General

  • Target

    win10.cmd

  • Size

    3KB

  • Sample

    241025-ranlca1aph

  • MD5

    e62a670dce5171d5ffc8cdc9d1897f1e

  • SHA1

    1f1641255d816783f7eac72f7359dd886ddaa164

  • SHA256

    37e3fb24bc4ea36c7363a55ca99539a5c91aa5600739a652deb3fbbbcab9b2d5

  • SHA512

    f7615a367da1bfabc4cf9fad782154342c14bca6cca448b493cc3ee0328c1267f6b91beeb6e12ece409b72429eb9bb23154aaa682cb49157867b5d3c593d4557

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper

    http://72.5.43.223/gdHydhxad/win10.zip

Extracted

  • Family

    asyncrat

  • Version

    Venom RAT + HVNC + Stealer + Grabber v6.0.2

  • Botnet

    Default

  • C2

    72.5.43.15:4449

  • Mutex

    yezcydjwbxouz

Attributes
  • delay

    1

  • install

    true

  • install_file

    win.exe

  • install_folder

    %AppData%

aes.plain
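To make the extracted configuration directly usable for hunting, here is an added example (editor's code, not part of the sandbox report and not code from the malware) that turns the C2, mutex, install folder/file and dropper URL above into indicators and checks them against a handful of constructed Sysmon-style events. The indicator values are copied from the config above; the event field names, the %AppData% expansion table and the sample events are the editor's assumptions.

```python
"""Derive host/network indicators from the AsyncRAT (Venom RAT) config extracted
above and match them against constructed Sysmon-style events (editor's example)."""
import ntpath
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section of this report.
CONFIG = {
    "c2": "72.5.43.15:4449",
    "mutex": "yezcydjwbxouz",
    "install_folder": "%AppData%",
    "install_file": "win.exe",
    "dropper_url": "http://72.5.43.223/gdHydhxad/win10.zip",
}

# Assumed expansions: the profile root differs per user, so a %VAR%-relative
# install path is matched as a path suffix rather than as a full path.
ENV_FOLDERS = {
    "%appdata%": r"AppData\Roaming",
    "%localappdata%": r"AppData\Local",
    "%temp%": r"AppData\Local\Temp",
}


def build_indicators(cfg: Dict[str, str]) -> Dict[str, object]:
    host, port = cfg["c2"].rsplit(":", 1)
    url = urlsplit(cfg["dropper_url"])
    folder = cfg["install_folder"]
    if folder.startswith("%"):
        suffix = "\\" + ntpath.join(ENV_FOLDERS.get(folder.lower(), folder.strip("%")), cfg["install_file"])
    else:
        suffix = ntpath.join(folder, cfg["install_file"])
    return {
        "c2": (host, int(port)),
        "dropper_host": url.hostname,
        "dropper_path": url.path,
        "install_suffix": suffix.lower(),
        "mutex": cfg["mutex"],
    }


def match_event(ev: Dict[str, str], ioc: Dict[str, object]) -> List[str]:
    """Return the names of the indicators an event hits (assumed field names)."""
    hits: List[str] = []
    kind = ev["type"]
    if kind == "network":
        if (ev["dst_ip"], int(ev["dst_port"])) == ioc["c2"]:
            hits.append("c2")
        if ev["dst_ip"] == ioc["dropper_host"]:
            hits.append("dropper_host")
    elif kind == "http":
        u = urlsplit(ev["url"])
        if u.hostname == ioc["dropper_host"] and u.path == ioc["dropper_path"]:
            hits.append("dropper_url")
    elif kind in ("file", "process"):
        # Case-insensitive suffix match so any user's profile root matches.
        if ev["path"].lower().endswith(ioc["install_suffix"]):
            hits.append("install_path")
    elif kind == "mutex" and ev["name"] == ioc["mutex"]:
        hits.append("mutex")
    return hits


# Constructed events for illustration, not telemetry from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "http", "url": "http://72.5.43.223/gdHydhxad/win10.zip"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\win.exe"},
    {"type": "process", "path": r"C:\Users\alice\AppData\Roaming\win.exe"},
    {"type": "mutex", "name": "yezcydjwbxouz"},
    {"type": "network", "dst_ip": "72.5.43.15", "dst_port": "4449"},
    {"type": "network", "dst_ip": "13.107.4.52", "dst_port": "443"},  # benign control
]


def triage(events: List[Dict[str, str]], ioc: Dict[str, object]) -> List[Tuple[int, List[str]]]:
    """Index and indicator names of every event that matches at least one IOC."""
    out = []
    for i, ev in enumerate(events):
        hits = match_event(ev, ioc)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS, build_indicators(CONFIG)):
        print(i, SAMPLE_EVENTS[i]["type"], hits)
```

Two points worth keeping in mind when using these indicators: the install path is matched as a suffix because %AppData% resolves to a different profile root on every host, and the dropper host (72.5.43.223) and the C2 (72.5.43.15) both sit in 72.5.43.0/24, so a hunt that only looks for the exact C2 socket may miss a follow-on server in the same range.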

Targets

    • Target

      win10.cmd

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.
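The PowerShell, firewall, geofence and IP-lookup signatures above describe behaviour rather than fixed strings. As an added example (editor's code, not the report's, and not commands recovered from win10.cmd), the following classifier runs a small set of regex rules over PowerShell command lines or script-block text, first decoding any -EncodedCommand argument so the rules see what PowerShell would actually run. The command lines are constructed illustrations of each behaviour; the ATT&CK technique ids and the list of IP-lookup services are the editor's mapping, not taken from the report.

```python
"""Regex classifier for the PowerShell-driven behaviours listed in the signatures
above, applied to constructed command lines (editor's example, not sample code)."""
import base64
import re
from typing import Dict, List

# signature name -> (ATT&CK technique, pattern). Technique ids are the editor's mapping.
RULES = {
    "Defender exclusion added": (
        "T1562.001",
        re.compile(r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)", re.I | re.S),
    ),
    "Defender protection disabled": (
        "T1562.001",
        re.compile(r"\bSet-MpPreference\b.*?-Disable\w+\s+(\$true|1)\b", re.I | re.S),
    ),
    "Firewall modified": (
        "T1562.004",
        re.compile(
            r"(\bnetsh\s+advfirewall\b.*?\b(add|set|delete)\b"
            r"|\b(New|Set|Remove)-NetFirewall(Rule|Profile)\b)",
            re.I | re.S,
        ),
    ),
    "Geofence registry lookup": (
        "T1614",
        re.compile(r"Control Panel\\International\\Geo", re.I),
    ),
    "External IP lookup": (
        "T1016",
        re.compile(r"https?://(api\.ipify\.org|ipinfo\.io|icanhazip\.com|checkip\.amazonaws\.com|ip-api\.com)\b", re.I),
    ),
}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded(cmdline: str) -> str:
    """Append the decoded text of any -EncodedCommand argument (base64 of UTF-16LE)
    so that the rules match on the script PowerShell would actually execute."""
    text = cmdline
    for blob in ENCODED_ARG.findall(cmdline):
        try:
            text += "\n" + base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-16LE: keep only the raw command line
    return text


def classify(cmdline: str) -> List[Dict[str, str]]:
    """Return every signature (with its technique id) that the command line triggers."""
    text = expand_encoded(cmdline)
    return [{"signature": name, "technique": tid} for name, (tid, rx) in RULES.items() if rx.search(text)]


# Constructed command lines illustrating each behaviour; not the sample's own commands.
ENCODED = base64.b64encode("Add-MpPreference -ExclusionPath $env:APPDATA".encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINES = [
    'powershell.exe -NoP -W Hidden -Command "Add-MpPreference -ExclusionPath $env:APPDATA -ExclusionExtension exe -ExclusionProcess win.exe"',
    'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    'netsh advfirewall firewall add rule name="win" dir=in action=allow program="%AppData%\\win.exe"',
    'powershell.exe -Command "(Get-ItemProperty \'HKCU:\\Control Panel\\International\\Geo\').Nation"',
    'powershell.exe -Command "Invoke-RestMethod https://api.ipify.org"',
    f"powershell.exe -NoProfile -EncodedCommand {ENCODED}",
    'powershell.exe -Command "Get-ChildItem C:\\Windows"',  # benign control, should not match
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print([r["signature"] for r in classify(line)], "<-", line[:70])
```

The encoded-command step matters in practice: a dropper like this one typically hands the Defender-exclusion and firewall commands to powershell.exe as a base64 UTF-16LE blob, so a rule that only inspects the raw command line never sees "Add-MpPreference". Script Block Logging (Event ID 4104) gives you the decoded text directly; the decoder here covers the case where only process command lines are available.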

MITRE ATT&CK Enterprise v15