General

  • Target

    Loader.exe

  • Size

    3.9MB

  • Sample

    241109-1nd4hatalj

  • MD5

    47a3da93e56b32634ef75d89326eddfd

  • SHA1

    c713ae03c5ca84d5b9d00c3766976a80ff4870f9

  • SHA256

    9da77aa713f1d8a0c0491326e6b187f57c59a9ac9988765913ad837b59dd0687

  • SHA512

    94a936ed621f8aee938bd9e58827723243519c282591d00713f5825c465d2e68b8598911bba712d1a62795d380e4c19b04449a4333983484b03f051fdad18ad6

  • SSDEEP

    98304:Nk1zJMJNrH1Z236EYzNVGm+xI7jfg/7KlTrzTGnI4A/z1Vre:q1zJSVHD236JXjY/7KFKnCz1Ze

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

193.161.193.99:53757

Mutex

qfufsslmpoqmfov

Attributes
  • delay

    1

  • install

    true

  • install_file

    Runtime Broker.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Loader.exe

    • Size

      3.9MB

    • MD5

      47a3da93e56b32634ef75d89326eddfd

    • SHA1

      c713ae03c5ca84d5b9d00c3766976a80ff4870f9

    • SHA256

      9da77aa713f1d8a0c0491326e6b187f57c59a9ac9988765913ad837b59dd0687

    • SHA512

      94a936ed621f8aee938bd9e58827723243519c282591d00713f5825c465d2e68b8598911bba712d1a62795d380e4c19b04449a4333983484b03f051fdad18ad6

    • SSDEEP

      98304:Nk1zJMJNrH1Z236EYzNVGm+xI7jfg/7KlTrzTGnI4A/z1Vre:q1zJSVHD236JXjY/7KFKnCz1Ze

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks