Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220901-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    17-01-2023 21:28

General

  • Target

    B840k49sjm47_PDF.exe

  • Size

    300.0MB

  • MD5

    e14a49db1e766a0d20b4917a16645ab1

  • SHA1

    32a5294a721e1b8fa807f3af71ee7bf81a0c4fae

  • SHA256

    0525ef32bd0fdea85df06fb17d23a31a97ce2f4a9d92a531a2a027ed2cb591e6

  • SHA512

    0eceefc925ac85e9801006b045726e6fde7c57a2d197c6b34092503fe6fd45487fd9c68b727cef898ee734a18d2376b951f413117db5b8a97aeb0a765cc4a2dc

  • SSDEEP

    49152:OHD6sHN0ejZB8wVLmZYqscvmuWqkY2taer:OHXtbB8mOYDcvmFU2J

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

C2

venmo8500.duckdns.org:8500

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

bitrat

Version

1.38

C2

bitone9090.duckdns.org:9090

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor
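
The two extracted configs above are the most actionable part of this report. The following Python is an added example (not from the sandbox or the malware) that turns those fields into typed IOCs, flags the C2 hosts that sit on free dynamic-DNS infrastructure, and checks the BitRAT communication_password, which is a 32-hex MD5 digest, against a wordlist. The config values are copied from the report; the dynamic-DNS suffix list and the wordlist are constructed for the demonstration and are assumptions, and the function names are mine.

```python
import hashlib
import re

# Config fields exactly as the sandbox reported them for this sample.
VENOM_CONFIG = {
    "family": "asyncrat",
    "version": "Venom RAT 5.0.5",
    "botnet": "Venom Clients",
    "c2": ["venmo8500.duckdns.org:8500"],
    "mutex": "Venom_RAT_HVNC_Mutex_Venom RAT_HVNC",
    "install": False,
    "install_folder": "%AppData%",
}
BITRAT_CONFIG = {
    "family": "bitrat",
    "version": "1.38",
    "c2": ["bitone9090.duckdns.org:9090"],
    "communication_password": "e10adc3949ba59abbe56e057f20f883e",
    "tor_process": "tor",
}

# Assumption: a short list of free dynamic-DNS suffixes worth flagging; extend for real use.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# Constructed wordlist for the demonstration; a real run would use a full list such as rockyou.
WORDLIST = ["password", "admin", "qwerty", "123456", "letmein"]


def split_c2(entry):
    """Split 'host:port' into (host, port); port is None when absent or non-numeric."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit():
        return entry, None
    return host, int(port)


def build_iocs(*configs):
    """Flatten extracted configs into typed IOC records for blocklists and host hunts."""
    iocs = []
    for cfg in configs:
        fam = cfg["family"]
        for entry in cfg.get("c2", []):
            host, port = split_c2(entry)
            iocs.append({"type": "domain", "value": host, "family": fam})
            if port is not None:
                iocs.append({"type": "socket", "value": f"{host}:{port}", "family": fam})
        if cfg.get("mutex"):
            iocs.append({"type": "mutex", "value": cfg["mutex"], "family": fam})
    return iocs


def dynamic_dns_domains(iocs):
    """Return C2 domains hosted on a dynamic-DNS provider (cheap, disposable infrastructure)."""
    out = []
    for ioc in iocs:
        if ioc["type"] != "domain":
            continue
        host = ioc["value"].lower()
        if any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
            out.append(host)
    return sorted(out)


def recover_md5_password(digest_hex, wordlist):
    """Dictionary-match an unsalted MD5 digest; returns the plaintext or None."""
    if not re.fullmatch(r"[0-9a-f]{32}", digest_hex.lower()):
        raise ValueError("not an MD5 hex digest")
    target = digest_hex.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    iocs = build_iocs(VENOM_CONFIG, BITRAT_CONFIG)
    for ioc in iocs:
        print(f"{ioc['family']:9} {ioc['type']:7} {ioc['value']}")
    print("dynamic DNS C2:", dynamic_dns_domains(iocs))
    print("BitRAT password:", recover_md5_password(BITRAT_CONFIG["communication_password"], WORDLIST))
```

Running this shows both C2 hosts on duckdns.org and recovers the BitRAT value as the MD5 of "123456": the operator kept a trivial password, which is common with builder defaults. The mutex string is the cheapest host-side check; an unexpected process holding a mutex with that name is a clean indicator of the Venom RAT build.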

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers. The config extractor classifies the Venom RAT 5.0.5 build found here under the AsyncRAT family.

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Async RAT payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs

    vbc.exe is the Visual Basic .NET compiler, not a VBScript interpreter. In this run it is started with no arguments by a parent that also calls SetThreadContext and WriteProcessMemory, the usual process-hollowing pattern, so the Microsoft-shipped compiler binary is serving as the host for injected code.
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. That reading is the sandbox's generic signature text; both families extracted from this sample are RATs, so drive enumeration here is more plausibly reconnaissance or file-manager functionality than encryption.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4004
    • C:\Users\Admin\AppData\Local\Temp\bitner9090.exe
      "C:\Users\Admin\AppData\Local\Temp\bitner9090.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1788
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\dftgr"
      2⤵
      PID:628
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3908
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:3884
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe" "C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe"
      2⤵
      PID:4280
  • C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe
    C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:848
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\dftgr"
      2⤵
      PID:4544
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:2128
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe" "C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe"
      2⤵
      PID:3688
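
The process tree above contains three behaviours worth a detection rule: a schtasks /create with a one-minute trigger whose action lives under AppData, a cmd /c copy that stages the running executable into that same folder, and vbc.exe launched with no arguments by a binary in the user's Temp directory (the hollowing host the Signatures section points at). The following Python is an added example, not sandbox or vendor code, that runs those three rules over process-creation records constructed from the first tree in this report. The root's parent PID (1000), the list of user-writable path markers and the rule names are assumptions made for the demonstration.

```python
import re

# Process-creation records constructed from the first process tree above
# (pid, parent pid, image path, command line). ppid 1000 for the root is an assumption.
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    {"pid": 4892, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe"'},
    {"pid": 4004, "ppid": 4892, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'},
    {"pid": 1788, "ppid": 4892, "image": r"C:\Users\Admin\AppData\Local\Temp\bitner9090.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bitner9090.exe"'},
    {"pid": 628, "ppid": 4892, "image": CMD,
     "cmdline": r'"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\dftgr"'},
    {"pid": 3908, "ppid": 4892, "image": CMD,
     "cmdline": r'''"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f'''},
    {"pid": 3884, "ppid": 3908, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f'''},
    {"pid": 4280, "ppid": 4892, "image": CMD,
     "cmdline": r'"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe" "C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe"'},
]

# Assumption: path fragments that mark directories a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def args_after_image(cmdline):
    """Strip the (possibly quoted) program token and return the remaining arguments."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def task_persistence(cmdline):
    """Parse a schtasks /create line; return details when the action is in a user-writable path."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    sc = re.search(r"/sc\s+(\w+)", low)
    mo = re.search(r"/mo\s+(\d+)", low)
    tn = re.search(r'/tn\s+"?([^"\s]+)', cmdline, re.I)
    # /tr may be wrapped in one or two layers of quotes, as in this sample, or unquoted.
    tr = re.search(r"""/tr\s+(?:["']+([^"']+)["']*|(\S+))""", cmdline, re.I)
    if not (sc and tr):
        return None
    target = tr.group(1) or tr.group(2)
    if not user_writable(target):
        return None
    return {"task": tn.group(1) if tn else None,
            "schedule": f"{sc.group(1)}/{mo.group(1) if mo else 1}",
            "target": target}


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cl, image = e["cmdline"], e["image"].lower()
        parent = by_pid.get(e["ppid"])

        # Rule 1: schtasks /create whose action lives in a user-writable directory
        # (the cmd wrapper carries the same line; only the schtasks.exe event is scored here).
        if image.endswith("\\schtasks.exe"):
            hit = task_persistence(cl)
            if hit:
                findings.append({"rule": "scheduled_task_persistence", "pid": e["pid"], "detail": hit})

        # Rule 2: cmd /c copy where the source is the parent's own image and the
        # destination is user-writable: the malware staging itself for the task.
        if image.endswith("\\cmd.exe") and parent:
            m = re.search(r'\bcopy\s+"([^"]+)"\s+"([^"]+)"', cl, re.I)
            if m and m.group(1).lower() == parent["image"].lower() and user_writable(m.group(2)):
                findings.append({"rule": "self_copy_to_user_dir", "pid": e["pid"], "detail": m.group(2)})

        # Rule 3: a .NET compiler started with no arguments by a binary in a user-writable path;
        # a real compiler invocation always carries source files or response files.
        if (image.endswith(("\\vbc.exe", "\\csc.exe")) and not args_after_image(cl)
                and parent and user_writable(parent["image"])):
            findings.append({"rule": "compiler_hollowing_host", "pid": e["pid"], "detail": parent["image"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:28} pid={f['pid']} {f['detail']}")
```

Rule 3 is the one most worth keeping in production: a one-minute schtasks trigger and a self-copy into AppData will change with the next build, but a parent running from Temp or AppData that spawns vbc.exe or csc.exe with an empty command line has essentially no benign explanation. Pair it with the EDR's SetThreadContext or WriteProcessMemory telemetry on the same parent, which this report shows on PID 4892, to confirm the hollowing.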

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bitner9090.exe

    Filesize

    1.4MB

    MD5

    3910450cfb9c43a37a77b8b7fbd7c3a3

    SHA1

    1699b1b16cd067fab7dbfa0c9207fa14f49444a8

    SHA256

    04434a5c67c7d540871edd1b2e989d8c78270fb6317ddab3b392156f322d2d2f

    SHA512

    2d8e9dc00b17151398467bf8f1947285552770906e08e686eca987ea97b9aa58701b132ae8c0839edd3a1bc94e33c420574fa3e64d1b026a7eaebfee2f66a9e2

  • C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe

    Filesize

    300.0MB

    MD5

    e14a49db1e766a0d20b4917a16645ab1

    SHA1

    32a5294a721e1b8fa807f3af71ee7bf81a0c4fae

    SHA256

    0525ef32bd0fdea85df06fb17d23a31a97ce2f4a9d92a531a2a027ed2cb591e6

    SHA512

    0eceefc925ac85e9801006b045726e6fde7c57a2d197c6b34092503fe6fd45487fd9c68b727cef898ee734a18d2376b951f413117db5b8a97aeb0a765cc4a2dc

  • memory/1788-163-0x0000000070910000-0x0000000070949000-memory.dmp

    Filesize

    228KB

  • memory/1788-147-0x0000000070850000-0x0000000070889000-memory.dmp

    Filesize

    228KB

  • memory/1788-162-0x0000000070850000-0x0000000070889000-memory.dmp

    Filesize

    228KB

  • memory/1788-148-0x0000000070910000-0x0000000070949000-memory.dmp

    Filesize

    228KB

  • memory/1788-145-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

  • memory/1788-152-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

  • memory/4004-138-0x00000000003E0000-0x00000000003F6000-memory.dmp

    Filesize

    88KB

  • memory/4004-151-0x00000000066C0000-0x00000000066DE000-memory.dmp

    Filesize

    120KB

  • memory/4004-149-0x0000000005680000-0x000000000571C000-memory.dmp

    Filesize

    624KB

  • memory/4004-153-0x0000000006BF0000-0x0000000006BFA000-memory.dmp

    Filesize

    40KB

  • memory/4004-150-0x0000000006700000-0x0000000006776000-memory.dmp

    Filesize

    472KB

  • memory/4892-133-0x0000000006100000-0x00000000066A4000-memory.dmp

    Filesize

    5.6MB

  • memory/4892-134-0x0000000005A70000-0x0000000005B02000-memory.dmp

    Filesize

    584KB

  • memory/4892-135-0x0000000005BC0000-0x0000000005C26000-memory.dmp

    Filesize

    408KB

  • memory/4892-132-0x0000000000F00000-0x00000000010C6000-memory.dmp

    Filesize

    1.8MB