General
Target: 7f5fd6228a8d8edf2c88d1b34cb8c847.bin
Size: 261KB
Sample: 230605-nrn2nagc79
MD5: 9bf4170e350ba548431245b86045bb3c
SHA1: 2339be59f8a1cde2c22583eda0b2e5b6b1265bf6
SHA256: 858e0ef704d84e33638b0358a4c18f0aee3c92d04fcc1f5d4fea042a0e0c9a4f
SHA512: 9f5f3a2910f7c00cc3f3073582fe8b81c72c4a3efd7b364fa412abd77685db896b24d8b423863828e469671b53be21a076a85f802e417c4ff33950beaf04bd92
SSDEEP: 6144:o7FgAv2SBlRSk6eee7gVPKfM+Va+LKBdvW+2tgKKzo9BAD:o7FeSlSkaxViF4CtpK0U
Static task: static1
Behavioral task: behavioral1
Sample: 2869fbcf083c03c7cd55e45661f6df089fdf169b1719d5052a52e2e386bf3a6d.exe
Resource: win7-20230220-en
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.1
Default
vrmctetyuyojxzjvffl
delay: 1
install: false
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/WD485ntt
Targets
Target: 2869fbcf083c03c7cd55e45661f6df089fdf169b1719d5052a52e2e386bf3a6d.exe
Size: 336KB
MD5: 7f5fd6228a8d8edf2c88d1b34cb8c847
SHA1: 408049adf245bcad778add0903c6803a4d691d3f
SHA256: 2869fbcf083c03c7cd55e45661f6df089fdf169b1719d5052a52e2e386bf3a6d
SHA512: 4ec90147cdace22b9a14d776fe28837994689553aeef682597a4e218a44ca68a0227131987ed28f6458ca6ba478f2e1f39785f99c98154a301a5affb37a755ab
SSDEEP: 6144:DT9zpYsT9/xBDwYQJkaLVo/DtBI6C39gMGHQuwDBOknXcMbE+:DYsZ/bxQJDVODtBtOgOuYO8Xb
- Async RAT payload
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext