General

  • Target

    163.5.169.28.zip

  • Size

    3.4MB

  • Sample

    240110-1ba63sgfdp

  • MD5

    791696c6bca812e4b443238fe3f9d336

  • SHA1

    51e1eee80ddc458e38d8a8bace02f27ba49206bd

  • SHA256

    3f04d3267f818beec7a5f29a7780282bdf862a71669230b796b77700a494b55d

  • SHA512

    59ae4f46f85377333da911da93ed22ac28e5ec6b61bbf5b57ad2238290494fbf38b7c16ab994bd1cb69d0d3a48c0cc045dad40b377fc947b8d504bc95326ddfc

  • SSDEEP

    98304:zZo6YOMbyKDMs7Lv0Wu0usBtdfx7HofyhQIM37ME:VobFeKDBvvL9Jy379

Malware Config

Extracted

Family

xworm

Version

5.0

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

C2

5.182.87.154:4449

Mutex

jiqsvporltpvroy

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      163.5.169.28/SCAN-atoletter2.hta

    • Size

      1.1MB

    • MD5

      0e02311efc79d0580a3ae453f00cce83

    • SHA1

      77721025336c37d0df3349badaa71e6610c6d429

    • SHA256

      01e20536cc9847e7411bbb0e4d7381774f0e5e4cc86bfd6fdf0e12229d1d2786

    • SHA512

      312589562ec740619629402876f4c077b56e0f3985686a6747c8c1d277f1bb56b41c21ef4fa1054178105a584692d3f6fc09af76e5edf4c6773826836c4b7bae

    • SSDEEP

      1536:y4pLmOmQ7Mf99jXfqe+Wjyosy3vmr/l1vcmafSIm+lIWFR3QXdpkJJ0sVaVMHfFP:y4pLZmQ7CJXReoz3zH

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      163.5.169.28/SCAN-atoletter2.pdf

    • Size

      168KB

    • MD5

      94667972ade0e377d8edd7f16730a0db

    • SHA1

      7e097e209bfcef8f11ff319fc5d2953fa436875b

    • SHA256

      3d29d9e8dd685c045d594a530a29c873b9d6c1957e9616675a0087746d592fa9

    • SHA512

      83fbf17fcf72f023f71a68583acdfcd65eeb8702c09f90d10af6e284eb400ce49802a3d26492e6cddc2406aadfdc1f6d14f01c7fc6498b6d2b836f60c81d3d67

    • SSDEEP

      3072:9pAXRLFm5rv1Wqu9r1RRbgz/hdcJ0XWLtSvi6dzRov5dMWv4yqF:+RLF8Bux5grI9c6DTMPyi

    Score
    1/10
    • Target

      163.5.169.28/SCAN-atoletter3.hta

    • Size

      1.1MB

    • MD5

      65a82ba108814502f8de8f9c918c1637

    • SHA1

      81bb281aff6d485787f79558b2433a529af5d53b

    • SHA256

      dceca8e7f6baca5bd3417c0e05a1e9e934a0c72fe36c79fd3aca451ea2168d76

    • SHA512

      477a94c061e96c5b8cdc256e746eb9dbd57339c93bcbd90bb66e2b6d21a7ff9e35b3b0ac7eac7a4c2b308306b06178060c38bce1470f5d94af32d07a97ce2621

    • SSDEEP

      1536:MUQr+podgEt/pvBYwPBONWBImr/l1vcmafSIm+lIWFWY7Cy5h7OIxeZeDG52VP+q:ArooW8vhXBHuV

    Score
    10/10
    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      163.5.169.28/SCAN-atoletter3.pdf

    • Size

      169KB

    • MD5

      bcb62044282191bb5294c1435de71a18

    • SHA1

      69eaa574d9b0118424c7b204724351811aa0c015

    • SHA256

      354993c4965d7445b37c6b256f4c1c5c2086c0b1ec5736b9f179bcd6387a194f

    • SHA512

      d2737e5418b4bf0ec7ad736cb4707516e702667f57da1ead88cd0f012f188b087fca8520bb1fb9881356bc920027b177349905a2150784bbf79d039eb3c0e6ad

    • SSDEEP

      3072:AvVr51Wqu9r1RRVgz/hdcJ0XWLtSsi6dzRov5dMWP4y0LUy:8BuxHgrI9cLDTMPyo3

    Score
    1/10
    • Target

      163.5.169.28/SCAN-atoletter4.hta

    • Size

      1.1MB

    • MD5

      4bde59d84e71c0ff88901e353dbe3eec

    • SHA1

      3000483b2add41716148b8e11fa283f6db6a9cf1

    • SHA256

      992820187d1f871cb816dfb5839c0a71dfde38626d6947b4d912d04cf585454d

    • SHA512

      38a11e2bbba9b26f5651d09f072109cb1b77717c53322a47147e1560016d409c528639be48f2044f038a6b24bad5cf0df200a83ca80c5a27d49fe5b91ecbb0b4

