681ccf006d3b00
SHA25628e96144578d0c42002eadf169d271c0227db4dc93cacc5eb0bb22fc6a09747b
SHA512e5098ca7ca61076f50e7c6b160a917381dc649fb06f73eda9fba60aa45ea7a7de154d260e21adf7b2196fefbfc5d885967accf6f4bceed777b82369aafe151d2
-
memory/2996-132-0x0000000000A60000-0x0000000000B9C000-memory.dmpFilesize
1.2MB
-
memory/2996-133-0x0000000005A60000-0x0000000006004000-memory.dmpFilesize
5.6MB
-
memory/2996-134-0x0000000005550000-0x00000000055E2000-memory.dmpFilesize
584KB
-
memory/2996-135-0x0000000005690000-0x000000000572C000-memory.dmpFilesize
624KB
-
memory/2996-136-0x00000000055F0000-0x00000000055FA000-memory.dmpFilesize
40KB
-
memory/2996-137-0x00000000010D0000-0x0000000001136000-memory.dmpFilesize
408KB
-
memory/3952-138-0x0000000000000000-mapping.dmp
-
memory/4300-140-0x0000000000000000-mapping.dmp
-
memory/4300-141-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB