General

  • Target

    3642ef9a1154a7507ebe7dc1bc8f7f64fd367ffb7385a2861f25ab841bd1b60b

  • Size

    9.9MB

  • Sample

    240414-zc2vrafg9s

  • MD5

    17a854efbb5ef05cf85476190e14cc3e

  • SHA1

    cd8badff5bb40d04517e7e6a74a92652edeef86a

  • SHA256

    3642ef9a1154a7507ebe7dc1bc8f7f64fd367ffb7385a2861f25ab841bd1b60b

  • SHA512

    7bfdad56e9a0515c254e03f3baf6c309deaad82fa650aad513dfd9098b5f9f4bc0dad9f1915719535fd6a324d5adfd69c73daaf8e233c303f9513df9e281d05e

  • SSDEEP

    196608:mgkMXNp5P2UvkgWHeFQ8rX7K//mqV3EVjW3g22ZVyA1qRQr3LG72mmjet3d:jkSNnpsHH8rX6l3UjxVy2qq3LGKmmjer

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

markvenm2.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      3642ef9a1154a7507ebe7dc1bc8f7f64fd367ffb7385a2861f25ab841bd1b60b

    • Size

      9.9MB

    • MD5

      17a854efbb5ef05cf85476190e14cc3e

    • SHA1

      cd8badff5bb40d04517e7e6a74a92652edeef86a

    • SHA256

      3642ef9a1154a7507ebe7dc1bc8f7f64fd367ffb7385a2861f25ab841bd1b60b

    • SHA512

      7bfdad56e9a0515c254e03f3baf6c309deaad82fa650aad513dfd9098b5f9f4bc0dad9f1915719535fd6a324d5adfd69c73daaf8e233c303f9513df9e281d05e

    • SSDEEP

      196608:mgkMXNp5P2UvkgWHeFQ8rX7K//mqV3EVjW3g22ZVyA1qRQr3LG72mmjet3d:jkSNnpsHH8rX6l3UjxVy2qq3LGKmmjer

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Detects executables attempting to enumerate video devices using WMI

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      8cf2ac271d7679b1d68eefc1ae0c5618

    • SHA1

      7cc1caaa747ee16dc894a600a4256f64fa65a9b8

    • SHA256

      6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

    • SHA512

      ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

    • SSDEEP

      192:BenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XB9IwL:B8+Qlt70Fj/lQRY/9VjjlL

    Score
    3/10

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                  Technique (ID)                                    Matches
Persistence             Boot or Logon Autostart Execution (T1547)         1
                        Registry Run Keys / Startup Folder (T1547.001)    1
Privilege Escalation    Boot or Logon Autostart Execution (T1547)         1
                        Registry Run Keys / Startup Folder (T1547.001)    1
Defense Evasion         Modify Registry (T1112)                           1
Discovery               System Information Discovery (T1082)              1
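As an added example (not part of the Triage report and not AsyncRAT or VenomRAT tooling), the Python below encodes the indicators listed on this page (C2 host and port, mutex, file hashes, Run-key persistence) and runs them over constructed host telemetry, the way a hunt query would. The event schema (type, query, dest_host, dest_port, name, key, data, path, sha256) is this example's own and not Sysmon's or any EDR's; the eight sample events are made up. ATT&CK IDs are attached only where the report's matrix assigns them (T1547.001 and T1112 for the Run key); the C2 and mutex hits carry none because the matrix above lists none for them. Note that the extracted config says install false while the behaviour list records a Run key being added, so the Run-key check is kept regardless of what the config claims.

```python
"""Match this report's indicators against normalised host telemetry.

Added example; indicator values are copied from the report, the event
records and field names are constructed for this demo.
"""
import hashlib
import re
from dataclasses import dataclass

# Indicators taken from the report.
C2_HOST = "markvenm2.duckdns.org"
C2_PORT = 8890
MUTEX = "Venom_RAT_HVNC_Mutex_Venom RAT_HVNC"
SAMPLE_HASHES = {
    "md5": "17a854efbb5ef05cf85476190e14cc3e",
    "sha1": "cd8badff5bb40d04517e7e6a74a92652edeef86a",
    "sha256": "3642ef9a1154a7507ebe7dc1bc8f7f64fd367ffb7385a2861f25ab841bd1b60b",
}
# Run / RunOnce under HKCU or HKLM; the "Adds Run key" behaviour (T1547.001).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE
)


@dataclass(frozen=True)
class Hit:
    indicator: str      # which report indicator fired
    attack_ids: tuple   # ATT&CK IDs the report's matrix assigns, () if none
    evidence: str


def fingerprint(data: bytes) -> dict:
    """Hash set in the same algorithms the report lists, for comparing a file on disk."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in SAMPLE_HASHES}


def is_sample(data: bytes) -> bool:
    return fingerprint(data) == SAMPLE_HASHES


def match_event(ev: dict) -> list:
    """Return the Hits one normalised telemetry record produces."""
    hits = []
    kind = ev.get("type")
    if kind == "dns" and ev.get("query", "").rstrip(".").lower() == C2_HOST:
        hits.append(Hit("c2_domain", (), ev["query"]))
    elif kind == "netconn" and ev.get("dest_host", "").lower() == C2_HOST:
        # Any connection to the C2 host is worth a hit; flag the reported port separately.
        port = ev.get("dest_port")
        name = "c2_endpoint" if port == C2_PORT else "c2_host_other_port"
        hits.append(Hit(name, (), f"{C2_HOST}:{port}"))
    elif kind == "mutex" and ev.get("name") == MUTEX:
        hits.append(Hit("mutex", (), ev["name"]))
    elif kind == "registry" and RUN_KEY_RE.search(ev.get("key", "")):
        # The report's matrix maps the Run key to T1547.001 and the write to T1112.
        hits.append(Hit("run_key", ("T1547.001", "T1112"), f"{ev['key']} = {ev.get('data', '')}"))
    elif kind == "file" and ev.get("sha256", "").lower() == SAMPLE_HASHES["sha256"]:
        hits.append(Hit("sample_hash", (), ev.get("path", "")))
    return hits


def hunt(events) -> dict:
    """Run every event through match_event and group the hits by indicator."""
    found = {}
    for ev in events:
        for h in match_event(ev):
            found.setdefault(h.indicator, []).append(h)
    return found


# Constructed telemetry: two benign records and six that correspond to the report.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "update.microsoft.com"},
    {"type": "dns", "query": "MARKVENM2.duckdns.org."},
    {"type": "netconn", "dest_host": "markvenm2.duckdns.org", "dest_port": 8890},
    {"type": "netconn", "dest_host": "markvenm2.duckdns.org", "dest_port": 443},
    {"type": "mutex", "name": "Venom_RAT_HVNC_Mutex_Venom RAT_HVNC"},
    {"type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     "data": "C:\\Users\\x\\AppData\\Roaming\\updater.exe"},
    {"type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "data": "1"},
    {"type": "file", "path": "C:\\Users\\x\\Downloads\\invoice.exe",
     "sha256": SAMPLE_HASHES["sha256"]},
]

if __name__ == "__main__":
    for indicator, hits in hunt(SAMPLE_EVENTS).items():
        for h in hits:
            ids = ",".join(h.attack_ids) or "-"
            print(f"{indicator:20} {ids:18} {h.evidence}")
```

The DNS check strips a trailing dot and lower-cases the name so resolver logs in either form match, and the network check fires on the C2 host at any port, since a reconfigured build or a fallback listener would not have to use 8890.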

Tasks