    • SSDEEP

      1536:sSdyqS4pxRNGWLPcX/WhEdbVhtmr/l1vcmafSIm+lIWFXvD+v/j53mD0QMYPhgg9:ldHzpxdPcPWhqxki

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      163.5.169.28/SCAN-atoletter4.pdf

    • Size

      170KB

    • MD5

      6959cdb24cc37e1a25fcf1b9aed58fcc

    • SHA1

      0659f4eb013280e21a057fa1c3843d4c0043ff90

    • SHA256

      753a2e33fc19c1436650f392c23429728a97f4c941bd5493bc227ab04f6f231d

    • SHA512

      b56f3c8584d30edcad363d1dc283c8b9edc0d13b4eb68755940f5400a6ea050a27677a1b744a0af1e7bf9ea8ff3af75a9991c20c153dbae0e64eafb3a863886d

    • SSDEEP

      3072:ccAr61Wqu9r1RRrgz/hdcJ0XWLtSCi6dzRov5dMWm4yyLUQ:TBuxBgrI9cJDTMEyK9

    Score
    1/10
    • Target

      163.5.169.28/SCAN-atoletter5.hta

    • Size

      1.1MB

    • MD5

      415d6911c9a6e92b5d3f050668592357

    • SHA1

      3f5ddfb1475a25201e443c61e31382100e8ddbae

    • SHA256

      87b6bcaa19c9631310bb28100e1ed2c9f2b982fa5aaef48186da150d8d1c4ac3

    • SHA512

      6b322e26c4724efa648713c665d6eddc4f2191d9f3a7764076ae8fc8d5f13fd2301238e7aade65b49db71b0ecadd9333af42cfa7e98ae54b554a99eafc45a055

    • SSDEEP

      1536:zA8mj3XPCeaTTQT7L/1rTrZwsvCPA68WStimr/l1vcmafSIm+lIWFiWCK4vLwwlY:zA8mrfFITQTH/1rTrZ/CPArtQ

    Score
    10/10
    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      163.5.169.28/SCAN-atoletter5.pdf

    • Size

      169KB

    • MD5

      c5de2a211a2580c04d1b5349651d3e4a

    • SHA1

      81a25e710c7dc63b10220dbdf39dc48ff11da5f3

    • SHA256

      57b4117e2cf9ab76ed554c2bbf192b9868b94202ad5aaff05a593cf3d4630f85

    • SHA512

      ad3fead8c0e7820e008bdd9f90b443a20eab0dde9d51a1035e8b40f070d7e381e641a8ae00911bc8c0a4a8e341a9a73e3ee133b78abddbbb442f00ce28efd51d

    • SSDEEP

      3072:NPAr51Wqu9r1RRVgz/hdcJ0XWLtSsi6dzRov5dMWP4y0LUD:UBuxHgrI9cLDTMPyoC

    Score
    1/10
    • Target

      163.5.169.28/ato_letter2.hta

    • Size

      1.1MB

    • MD5

      54ff1471d93aa84c94efd8cbae4c6c78

    • SHA1

      11c7d8cd8e02b27aee846c353c32b114a7daa3bf

    • SHA256

      e1869d3a88c9190cf43014e3cb48562fc220ff7f6d5baed77c7dfa1c84c5d530

    • SHA512

      5eed6c7f0ffc27e96349fa8fc7c959e87ff35561da2b811f2e59c0fa0bd42f53debd4079da4c1df133b8211c38ef48f03b3f8b5471370bcf6ed79d240fdde804

    • SSDEEP

      1536:SwxapK31kELNEZ1fos0mr/l1vcmafSIm+lIWFR9UU5gou0gQixFaVEYkEOvMXu+f:SOapK31RBEDws7g

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      163.5.169.28/atoletter.hta

    • Size

      1.1MB

    • MD5

      47b67f1ef2ff1967fd6eee7f2eee2a79

    • SHA1

      e53cecf356df43405a19daf75ff5dcfd8b44f2ce

    • SHA256

      6c4beabd874f9b38209eb0cc585fc19407edc997ffb0bf0897c34bf4552f5194

    • SHA512

      d9586f412e0a9cecc5909cde9391def8c338ca086ba506366076816f6a4ce8309176e884a133bc11bec731bf1d9bf3b027e42ef6a49b545b000ffee60c6d42b9

    • SSDEEP

      1536:jxr5/6p/OpbQEcQIKdquZcod/zA4l2ZFmr/l1vcmafSIm+lIWFeQnoxLPCQwkcUC:jxV6JsMEcQIQZcod/c4K

