General
-
Target
https://cdn.discordapp.com/attachments/1244465534632726578/1245514727015317616/BetterSolara.exe?ex=6659077b&is=6657b5fb&hm=e26d0e12d909ec9eeb42aa75cdaecf0a3a55d049f8343bd2566f809b567aa6d6&
-
Sample
240529-3zkfrseg4z
Malware Config
Extracted
asyncrat
5.0.5
Venom Clients
127.0.0.1:2000
127.0.0.1:3069
taking-headquarters.gl.at.ply.gg:2000
taking-headquarters.gl.at.ply.gg:3069
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
-
delay
1
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1244465534632726578/1245514727015317616/BetterSolara.exe?ex=6659077b&is=6657b5fb&hm=e26d0e12d909ec9eeb42aa75cdaecf0a3a55d049f8343bd2566f809b567aa6d6&
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1