General

Target: B840k49sjm47_PDF.exe
Size: 300.0MB
Sample: 230117-1bbslsgc94
MD5: e14a49db1e766a0d20b4917a16645ab1
SHA1: 32a5294a721e1b8fa807f3af71ee7bf81a0c4fae
SHA256: 0525ef32bd0fdea85df06fb17d23a31a97ce2f4a9d92a531a2a027ed2cb591e6
SHA512: 0eceefc925ac85e9801006b045726e6fde7c57a2d197c6b34092503fe6fd45487fd9c68b727cef898ee734a18d2376b951f413117db5b8a97aeb0a765cc4a2dc
SSDEEP: 49152:OHD6sHN0ejZB8wVLmZYqscvmuWqkY2taer:OHXtbB8mOYDcvmFU2J

A 300.0MB executable posing as a PDF is far larger than a RAT loader needs to be; check for an appended overlay or padding before treating the whole file as code, and keep in mind that a file this size can exceed the upload limits of some scanners.
Static task: static1

Behavioral task: behavioral1
  Sample: B840k49sjm47_PDF.exe
  Resource: win7-20221111-en
Malware Config

Extracted: asyncrat
  Version: Venom RAT 5.0.5
  Venom Clients
  C2: venmo8500.duckdns.org:8500
  Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
  delay: 1
  install: false
  install_folder: %AppData%

Extracted: bitrat
  Version: 1.38
  C2: bitone9090.duckdns.org:9090
  communication_password: e10adc3949ba59abbe56e057f20f883e
  tor_process: tor

Both C2 hostnames sit under the free duckdns.org dynamic-DNS service, so the IP seen during the run can change at any time; block and hunt on the hostnames, not the resolved address. The BitRAT communication_password value is the unsalted MD5 of "123456", a default-strength secret that offers no protection against anyone who captures the traffic format. With install set to false, the AsyncRAT payload does not persist itself in %AppData% on this run, which is why no scheduled-task or Run-key persistence appears in the signatures below.
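An extracted configuration is only useful once it is turned into something you can block and hunt on. The following Python is an added example (not sandbox output and not the RATs' own code): it parses the C2 entries above into host/port IOCs, flags dynamic-DNS hosts, collects the mutex, and demonstrates that BitRAT's communication_password is an unsalted MD5 digest by recovering it from a small wordlist. The config values are copied from the report; the dynamic-DNS suffix list and the wordlist are constructed for illustration.

```python
"""Turn the extracted Venom RAT / BitRAT configs into checkable IOCs.

Added example, not part of the sandbox report. The EXTRACTED values are
copied from the Malware Config section; DYNAMIC_DNS_SUFFIXES and WORDLIST
are constructed stand-ins for real provider lists and real wordlists.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Values as reported by the config extractor (see Malware Config above).
EXTRACTED = {
    "asyncrat": {
        "version": "Venom RAT 5.0.5",
        "c2": ["venmo8500.duckdns.org:8500"],
        "mutex": "Venom_RAT_HVNC_Mutex_Venom RAT_HVNC",
        "install": False,
        "install_folder": "%AppData%",
    },
    "bitrat": {
        "version": "1.38",
        "c2": ["bitone9090.duckdns.org:9090"],
        "communication_password": "e10adc3949ba59abbe56e057f20f883e",
        "tor_process": "tor",
    },
}

# Constructed: free dynamic-DNS suffixes worth flagging; extend as needed.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org")

# Constructed: tiny wordlist standing in for a real one such as rockyou.txt.
WORDLIST = ["password", "123456", "admin", "bitrat", "qwerty"]


@dataclass(frozen=True)
class C2:
    family: str
    host: str
    port: int
    dynamic_dns: bool


def parse_c2(family: str, entry: str) -> C2:
    """Split a 'host:port' config entry and flag dynamic-DNS hosts.

    Raises ValueError on a malformed entry instead of emitting a bad IOC.
    """
    host, _, port = entry.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"malformed C2 entry: {entry!r}")
    host = host.lower().rstrip(".")
    return C2(family, host, int(port), host.endswith(DYNAMIC_DNS_SUFFIXES))


def c2_iocs(config: dict = EXTRACTED) -> list:
    """All C2 endpoints across every extracted family, in config order."""
    return [parse_c2(fam, e) for fam, cfg in config.items() for e in cfg.get("c2", [])]


def mutex_names(config: dict = EXTRACTED) -> list:
    """Mutex strings, usable for a host-based check of a running infection."""
    return [cfg["mutex"] for cfg in config.values() if "mutex" in cfg]


def crack_md5(digest: str, words=WORDLIST) -> Optional[str]:
    """Recover the plaintext of an unsalted MD5 digest by dictionary lookup."""
    digest = digest.lower()
    for word in words:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


if __name__ == "__main__":
    for c2 in c2_iocs():
        tag = "  [dynamic DNS]" if c2.dynamic_dns else ""
        print(f"{c2.family}: {c2.host}:{c2.port}{tag}")
    print("mutexes:", mutex_names())
    pw = crack_md5(EXTRACTED["bitrat"]["communication_password"])
    print("bitrat communication_password plaintext:", pw)
```

The same host/port parser works for multi-entry AsyncRAT configs, which list several C2 hosts; the dictionary check is the quickest way to tell whether a captured BitRAT password field is worth brute-forcing further or is simply a well-known default.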
Targets

Target: B840k49sjm47_PDF.exe (same size and hashes as listed under General)

Signatures
- Async RAT payload: the sample carries an AsyncRAT-family payload (Venom RAT is an AsyncRAT fork; see the extracted config above).
- Executes dropped EXE: a file written to disk during the run is launched.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL: a DLL written to disk during the run is loaded.
- Uses the VBS compiler for execution: launches the .NET Visual Basic compiler (vbc.exe), a signed Microsoft binary commonly used as a host for injected code.
- Suspicious use of NtSetInformationThreadHideFromDebugger: calls NtSetInformationThread with ThreadHideFromDebugger (0x11), after which the thread no longer delivers debug events to an attached debugger.
- Suspicious use of SetThreadContext: rewrites another thread's register context, the step that redirects execution in process hollowing and similar injection.
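The last four signatures are each a small rule over the API calls the sandbox records. The following Python is an added example (not the sandbox's own detection code) that encodes those rules and runs them over a constructed API-call trace. The trace format ("pid api key=value ..."), the pids, and the vbc.exe path are assumptions made for illustration; the constants the rules rely on are documented Windows values: ThreadHideFromDebugger is THREADINFOCLASS 0x11, CREATE_SUSPENDED is 0x4, and HKCU\Control Panel\International\Geo\Nation holds the user's configured country (GeoID). The SetThreadContext rule deliberately only fires when the target is a child the same process created suspended, which is the process-hollowing shape; a context rewrite on a normally started child (pid 9999 in the trace) is left alone.

```python
"""Encode the behavioural signatures above as rules over an API-call trace.

Added example, not part of the sandbox report. The trace format, pids and
paths are constructed. Constants are documented Windows values:
ThreadHideFromDebugger = THREADINFOCLASS 0x11, CREATE_SUSPENDED = 0x4,
HKCU\\Control Panel\\International\\Geo\\Nation = configured country (GeoID).
"""
import re
from collections import defaultdict

THREAD_HIDE_FROM_DEBUGGER = 0x11
CREATE_SUSPENDED = 0x00000004
GEO_KEY = r"control panel\international\geo\nation"

# Constructed trace of one run (not real sandbox output): "pid api key=value ...".
TRACE = r"""
1234 RegOpenKeyExW key="HKCU\Control Panel\International\Geo\Nation"
1234 RegQueryValueExW key="HKCU\Control Panel\International\Geo\Nation" value=Nation
1234 NtSetInformationThread thread=0xfffffffe infoclass=0x11
1234 CreateProcessW image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" flags=0x4 child=5678
1234 WriteProcessMemory target=5678 size=0x2a000
1234 SetThreadContext target=5678
1234 ResumeThread target=5678
9999 CreateProcessW image="C:\Windows\notepad.exe" flags=0x0 child=4321
9999 SetThreadContext target=4321
"""

LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")
ARG = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare


def parse_trace(text: str) -> list:
    """Parse trace lines into (pid, api, {arg: value}); skips blank/bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        args = {k: quoted or bare for k, quoted, bare in ARG.findall(m["args"])}
        events.append((int(m["pid"]), m["api"], args))
    return events


def find_signatures(text: str = TRACE) -> dict:
    """Map each pid to the sorted list of signature names its calls triggered."""
    hits = defaultdict(set)
    suspended = {}   # child pid -> pid that created it with CREATE_SUSPENDED
    for pid, api, a in parse_trace(text):
        if api == "NtSetInformationThread" and int(a.get("infoclass", "0"), 16) == THREAD_HIDE_FROM_DEBUGGER:
            hits[pid].add("Suspicious use of NtSetInformationThreadHideFromDebugger")
        elif api.startswith(("RegOpenKeyEx", "RegQueryValueEx")) and a.get("key", "").lower().endswith(GEO_KEY):
            hits[pid].add("Checks computer location settings")
        elif api.startswith("CreateProcess"):
            if int(a.get("flags", "0"), 16) & CREATE_SUSPENDED:
                suspended[int(a["child"])] = pid
            if a.get("image", "").lower().endswith("\\vbc.exe"):
                hits[pid].add("Uses the VBS compiler for execution")
        elif api == "SetThreadContext" and suspended.get(int(a.get("target", "0"))) == pid:
            # Context rewrite of a child this process created suspended: the
            # execution-redirect step of process hollowing.
            hits[pid].add("Suspicious use of SetThreadContext")
    return {pid: sorted(names) for pid, names in hits.items()}


if __name__ == "__main__":
    for pid, names in find_signatures().items():
        for name in names:
            print(f"pid {pid}: {name}")
```

Keying the hollowing rule on the suspended-child relationship rather than on SetThreadContext alone is what keeps it quiet on debuggers and legitimate thread manipulation; the other three rules are stateless and can be applied per event.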