General
Target: win10.zip
Size: 14.5MB
Sample: 240729-fmr9hsybkf
MD5: 902aa8d1b070f89752a003b87acd57a4
SHA1: 6ee72c2177abb3ccb56993eb0c0bf3314661fe19
SHA256: 262591e77da99450016dfd15ab19d5f84e577f567d47e15ebe4f7dbe935980ef
SHA512: 28ce31a3bd969c66bfbe0c42eaafd2f4b0ad7d0506f04c0019138832747c733a4021cb054bfe9c43425fa675b1a73bd4ceaa3040a7b865e58af5e74c20bdb91d
SSDEEP: 196608:4VwtD6iNUrQugPvUAzPftWvLiKlyHE3t2Dp3aI/HYs+AK/467vl3ilH2PZd3Bnwv:4VLqMAzFWDQkmT/IlD09yb0vuBI
Behavioral task: behavioral1
Sample: runtime.exe
Resource: win10v2004-20240709-en
Behavioral task: behavioral2
Sample: win10.exe
Resource: win10v2004-20240709-en
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.2
Default
72.5.43.15:4449
yezcydjwbxouz
delay: 1
install: true
install_file: win.exe
install_folder: %AppData%
Targets
Target: runtime.exe
Size: 73KB
MD5: 4fa7b1eec1fc84eb3a13c29e5a37aae7
SHA1: dfff9fceeb4d74d7e82f9f0a65d1889fa0f9e326
SHA256: 5f5aa560b9b2d9f7ea3b9a4e05b9b9b35107dc78bd763000fe05f6b3f998f311
SHA512: 5e36a5589499a3db56d78de1b66a9ee57a2972bc57bf4b915df9118fd2a584c74ba00c61531d922431b72e87f9c53585c4c1a78a2aba122a22ea5e3603aa06ba
SSDEEP: 1536:KIUme0cxdlOH4PAI7Bn3h36rAi8EjZUPMwC/eqmmRhdWVH1bfbfPmjmwzUYbVclN:KIUm3cxdlOH4YI7Bn3h36rAi8EVUPMwv
- Async RAT payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
Target
win10.exe
-
Size
14.7MB
-
MD5
eba7aa775fcfec357583fd4803fa60d2
-
SHA1
94a3667f7b137e305aa45fb9d2cd3578fca8255b
-
SHA256
e69138b703cdc4bf16367c468b9af1b5b7b56dbe2331ca1c34b46f7bad43ffe4
-
SHA512
e0b8e105faa612287b6078f932ba5dce74af5489533d29104de198638c905391c7a0009f18e02dc148ace84ff0f7e283cd307f95234ebe6c59e628e99935641f
-
SSDEEP
196608:I3FgX7miZ0sKYu/PaQqtG7fo0DOjmFpMRxtYSHdKiy4kdai7bN3mDRIF+8L7nakh:mFDQQYGfKKSphMB3Q1EDfPpd
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution: 1
- Netsh Helper DLL: 1
- Scheduled Task/Job: 1
- Scheduled Task: 1
Privilege Escalation
- Event Triggered Execution: 1
- Netsh Helper DLL: 1
- Scheduled Task/Job: 1
- Scheduled Task: 1
Credential Access
- Credentials from Password Stores: 1
- Credentials from Web Browsers: 1
- Unsecured Credentials: 3
- Credentials In Files: 3