General

  • Target

    ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3

  • Size

    451KB

  • Sample

    230817-v1mnhsch4v

  • MD5

    3165e5045b93dd77931c69b373226483

  • SHA1

    c4652b4087ef45c0ff18f7f01922905bdeb0ffe7

  • SHA256

    ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3

  • SHA512

    07e9821f3ae56b32d6ba6fed9db634c9f5041d2f5c3279f9596dbdb38d8e2d77c8a42a078ef527c8bf87a528fe6f66947098280e2c8d1e8dba5539a8a26e99de

  • SSDEEP

    6144:XtCdfR0ef6CJsxLKuV8bsdGy9dtHgAE/iSpRS1QxBJsXJnFtjS:X8dfR0efhOdVxYyxHgn/S1cSw

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    Venom RAT + HVNC + Stealer + Grabber v6.0.1

  • Botnet

    Default

  • C2

    185.106.94.122:4449

  • Mutex

    nrasbnbyxirll

  • Attributes

    • delay

      1

    • install

      false

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3

    • Size

      451KB

    • MD5

      3165e5045b93dd77931c69b373226483

    • SHA1

      c4652b4087ef45c0ff18f7f01922905bdeb0ffe7

    • SHA256

      ac39761fb97690a8d3a9a664b482a1e966359c1cc4986c62563fc2daf6a857d3

    • SHA512

      07e9821f3ae56b32d6ba6fed9db634c9f5041d2f5c3279f9596dbdb38d8e2d77c8a42a078ef527c8bf87a528fe6f66947098280e2c8d1e8dba5539a8a26e99de

    • SSDEEP

      6144:XtCdfR0ef6CJsxLKuV8bsdGy9dtHgAE/iSpRS1QxBJsXJnFtjS:X8dfR0efhOdVxYyxHgn/S1cSw

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Modifies WinLogon for persistence

    • StormKitty

      StormKitty is an open-source information stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks