General

  • Target

    JaffaCakes118_9160c4962d732d3bedfbb9da1634c2393b6564fc5b1f8a1ce62de5a4ed172e8b

  • Size

    567KB

  • Sample

    241224-cyjvqsyrez

  • MD5

    0ca38bd4a3bea8fe36c7433d1d86a90b

  • SHA1

    2221a3c0cc49dc5b97ca36b3a4959424f93ed69f

  • SHA256

    9160c4962d732d3bedfbb9da1634c2393b6564fc5b1f8a1ce62de5a4ed172e8b

  • SHA512

    6ea4ce128f39192cd2c32041e021e1fd2e89baa779a44ba8e113999ee4665f9eaefee3bd803b7e46e43323492431506e2cc067094e1cf668fc1264e6f398d8aa

  • SSDEEP

    12288:64BR71eFL+FzE4b5dg8+7oN4gW/PppxPqGgXCjvEFdSLZPTvy:64BneFL+F1b5dIaW/zxPsyTidqNvy

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

C2

gratedmonth.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://20.106.255.48/dll/lnk.pdf

Targets

    • Target

      BXA09QOPKJHVRFVU_001_PDF.exe

    • Size

      300.0MB

    • MD5

      5b5b1099d3adbfba6ac4a0fe2c2a032e

    • SHA1

      a0bfb095d19e54dd13f120b5b863c9ed9e02e7f7

    • SHA256

      521c835ad73fb2d4e932e2cb36a5f95377f0314384339e5e18adc3e85238cd14

    • SHA512

      c599cf5b2b04e871c45c884dc201f94f1038e96184610afa9a725349a590577fd823355b51fafb9a7f8aa8d8e78f724e936fac7e6e811dacc4060a25a41e8372

    • SSDEEP

      3072:Z2eAJ+sffO8Q335Bdq5mV4LcPz3ipe+ZUjUcwtJFu4Ki:Z2Ssen35Bdq5mVUcr3ipJcUFuni

    • AsyncRat

      AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      RWVQ04HDJSNYKSDF03BD_002_PDF.vbs

    • Size

      129KB

    • MD5

      1befa9ba6ebbb499691b9ba6e4dec4ae

    • SHA1

      a39f41c971b09a4928c86717deab8cfb5242bc52

    • SHA256

      f119b656cd5a8a68ac35e37d8da3b090300757afda4616f67ba13369f20e459c

    • SHA512

      91f7550d39963faa56df8116fadd44977fffbc22a0d92e2c43f95116276fa154633785a7bf1f0c5d1e644211f880ea44a57968a85670f5481cacdef67a96a06b

    • SSDEEP

      48:qTlqlqlqlqlqlqlqllgu3gMg1gxg9gfgdWegXgtogEPgNogZg2gkgE3Vo9jgLE3M:eAAAAAAAN/edkUDVo9teK7vtReq0yO

    Score

    10/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

MITRE ATT&CK Enterprise v15

Tasks