General

  • Target

    win10.zip

  • Size

    14.5MB

  • Sample

    240729-fmr9hsybkf

  • MD5

    902aa8d1b070f89752a003b87acd57a4

  • SHA1

    6ee72c2177abb3ccb56993eb0c0bf3314661fe19

  • SHA256

    262591e77da99450016dfd15ab19d5f84e577f567d47e15ebe4f7dbe935980ef

  • SHA512

    28ce31a3bd969c66bfbe0c42eaafd2f4b0ad7d0506f04c0019138832747c733a4021cb054bfe9c43425fa675b1a73bd4ceaa3040a7b865e58af5e74c20bdb91d

  • SSDEEP

    196608:4VwtD6iNUrQugPvUAzPftWvLiKlyHE3t2Dp3aI/HYs+AK/467vl3ilH2PZd3Bnwv:4VLqMAzFWDQkmT/IlD09yb0vuBI

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

C2

72.5.43.15:4449

Mutex

yezcydjwbxouz

Attributes

  • delay

    1

  • install

    true

  • install_file

    win.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      runtime.exe

    • Size

      73KB

    • MD5

      4fa7b1eec1fc84eb3a13c29e5a37aae7

    • SHA1

      dfff9fceeb4d74d7e82f9f0a65d1889fa0f9e326

    • SHA256

      5f5aa560b9b2d9f7ea3b9a4e05b9b9b35107dc78bd763000fe05f6b3f998f311

    • SHA512

      5e36a5589499a3db56d78de1b66a9ee57a2972bc57bf4b915df9118fd2a584c74ba00c61531d922431b72e87f9c53585c4c1a78a2aba122a22ea5e3603aa06ba

    • SSDEEP

      1536:KIUme0cxdlOH4PAI7Bn3h36rAi8EjZUPMwC/eqmmRhdWVH1bfbfPmjmwzUYbVclN:KIUm3cxdlOH4YI7Bn3h36rAi8EVUPMwv

    Score
    10/10
    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Target

      win10.exe

    • Size

      14.7MB

    • MD5

      eba7aa775fcfec357583fd4803fa60d2

    • SHA1

      94a3667f7b137e305aa45fb9d2cd3578fca8255b

    • SHA256

      e69138b703cdc4bf16367c468b9af1b5b7b56dbe2331ca1c34b46f7bad43ffe4

    • SHA512

      e0b8e105faa612287b6078f932ba5dce74af5489533d29104de198638c905391c7a0009f18e02dc148ace84ff0f7e283cd307f95234ebe6c59e628e99935641f

    • SSDEEP

      196608:I3FgX7miZ0sKYu/PaQqtG7fo0DOjmFpMRxtYSHdKiy4kdai7bN3mDRIF+8L7nakh:mFDQQYGfKKSphMB3Q1EDfPpd

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks