General

  • Target

    Office.rar

  • Size

    5.2MB

  • Sample

    230324-qsw5rsgf9s

  • MD5

    24fd1c1c16a63edc5e2402021a140e9e

  • SHA1

    4ad1124ab2010b776e2cccb9d34ad9bedfde3018

  • SHA256

    c2e2c6bb6fcfc0c7cb5e431aa864ef254d1a5da2dfc3404e57c2fbaffd4b03fe

  • SHA512

    53164193d1d28780f71c502ff8f99766868cc34c95073d678bcb1cc420c98ad07934369cc376d5a4d8985b9739b0395c43cc0c1fad42d5df9711b1204205c561

  • SSDEEP

    98304:tXHpnPdiqar27R8IA42/1Ue5SUzXg0+B6oHBIkc7RayoHo74RItLd3u9yXQiORca:NlPsqar27OIF2/UUzXg0+B6+BrclayOP

Malware Config

Extracted

Family

asyncrat

Version

VenomRAT_HVNC 5.0.4

Botnet

Venom Clients

C2

0.tcp.in.ngrok.io:16536

Mutex

ddzucoqijfsxpd

Attributes
  • delay

    0

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Officeexploit.exe

    • Size

      6.9MB

    • MD5

      c862188d5b7ff565649a8910e1de5567

    • SHA1

      fb2136bbcd0906b1475aa9fcc6b60aa73b1e60c8

    • SHA256

      e177f76028426973fee6f4da522dc1c3a2b7cc8ee47ba1d3ca9ae5388f415c61

    • SHA512

      8d07661c05f19f8773ef3a1aae063374fb7f24425acf45c068d567eaf1afb61a12b3026c8a13f9e24100835f26ccf2871f155d2b1f9b8a121fa9097827aaacde

    • SSDEEP

      49152:G2iFjtp/eaXvBINUm0lcMvzDhQozYgCfg85UQn4lK5iTkV8u9HUIWz/OrZHzlcvG:GPjG

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Async RAT payload

    • ACProtect 1.3x - 1.4x DLL software

      Detects files protected with the ACProtect software protector.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Legitimate hosting services abused for malware hosting/C2

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (1) – T1053

  • Persistence

    Scheduled Task (1) – T1053

  • Privilege Escalation

    Scheduled Task (1) – T1053

  • Discovery

    System Information Discovery (2) – T1082

    Query Registry (1) – T1012

    Remote System Discovery (1) – T1018

  • Command and Control

    Web Service (1) – T1102

Tasks