Overview

overview

10

Static

static

1

Invoice.pd...ad.lnk

windows7-x64

10

Invoice.pd...ad.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Invoice.pdf.download.lnk

  • Size

    148KB

  • Sample

    240516-rxzxwshc6v

  • MD5

    d39a73de9f109e3dba408e9481998206

  • SHA1

    30651dada81443db0fde9c3a336955d27b6d9024

  • SHA256

    84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30

  • SHA512

    09c8954ecabbeb36aeb8804858168eb1448f5894c1641a1ba5311f2b33aaeb24814734d0b1f7e777f22910c53bb9df500801907a603d8d71fba139705f444d61

  • SSDEEP

    24:8WEe6Dz358m+pyAWkr+/4x+sPxZvBG0qdd79ds/Z6U/ab9Q9qFBm:8WENDzKvZbnvBG7dJ9A6U/a5QW

Score
10/10
asyncratdefaultdiscoverypersistencerat

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice

Extracted

Language
hta
Source
URLs
hta.dropper

https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

C2

94.156.69.161:8900

94.156.69.161:4443

94.156.69.163:8900

94.156.69.163:4443

94.156.69.164:8900

94.156.69.164:4443

94.156.69.165:8900

94.156.69.165:4443

94.156.69.166:8900

94.156.69.166:4443

91.92.248.82:8900

91.92.248.82:4443

91.92.251.136:8900

91.92.251.136:4443

91.92.251.153:8900

91.92.251.153:4443

91.92.251.159:8900

91.92.251.159:4443

91.92.251.179:8900

91.92.251.179:4443
Mutex

sqhylkrhlwjrecxiv

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Invoice.pdf.download.lnk

    • Size

      148KB

    • MD5

      d39a73de9f109e3dba408e9481998206

    • SHA1

      30651dada81443db0fde9c3a336955d27b6d9024

    • SHA256

      84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30

    • SHA512

      09c8954ecabbeb36aeb8804858168eb1448f5894c1641a1ba5311f2b33aaeb24814734d0b1f7e777f22910c53bb9df500801907a603d8d71fba139705f444d61

    • SSDEEP

      24:8WEe6Dz358m+pyAWkr+/4x+sPxZvBG0qdd79ds/Z6U/ab9Q9qFBm:8WENDzKvZbnvBG7dJ9A6U/a5QW

    Score
    10/10
    asyncratdefaultdiscoverypersistencerat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks