General

  • Target

    JaffaCakes118_d12d87e04dc64cbc675d39046f6cd496f84da00d880a721979a11811c8728716

  • Size

    300.3MB

  • Sample

    241222-e5g1tstlhz

  • MD5

    df826b38b74eff53eb141474fb2ebe99

  • SHA1

    a13f64639fcd5c200d60c736458b25b7a95c3932

  • SHA256

    d12d87e04dc64cbc675d39046f6cd496f84da00d880a721979a11811c8728716

  • SHA512

    2b43472ae906cf991927860840361e746714e1e4058038787bee0958d7577c8a01c177b180863db01596571dad353d6cfad28b84b6a969ed564f3ec13df3431f

  • SSDEEP

    3072:vq1IYuRXuhcSOY/hQ6d1XmRsDvHt02pWJJ67rmvHszvTBFUa:yyY6TYC6d1XjxpWJmryHszvTBFZ

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    Venom RAT 5.0.5

  • Botnet

    Venom Clients

  • C2

    ry8325585.duckdns.org:6087

  • Mutex

    Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (ps1.dropper)

    https://schoolcrypter.com/dll_startup

Targets

    • Target

      RVF001.EXE

    • Size

      300.0MB

    • MD5

      fdd6bb2ce995b36d49d3196894192988

    • SHA1

      9e8b9db35c796ccd6622771ffc5d333038d3333d

    • SHA256

      a09c85265ae57ce325328a06925d3fbc61021f2ca815d00858c3024ab6f8e3a8

    • SHA512

      e337f94b47930a8e01ef4877a45578c9e1bf430111a6c27de03f50cee599717e4c0605f01f41d70b2123ef3bf12fb695893965876cd90ac4a17746dc8b7389e2

    • SSDEEP

      3072:9q1IYuRXuhcSOY/hQ6d1XmRsDvHt02pWJJ67rmvHszvTBFUa:UyY6TYC6d1XjxpWJmryHszvTBFZ

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      RVF002.VBS

    • Size

      236KB

    • MD5

      7b474b087d336f766ba4cd74067e2786

    • SHA1

      aac3de5ebd60465dabdd78033637819b68d1e91b

    • SHA256

      92d4a215bc6adc95dec27c087a23e307dcebd79b2abcbb76f9f9dc08a70b3e5a

    • SHA512

      e431562d6a08d91075c8498dd88de3c83a7e21bf627263254f3b62e9f9b5493a34f1f942412865e3bd4bc3bcfc4ff2c8f5223aa0fa58601803d1f43451f50dfe

    • SSDEEP

      24:QnODOUWlHllyjOMyE2aL8gVEuMvywFfV7N9Riwnwm43YQ7FYiVLneMDTFv9vPvWE:yKVWtl6OeqyYLQeMHNOSAgHyLKhB

    Score
    10/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

MITRE ATT&CK Enterprise v15