General
-
Target
Loader.exe
-
Size
6.8MB
-
Sample
240802-xfzhpazhph
-
MD5
2c07c81a8d5f9214b84fbc719bc05cd9
-
SHA1
4290e1e9b958e60a6f14a4e02fbecac28ba11506
-
SHA256
ddb108688775b154e5fdcba09cd8b204e8de3c355772c3136c1c72e9cb2e6c9d
-
SHA512
ed2049df3988f23360e1b3ea7cf0bdb2af6543dcef9cf29464174003af74fea74cc3aa5b4f5085a5b2b47d6fb0e528bd09035377a353f83931a5ddea8b3ec2f0
-
SSDEEP
196608:DqCSDQ52eJbdmRnNwjsWfGRyHXXGQ/3k:DMQzIRniIW+RyHXX/Pk
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
193.161.193.99:53757
tdzrvimddbca
-
delay
1
-
install
true
-
install_file
System32.exe
-
install_folder
%AppData%
Targets
-
-
Target
Loader.exe
-
Size
6.8MB
-
MD5
2c07c81a8d5f9214b84fbc719bc05cd9
-
SHA1
4290e1e9b958e60a6f14a4e02fbecac28ba11506
-
SHA256
ddb108688775b154e5fdcba09cd8b204e8de3c355772c3136c1c72e9cb2e6c9d
-
SHA512
ed2049df3988f23360e1b3ea7cf0bdb2af6543dcef9cf29464174003af74fea74cc3aa5b4f5085a5b2b47d6fb0e528bd09035377a353f83931a5ddea8b3ec2f0
-
SSDEEP
196608:DqCSDQ52eJbdmRnNwjsWfGRyHXXGQ/3k:DMQzIRniIW+RyHXX/Pk
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3