General
-
Target
vhvncN PRV.zip
-
Size
2.7MB
-
Sample
230609-3yf2ysdg53
-
MD5
b774340174ff0e9ba16bb7c95b80a4df
-
SHA1
84774450e17cf9c1ac5ca5b9d0ec0e15bc89a114
-
SHA256
5ac69c8e54fb08fdc85586c8abf0ba19ebd2fecfab9007c6a6434ae47c513ff8
-
SHA512
8020138741e511f4ad78aff435da07141080856247164ad3a669d80aff825779163ba2ceff4c0f15a1fb89625d4c87240f28f75b133bef17482e192446692303
-
SSDEEP
49152:Z993i3/eIuQEjXwxUV2g8KPW5GqarBe1oTmqoaP7Mw:v1qe9QKXwX5GBrg1wmsP7Mw
Static task
static1
Behavioral task
behavioral1
Sample
vhvncN.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
vhvncN.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
vjustca.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
vjustca.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
vremcoss.exe
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
vremcoss.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
vvenomd.exe
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
vvenomd.exe
Resource
win10v2004-20230221-en
Malware Config
Extracted
nanocore
1.2.2.0
justkowir.duckdns.org:8550 (duckdns.org is a free dynamic-DNS service, so the resolved IP is not stable — detect and block on the hostname rather than on a single IP)
513a9907-f4ca-4a36-8f25-fcb7088c00a5
-
activate_away_mode
true
-
backup_connection_host
justkowir.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-01-03T15:53:14.690945336Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
(empty — no value was extracted for this field)
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
8550
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
10485760 (rendered as 1.048576e+07; equals 10 MiB)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760 (rendered as 1.048576e+07; equals 10 MiB)
-
mutex
513a9907-f4ca-4a36-8f25-fcb7088c00a5
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
justkowir.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
remcos
RemoteHost
homoney177.duckdns.org:4056 (dynamic-DNS hostname — its IP can change at any time; pivot on the hostname)
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-QMN5BU
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
asyncrat
VenomRAT 5.0.3
Venom Clients
ghankall40.duckdns.org:8890 (dynamic-DNS hostname — its IP can change at any time; pivot on the hostname)
Venom_RAT_Mutex_Venom_RAT
-
delay
0
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
vhvncN.exe
-
Size
300.0MB (the whole archive containing this and the other three executables is only 2.7MB, so the on-disk size is very likely inflated with padding — a common trick to push a sample past AV and sandbox upload-size limits; do not treat the size as a reason to skip scanning)
-
MD5
34986f9c6ea8dbe780f8265e149d9d10
-
SHA1
919cbc39b8ae9586620668fcbf6e649edc37db89
-
SHA256
9cef989fedcd6ed1c4e8af2d790f46a24a36cb594d06e2c79abba747b4f10e8e
-
SHA512
bc618243a04e860e26fe0eae3d1144e4887d6e064b7a6722ec1ea56149f3b7db21303c943983e9f8ae19e289dff489ea1fc9a132cccb101383262a6da9d297fa
-
SSDEEP
24576:C/vPm5sH02EZdKwZGPdQaAITXZwfrY1jsgEe:gZH0nZYw+QGTXijYVs
Score 8/10
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up the country code configured in the registry; likely used as a geofence check, so the sample may behave differently depending on the victim machine's locale.
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-
-
-
Target
vjustca.exe
-
Size
300.0MB
-
MD5
1633635a687ccb7d5af9b5f8d23d99c7
-
SHA1
82a39e06e75396a9523b0faa4f2e941c141c1240
-
SHA256
677e3f8a442e90e3d4464887248c326e226c028ad708e2dae85a9f215654f7a0
-
SHA512
5889baa375d46cb1413e473b3e8184e24bf17006ebd630650ef3de3c23379622f658d10bb233d4c9c8e41ddb52c73773e939685c79a6b742f31daeee3b6a586c
-
SSDEEP
6144:CjRfbsw9j74aiGZcpFpD2+iNoKZsy8WU7g/ke2FYD5Fj1:5wl/sLDrimKh8WUkP2Fg
-
Checks computer location settings
Looks up the country code configured in the registry; likely used as a geofence check, so the sample may behave differently depending on the victim machine's locale.
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
-
-
Target
vremcoss.exe
-
Size
300.0MB
-
MD5
5e16a655613ab91693a8595b5c148a22
-
SHA1
6c7b4797b27de085abc25c6e87be4b40f7380022
-
SHA256
d89d2dc5477228526ab32eff6c588844118248ca2230e0f8248c2c1a072ad6c5
-
SHA512
0f5b16310d0fb6dfd350d764397a57a087e35f1e0bf59ec3b477de78941e836971c9a9734f980a804bc7d0cc3964246b2cb4b459e459458102a081478af65ea2
-
SSDEEP
12288:79k4AvS+CkGwjOl/cP4Ul535VJDXTksuvNiqPbXpr0zXed9:8S+yx/cP4WDVJfkt8qF0rU
Score 10/10
-
Checks computer location settings
Looks up the country code configured in the registry; likely used as a geofence check, so the sample may behave differently depending on the victim machine's locale.
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
-
-
Target
vvenomd.exe
-
Size
124.0MB
-
MD5
068178e4813895c8767a99e20ab131eb
-
SHA1
eb8bf68e2c940aaeb0b28e6f6cf0b87319c0a85f
-
SHA256
cd8a35b004683e744b703c043bbc08e6b1c33aa673eb76637815c957b5dfea69
-
SHA512
7aac9429cf4000a43887129b68dbe58acebc83098d36e7555b913c749e64a689afd180a02d20aabdff08e40ca56543c1224ea649b412df2a72c89a3e584dd526
-
SSDEEP
3072:JZd+lPvbKJ9rVNFJ+VyMdX68C+wdJww6r50iis79KCTDd:5UvbUHP+VyMdDnwc5Fjp
Score 10/10
-
Async RAT payload
-
Checks computer location settings
Looks up the country code configured in the registry; likely used as a geofence check, so the sample may behave differently depending on the victim machine's locale.
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-