General
Target: 08b0e2870a7fc2dcd71879d84ff235b6f3b27ed5fa2d320a03821d55ce6d6726.zip
Size: 22.0MB
Sample: 240619-bd91raveln
MD5: 78c12e107561655fed35af72ed4c7400
SHA1: 3668f3cb356f7ddee4e913df652542814531cd89
SHA256: 08b0e2870a7fc2dcd71879d84ff235b6f3b27ed5fa2d320a03821d55ce6d6726
SHA512: 1a32bf0df0e632509db83b7bcc85bb17aafd55adf6f40dcfc6418a3129aa47d7c1ca6783eecb65704ad392a14a666c5a1501635eb6305c88d6b8adba9458ff64
SSDEEP: 393216:O59jOFPfpmDOsL5NlALjjdx+pbd/O8hGDoGFLjsflmtsVeRnNZ:OjOFPBxG53QjpxKG8jGdUstser
Behavioral tasks
behavioral1: Sample win7/runtime.exe, Resource win7-20240220-en
behavioral2: Sample win7/runtime.exe, Resource win10v2004-20240508-en
behavioral3: Sample win7/win5.exe, Resource win7-20240611-en
behavioral4: Sample win7/win5.exe, Resource win10v2004-20240611-en
behavioral5: Sample win7/win6.exe, Resource win7-20240611-en
behavioral6: Sample win7/win6.exe, Resource win10v2004-20240508-en
Malware Config
Extracted: asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.2
Default
72.5.43.15:4449
yezcydjwbxouz
delay: 1
install: true
install_file: win.exe
install_folder: %AppData%
Targets

Target: win7/runtime.exe
Size: 73KB
MD5: 4fa7b1eec1fc84eb3a13c29e5a37aae7
SHA1: dfff9fceeb4d74d7e82f9f0a65d1889fa0f9e326
SHA256: 5f5aa560b9b2d9f7ea3b9a4e05b9b9b35107dc78bd763000fe05f6b3f998f311
SHA512: 5e36a5589499a3db56d78de1b66a9ee57a2972bc57bf4b915df9118fd2a584c74ba00c61531d922431b72e87f9c53585c4c1a78a2aba122a22ea5e3603aa06ba
SSDEEP: 1536:KIUme0cxdlOH4PAI7Bn3h36rAi8EjZUPMwC/eqmmRhdWVH1bfbfPmjmwzUYbVclN:KIUm3cxdlOH4YI7Bn3h36rAi8EVUPMwv

Signatures:
Async RAT payload
Detects executables attempting to enumerate video devices using WMI
Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
Executes dropped EXE
Checks installed software on the system (looks up Uninstall key entries in the registry to enumerate software on the system)
Target: win7/win5.exe
Size: 13.8MB
MD5: 2639068bf1e1de3ccae340e6bee3e548
SHA1: 3eec25d70e72e94085b854a07af032d3e4df7c70
SHA256: d8bbee1d3eee12b9d710cc892d767469578a511a8149ada07a05dfbee89941bf
SHA512: 45ada1b47ab66e2c5f9e9344fd0d2e3b759a738ff4a970138ab8253dd12c55d7fe9cce5a9c3bb23c9c52a7d6d46ff6a0f86381d64bfd19ae8b1b1f222040cb6f
SSDEEP: 196608:ugFgX7miZ0sKYu/PaQqtG7fpDOjmFpMRxtYSHdKiy4kdai7bN3mDRI1p+CbbPlaJ:LFDQQYGVKKSphMB3Q1sDVaJ

Signatures:
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service (uses a legitimate IP lookup service to find the infected system's external IP)
Target: win7/win6.exe
Size: 8.5MB
MD5: 54da1e18625df8635098673f7910ef0a
SHA1: a7093de871853b6b2ee0a506dc2e40d56f2b2cea
SHA256: 0ec75e29acf2a905f1061e1c051bd34ef6ba01e216f8cf0f43db983eb0e6d5a4
SHA512: 1d50dc05bd4e74fbf19bf492ba35111af75167d7822ba866e6557b8fa3090795c990b7ce1fa3a88cba9e315b51b8212fa6e32fcd9ffc1514f007f30d8fa2820f
SSDEEP: 196608:3ZpWwkjiVXF4ckmkXnVFPQ/WQ9pQeHSXhLZmftMbjUFrNWk:3FVV41lFPpQ9GdxMftMbjkN5

Signatures:
Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs
Detects Windows executables referencing non-Windows User-Agents
Detects binaries (Windows and macOS) referencing many web browsers; observed in information stealers
Detects executables containing SQL queries to confidential data stores; observed in infostealers
Detects executables referencing many IR and analysis tools
Detects executables referencing virtualization MAC addresses
Detects executables using Telegram Chat Bot
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service (uses a legitimate IP lookup service to find the infected system's external IP)