General
-
Target
RNSM00391.7z
-
Size
6.1MB
-
Sample
241101-22ykqsvle1
-
MD5
8f04796eea62aca1a7dc0e43262fc523
-
SHA1
9ca40256af4e4029f17724064afb1feed92f34b0
-
SHA256
e03df762bb062c44aa98d703fb59acf42d886e1b29e7ca0e0300a0f9280ed64a
-
SHA512
a8c35efa3e0f4fbd8369cb39c013a312d9cb153f2efbc04b3a789dbe874af0dc0a0427ef83c804a6a51f03e16aca8bbcc9fbced8c3273e05e5b2e8751ae8b8ec
-
SSDEEP
196608:RjmLAqn+1/rnxINzohV3TuAzCS+Ulb39yQH0D5Ac2:gcO+Z8zohV3iKnVIS0D5W
Static task
static1
Behavioral task
behavioral1
Sample
RNSM00391.7z
Resource
win10v2004-20241007-en
Malware Config
Extracted
asyncrat
0.5.7B
SEPT G11
chongmei33.publicvm.com:49746
chongmei33.publicvm.com:2703
185.165.153.116:49746
185.165.153.116:2703
54.37.36.116:49746
54.37.36.116:2703
185.244.30.92:49746
185.244.30.92:2703
dongreg202020.duckdns.org:49746
dongreg202020.duckdns.org:2703
178.33.222.241:49746
178.33.222.241:2703
rahim321.duckdns.org:49746
rahim321.duckdns.org:2703
79.134.225.92:49746
79.134.225.92:2703
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
svchost.exe
-
install_folder
%AppData%
Targets
-
-
Target
RNSM00391.7z
-
Size
6.1MB
-
MD5
8f04796eea62aca1a7dc0e43262fc523
-
SHA1
9ca40256af4e4029f17724064afb1feed92f34b0
-
SHA256
e03df762bb062c44aa98d703fb59acf42d886e1b29e7ca0e0300a0f9280ed64a
-
SHA512
a8c35efa3e0f4fbd8369cb39c013a312d9cb153f2efbc04b3a789dbe874af0dc0a0427ef83c804a6a51f03e16aca8bbcc9fbced8c3273e05e5b2e8751ae8b8ec
-
SSDEEP
196608:RjmLAqn+1/rnxINzohV3TuAzCS+Ulb39yQH0D5Ac2:gcO+Z8zohV3iKnVIS0D5W
-
Asyncrat family
-
GandCrab payload
-
Gandcrab family
-
Hiverat family
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
HiveRAT payload
-
Renames multiple (3798) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1