General
Target: INV-ER002.vbs
Size: 38KB
Sample: 240129-yxkxasbchn
MD5: e4cf2f2811c2de24cb7d166763201396
SHA1: 955e80013bb693230c2b5166f46e1076d7beffb1
SHA256: 2e51701300c4979eced495d5ee72eba92978e05b60d6ca4634f73ac549815090
SHA512: c0ab959a2d982cfe58ea239e1282f550d833da12e38966d747f71dc0192be3e7c0d58a313845b4ee13e3f906f17a98cb81701d138fdbce9ebd84942d8f62de57
SSDEEP: 768:tWiG+bT8EVgGoCvzbZwR9+/CmCRYMcOyVtC8aqcoLSBxhEAs:cicCoIb+/fRRcVU8+BxhEAs
Static task: static1
Behavioral task: behavioral1
  Sample: INV-ER002.vbs
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: INV-ER002.vbs
  Resource: win10v2004-20231215-en
Malware Config
Extracted: asyncrat 5.0.5
Venom Clients: markvenm2.duckdns.org:8890
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
delay: 1
install: false
install_folder: %AppData%
Targets
Target: INV-ER002.vbs
- Async RAT payload
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext