General

  • Target

    b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953.cmd

  • Size

    6KB

  • Sample

    240524-b2x14agg84

  • MD5

    7b90a6964decffe69d5a3f43d4285498

  • SHA1

    9e2982f4c58624952f26322fd7eff379af540586

  • SHA256

    b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953

  • SHA512

    f95ac4691adb65fe56c981567c2ea79bb786f38305ae0280da1c41f48c7f34d72fdc22737835096046590036353ec33295f1c6378987f1d9354356accd650b68

  • SSDEEP

    96:Svgs1WudsEONjKlXPi3+mB0AT1DLkHjXTIo6wwPtsRmNga74vGyr:SN0ysEOKjMlTxiDEwqtLNga0N

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

xvern429.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953.cmd

    • Size

      6KB

    • MD5

      7b90a6964decffe69d5a3f43d4285498

    • SHA1

      9e2982f4c58624952f26322fd7eff379af540586

    • SHA256

      b84eb711989fbe9e0ff3ec874b5a0dac33655d27929fdce619ea94a35dca8953

    • SHA512

      f95ac4691adb65fe56c981567c2ea79bb786f38305ae0280da1c41f48c7f34d72fdc22737835096046590036353ec33295f1c6378987f1d9354356accd650b68

    • SSDEEP

      96:Svgs1WudsEONjKlXPi3+mB0AT1DLkHjXTIo6wwPtsRmNga74vGyr:SN0ysEOKjMlTxiDEwqtLNga0N

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Detects executables attempting to enumerate video devices using WMI

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 1

  • PowerShell (T1059.001): 1

Tasks