Resubmissions

08-08-2024 08:56

240808-kv41havgjh 10

08-08-2024 08:55

240808-kvncravgjb 10

08-08-2024 08:48

240808-kqyypavfpg 10

General

  • Target

    Shellbag anylizer.exe

  • Size

    247KB

  • Sample

    240808-kqyypavfpg

  • MD5

    851269fc86de5d91e5f2db1b2b34cb6e

  • SHA1

    6103dab45c98bddef65b6eed235a60159d458526

  • SHA256

    0b7987bd9f7cbee60c4c809f22ecda6f314a0366f0704ed474626ac5f7af3521

  • SHA512

    c01c7d2ec52d55ece6f88eeb9c5ecf260ef9b59fd3f08ad42e4ed582b24bd482fcfd334375177b032564f567af6d195f7627249abe1e428f52f6c2806783acfc

  • SSDEEP

    6144:/bwmPMVWrVbVPwF9kfK8rpClz0KBb6o589GHWHWujiSPbp:/bw8n5gBuj/PV

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

zedtklncvg

Attributes
  • delay

    1

  • install

    true

  • install_file

    update.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/f2T8NYnM

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1268156147073028147/TIx6OxtO2lKmkHzKF1kx6lqRbTwM5gpzuWgE_bIMnb6ppmXmskOWpqqHICCvEtAo0VeV

Targets

    • Target

      Shellbag anylizer.exe

    • Size

      247KB

    • MD5

      851269fc86de5d91e5f2db1b2b34cb6e

    • SHA1

      6103dab45c98bddef65b6eed235a60159d458526

    • SHA256

      0b7987bd9f7cbee60c4c809f22ecda6f314a0366f0704ed474626ac5f7af3521

    • SHA512

      c01c7d2ec52d55ece6f88eeb9c5ecf260ef9b59fd3f08ad42e4ed582b24bd482fcfd334375177b032564f567af6d195f7627249abe1e428f52f6c2806783acfc

    • SSDEEP

      6144:/bwmPMVWrVbVPwF9kfK8rpClz0KBb6o589GHWHWujiSPbp:/bw8n5gBuj/PV

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Async RAT payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Enterprise v15

Tasks