General

  • Target

    cbd5231b3d8bd511ab28c10b0082c126.bin

  • Size

    13.6MB

  • Sample

    240620-ek2jqsxfme

  • MD5

    6b0f8ec8a67d3fa0d8ef9ceb96e4f817

  • SHA1

    e2cad65dc626623a0a2625545559d64b10200c0b

  • SHA256

    4100080f2d95ae5c262d029b1406ae5d037ab8a07035a8b9eedadb07071dbb21

  • SHA512

    623b6806554db7fe2f625e526e532a48683f2462d134385361b2bfbb3dbe46db581a4b92f6ea17446b2099416ad33132732bfeb302dad500b29429a8b2906b25

  • SSDEEP

    393216:kC0PvF+k0LqKZfks0OwkkpJagOUfL4hESMQM79dEpJ:90PvFKfosgOUz4hE8Ms7

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    Venom RAT + HVNC + Stealer + Grabber v6.0.2

  • Botnet

    Default

  • C2

    72.5.43.15:4449

  • Mutex

    yezcydjwbxouz

Attributes
  • delay

    1

  • install

    true

  • install_file

    win.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      runtime.exe

    • Size

      73KB

    • MD5

      4fa7b1eec1fc84eb3a13c29e5a37aae7

    • SHA1

      dfff9fceeb4d74d7e82f9f0a65d1889fa0f9e326

    • SHA256

      5f5aa560b9b2d9f7ea3b9a4e05b9b9b35107dc78bd763000fe05f6b3f998f311

    • SHA512

      5e36a5589499a3db56d78de1b66a9ee57a2972bc57bf4b915df9118fd2a584c74ba00c61531d922431b72e87f9c53585c4c1a78a2aba122a22ea5e3603aa06ba

    • SSDEEP

      1536:KIUme0cxdlOH4PAI7Bn3h36rAi8EjZUPMwC/eqmmRhdWVH1bfbfPmjmwzUYbVclN:KIUm3cxdlOH4YI7Bn3h36rAi8EVUPMwv

    • AsyncRat

      AsyncRAT is a remote access tool written in C# that is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      win5.exe

    • Size

      13.8MB

    • MD5

      887ee63442c8ee2604ba02d5c5770069

    • SHA1

      1ed501df3fc3d4d58df2369a9195959b0e875597

    • SHA256

      e47b6c6eff46ef74daad65e7f84d70d1e713de4b6f6dda4be06708d8dae61339

    • SHA512

      c2fa7a25e7ed143ca1185089275c521c2dd26cb9a15b4378caa5111f9c34807486946a6490586498eafbc904ecd3b027e92dbd3f76c855cea0401da69bafedd1

    • SSDEEP

      196608:gYFgX7miZ0sKYu/PaQqtG7fpDOjmFpMRxtYSHdKiy4kdai7bN3mDRIIBR+CaW5LS:/FDQQYGVKKSphMB3Q1zDvp+

    Score
    7/10
    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                      ID          Count
  Execution             Scheduled Task/Job             T1053       1
  Execution             Scheduled Task                 T1053.005   1
  Persistence           Scheduled Task/Job             T1053       1
  Persistence           Scheduled Task                 T1053.005   1
  Privilege Escalation  Scheduled Task/Job             T1053       1
  Privilege Escalation  Scheduled Task                 T1053.005   1
  Credential Access     Unsecured Credentials          T1552       2
  Credential Access     Credentials In Files           T1552.001   2
  Discovery             Query Registry                 T1012       3
  Discovery             System Information Discovery   T1082       2
  Discovery             Remote System Discovery        T1018       1
  Collection            Data from Local System         T1005       2

Tasks