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      163.5.169.28/atoletter2.hta

    • Size

      1.1MB

    • MD5

      3aa22e06354205638a0560dfd95ba73d

    • SHA1

      bd77bf64a070a8f233197e2db3cdef0879cc446d

    • SHA256

      8867f18c416e402fa6c470e2fa207e2ff1809b69a450356bd8a8c854edea4dd5

    • SHA512

      ce75e12481f9840666fc783bed155779d75845e0b81f5679dd5ea801ad359527b389b611ca11eda321fb28d77dc10089ebf073c41aa00e51b921ea0cc1c28b8b

    • SSDEEP

      1536:qb0rlgqoroRgFUnAFzUbVlt9Ci5namr/l1vcmafSIm+lIWFjBoOuqpd2eWSFU4ww:qb0rlmrkgFUnAFgbVLFnG

    Score
    3/10
    • Target

      163.5.169.28/binary.gif

    • Size

      246B

    • MD5

      96bd4beed88ff93356586485c13e5d89

    • SHA1

      399c2bc3d5ec4fdb4c7a597afdf19eeb64cbdf2d

    • SHA256

      8a31e7855292e0a8c66c67ff92ea660743006d47de9f012193cbd123a17ba79d

    • SHA512

      069a292c7e5d2e8d76964e901f4922ae8948151c235436cf8abc67e84011f983cd052142381b8d3c7a417f42b06797a6a226da48155d5905e7d92c9847b346cd

    Score
    1/10
    • Target

      163.5.169.28/blank.gif

    • Size

      148B

    • MD5

      19517fb39a31be6b8d7ccf53ad84908f

    • SHA1

      ebbcfdc6acc99f7aac3bf7fe72bc55f07f03f7e9

    • SHA256

      3cb0e54babf019703fe671a32fcc3947aab9079ec2871cf0f9639245cc12d878

    • SHA512

      be752ff4c7aa3ab46fdbd93555a17e422e7c8b8661f40f899f51ec9393b510dcb2e66436a4f2c78a42af77dd95e01a3438c88cfaa3e0b02694c1912d5294ee16

    Score
    1/10
    • Target

      163.5.169.28/cmd.exe

    • Size

      283KB

    • MD5

      8a2122e8162dbef04694b9c3e0b6cdee

    • SHA1

      f1efb0fddc156e4c61c5f78a54700e4e7984d55d

    • SHA256

      b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

    • SHA512

      99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

    • SSDEEP

      6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT

    Score
    1/10
    • Target

      163.5.169.28/cmt.exe

    • Size

      8KB

    • MD5

      dc0d40579447b035d980cf0b8cd7667c

    • SHA1

      c907f983cb27d5caec6c941e0712afcc973487d0

    • SHA256

      36ed94fb9f8ef3f5cbf8494ff6400d0be353ae7c223ed209bd85d466d1ba1ff7

    • SHA512

      ed37522b52b617877b5e5f7023a0138baf396c0b33393d6155dbb6bfa4b3347b737e5493cbde634fa1937d0094a7b9b543929e6f32b35331a8c6dc838f38d51b

    • SSDEEP

      96:5g48vbNEbfZlmg9fVFBHDqPkNR0bejUoKKeyDvYKx4YG4qyZQFq+zNt:5ghJufi6tXy20Kj2KeyDQKqYXqMQMY

    Score
    1/10
    • Target

      163.5.169.28/fd1.exe

    • Size

      649KB

    • MD5

      b9a42052c81229de87b90370c7e8ef56

    • SHA1

      8253ef8fe65f68ea7e0cc11bcdc06ec91c8d3290

    • SHA256

      2799308c4b285f662d2954b3d9900951d74ae0cdde04b80ff865221817103f3b

    • SHA512

      0e6a1b3d66c2401f8b8d5f8b2cae7d4912fa73565faf4c21686caa63a0d81eda952d6070edb57e7577c15c896caff3e52a6671713cfaa13ed21bab7accb86755

    • SSDEEP

      12288:tOSF/ZdMP5WlYj6Fs/HI6C96D7cyTZ33a33S333333dkS9Jy9:tLrMPkDFB6+2NkeO

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

pdflinkxwormzgrat
Score
10/10

behavioral1

Score
3/10

behavioral2

Score
8/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
3/10

behavioral6

asyncratdefaultrat
Score
10/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
3/10

behavioral10

Score
7/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
3/10

behavioral14

asyncratdefaultrat
Score
10/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
3/10

behavioral18

Score
7/10

behavioral19

Score
3/10

behavioral20

Score
8/10

behavioral21

Score
3/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

asyncratdefaultpersistencerat
Score
10/10

behavioral32

asyncratdefaultpersistencerat
Score
10/10