Overview

overview

10

Static

static

1

INV-ER002.vbs

windows7-x64

3

INV-ER002.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    INV-ER002.vbs

  • Size

    38KB

  • Sample

    240129-yxkxasbchn

  • MD5

    e4cf2f2811c2de24cb7d166763201396

  • SHA1

    955e80013bb693230c2b5166f46e1076d7beffb1

  • SHA256

    2e51701300c4979eced495d5ee72eba92978e05b60d6ca4634f73ac549815090

  • SHA512

    c0ab959a2d982cfe58ea239e1282f550d833da12e38966d747f71dc0192be3e7c0d58a313845b4ee13e3f906f17a98cb81701d138fdbce9ebd84942d8f62de57

  • SSDEEP

    768:tWiG+bT8EVgGoCvzbZwR9+/CmCRYMcOyVtC8aqcoLSBxhEAs:cicCoIb+/fRRcVU8+BxhEAs

Score
10/10
asyncratguloadervenom clientsdownloaderpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

markvenm2.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      INV-ER002.vbs

    • Size

      38KB

    • MD5

      e4cf2f2811c2de24cb7d166763201396

    • SHA1

      955e80013bb693230c2b5166f46e1076d7beffb1

    • SHA256

      2e51701300c4979eced495d5ee72eba92978e05b60d6ca4634f73ac549815090

    • SHA512

      c0ab959a2d982cfe58ea239e1282f550d833da12e38966d747f71dc0192be3e7c0d58a313845b4ee13e3f906f17a98cb81701d138fdbce9ebd84942d8f62de57

    • SSDEEP

      768:tWiG+bT8EVgGoCvzbZwR9+/CmCRYMcOyVtC8aqcoLSBxhEAs:cicCoIb+/fRRcVU8+BxhEAs

    Score
    10/10
    asyncratguloadervenom clientsdownloaderpersistencerat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks