Overview

overview

10

Static

static

3

3642ef9a11...0b.exe

windows7-x64

10

3642ef9a11...0b.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-04-2024 20:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3642ef9a1154a7507ebe7dc1bc8f7f64fd367ffb7385a2861f25ab841bd1b60b.exe

  • Size

    9.9MB

  • MD5

    17a854efbb5ef05cf85476190e14cc3e

  • SHA1

    cd8badff5bb40d04517e7e6a74a92652edeef86a

  • SHA256

    3642ef9a1154a7507ebe7dc1bc8f7f64fd367ffb7385a2861f25ab841bd1b60b

  • SHA512

    7bfdad56e9a0515c254e03f3baf6c309deaad82fa650aad513dfd9098b5f9f4bc0dad9f1915719535fd6a324d5adfd69c73daaf8e233c303f9513df9e281d05e

  • SSDEEP

    196608:mgkMXNp5P2UvkgWHeFQ8rX7K//mqV3EVjW3g22ZVyA1qRQr3LG72mmjet3d:jkSNnpsHH8rX6l3UjxVy2qq3LGKmmjer

Score
10/10
asyncratguloadervenom clientsdownloaderpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

markvenm2.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Detects executables attemping to enumerate video devices using WMI 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3642ef9a1154a7507ebe7dc1bc8f7f64fd367ffb7385a2861f25ab841bd1b60b.exe
    "C:\Users\Admin\AppData\Local\Temp\3642ef9a1154a7507ebe7dc1bc8f7f64fd367ffb7385a2861f25ab841bd1b60b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Program Files (x86)\windows mail\wab.exe
      "C:\Users\Admin\AppData\Local\Temp\3642ef9a1154a7507ebe7dc1bc8f7f64fd367ffb7385a2861f25ab841bd1b60b.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cambo.ini
    Filesize

    29B

    MD5

    b0b48e88b7bb6b2acaf033d8faf5a7a2

    SHA1

    286ded38aa1e86b6e63748b23c169bae4c004dfe

    SHA256

    5ca7ff309ec26fe20d31a18ca66c4e8f467f743305443f0aa97c30a3b365d645

    SHA512

    2221c6abb8ded4e53115b899a5781a909db893f399f90ee6e126d3aec3581a220d0e647921968757095421924d0412bcdf23918bbeb314ca45e3300c58d96199

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cambo.ini
    Filesize

    29B

    MD5

    c32a808d0983d9dde63ca2cdec8b78d9

    SHA1

    d500992002ab215b704c747349d922969b977262

    SHA256

    4d0bca4f8cd5838efc2f59284bf3372290bd8db19f0b64c20878ebf07afa366f

    SHA512

    2227d900c2e2c929f1e0008ca44f9f42c477a288cd11edfd3371ea824365253973e29f7a4e67d3b007cc2612b93d85ede9032e293aed4c98b13ec8c6e06a9f35

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cambo.ini
    Filesize

    29B

    MD5

    7e2ed1d7d499f2799f27e16605a95e24

    SHA1

    9a182c49a9839df2e5fde10b8237d25b199c503c

    SHA256

    05d18795c3921c971fd931fe0140f2c871ed7128b025779a97b7b2a4c2a16206

    SHA512

    e66829a3f2ff5e969c26578cf5b0219454386eb69639f36dfaa0dcf10747a8e69ea7e2fe1954d59a987b304cbcbd9449a5914fd6f0634b3dc526b5c473c9e880

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cambo.ini
    Filesize

    29B

    MD5

    3fc0f0665cbc24cd31df6a4e5f3a488e

    SHA1

    9d7a88d953c337c434b74a2b5e964c39ae6816c6

    SHA256

    ef03e40f283098deb0ea71dd7914f98afb2dbcb124184bd283a61c73a422f0a0

    SHA512

    1fc4e2263ac20fad8a8cdc1901284d586e4db3f150f4332629735167a2e58580e2ef527229d9fd0f7e8aa12102c3907658f884b1e3ee4bb2cc5f3daf3ca47ac5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsi4FA7.tmp\System.dll
    Filesize

    12KB

    MD5

    8cf2ac271d7679b1d68eefc1ae0c5618

    SHA1

    7cc1caaa747ee16dc894a600a4256f64fa65a9b8

    SHA256

    6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

    SHA512

    ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

    Download Submit
  • memory/1712-191-0x0000000004370000-0x000000000639D000-memory.dmp
    Filesize

    32.2MB

    Download
  • memory/1712-192-0x0000000077D41000-0x0000000077E61000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1712-193-0x0000000074990000-0x0000000074997000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1712-208-0x0000000004370000-0x000000000639D000-memory.dmp
    Filesize

    32.2MB

    Download
  • memory/1712-195-0x0000000004370000-0x000000000639D000-memory.dmp
    Filesize

    32.2MB

    Download
  • memory/4624-205-0x0000000000CC0000-0x0000000001F14000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/4624-211-0x0000000036340000-0x0000000036350000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4624-196-0x0000000077D41000-0x0000000077E61000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/4624-194-0x0000000001F20000-0x0000000003F4D000-memory.dmp
    Filesize

    32.2MB

    Download
  • memory/4624-207-0x0000000000CC0000-0x0000000000CD6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/4624-209-0x00000000720E0000-0x0000000072890000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4624-210-0x0000000001F20000-0x0000000003F4D000-memory.dmp
    Filesize

    32.2MB

    Download
  • memory/4624-197-0x0000000077DC8000-0x0000000077DC9000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4624-212-0x0000000077DA1000-0x0000000077DA2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4624-213-0x0000000036530000-0x00000000365CC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4624-214-0x0000000036B80000-0x0000000037124000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4624-215-0x00000000365D0000-0x0000000036636000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4624-217-0x0000000077D41000-0x0000000077E61000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/4624-219-0x00000000720E0000-0x0000000072890000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4624-220-0x0000000036340000-0x0000000036350000-memory.dmp
    Filesize

    64KB

    Download