General

  • Target

    8a6f75426c02db73affeb070b56bebcbfb8769387dfc15f94018ffc1f63d3938.zip

  • Size

    13.6MB

  • Sample

    240619-bxs7ca1eqf

  • MD5

    cbd5231b3d8bd511ab28c10b0082c126

  • SHA1

    f9764513b8fef61561fbfae0a2c575190bbf136c

  • SHA256

    8a6f75426c02db73affeb070b56bebcbfb8769387dfc15f94018ffc1f63d3938

  • SHA512

    8485b591db278395b143d7c2e1bacb177ec67117e779b6065513e9ec714c2d3eeefebeb3b3afcbd6221df3a949afe790e25956f89a3d7431041ab169d32a39cb

  • SSDEEP

    196608:VfE7Wp1+IZGzaIWCTWOynhtcLNtFC3Azdxg/rXI+TleGqSYNEa7bNL8nXGIFf743:a7frJynHcnswWdPoXfaXT7IfW+

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

C2

72.5.43.15:4449

Mutex

yezcydjwbxouz

Attributes
  • delay

    1

  • install

    true

  • install_file

    win.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      runtime.exe

    • Size

      73KB

    • MD5

      4fa7b1eec1fc84eb3a13c29e5a37aae7

    • SHA1

      dfff9fceeb4d74d7e82f9f0a65d1889fa0f9e326

    • SHA256

      5f5aa560b9b2d9f7ea3b9a4e05b9b9b35107dc78bd763000fe05f6b3f998f311

    • SHA512

      5e36a5589499a3db56d78de1b66a9ee57a2972bc57bf4b915df9118fd2a584c74ba00c61531d922431b72e87f9c53585c4c1a78a2aba122a22ea5e3603aa06ba

    • SSDEEP

      1536:KIUme0cxdlOH4PAI7Bn3h36rAi8EjZUPMwC/eqmmRhdWVH1bfbfPmjmwzUYbVclN:KIUm3cxdlOH4YI7Bn3h36rAi8EVUPMwv

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      win5.exe

    • Size

      13.8MB

    • MD5

      887ee63442c8ee2604ba02d5c5770069

    • SHA1

      1ed501df3fc3d4d58df2369a9195959b0e875597

    • SHA256

      e47b6c6eff46ef74daad65e7f84d70d1e713de4b6f6dda4be06708d8dae61339

    • SHA512

      c2fa7a25e7ed143ca1185089275c521c2dd26cb9a15b4378caa5111f9c34807486946a6490586498eafbc904ecd3b027e92dbd3f76c855cea0401da69bafedd1

    • SSDEEP

      196608:gYFgX7miZ0sKYu/PaQqtG7fpDOjmFpMRxtYSHdKiy4kdai7bN3mDRIIBR+CaW5LS:/FDQQYGVKKSphMB3Q1zDvp+

    Score: 7/10
    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                       ID         Count
  Execution             Scheduled Task/Job              T1053      1
  Execution             Scheduled Task                  T1053.005  1
  Persistence           Scheduled Task/Job              T1053      1
  Persistence           Scheduled Task                  T1053.005  1
  Privilege Escalation  Scheduled Task/Job              T1053      1
  Privilege Escalation  Scheduled Task                  T1053.005  1
  Credential Access     Unsecured Credentials           T1552      2
  Credential Access     Credentials In Files            T1552.001  2
  Discovery             Query Registry                  T1012      3
  Discovery             System Information Discovery    T1082      2
  Discovery             Remote System Discovery         T1018      1
  Collection            Data from Local System          T1005      2

Tasks