General

  • Target

    JaffaCakes118_9c3b123bf5be1332f7b3727c8f6c352887437b5329ffc083d0b65833cfe5678c

  • Size

    485KB

  • Sample

    241224-mmw12avqbr

  • MD5

    cafaa060fd7c48f5dd75fd9542062622

  • SHA1

    ee891d615c83b2e3eebdc3e859d975348659ce9f

  • SHA256

    9c3b123bf5be1332f7b3727c8f6c352887437b5329ffc083d0b65833cfe5678c

  • SHA512

    5aa310ed1fb5d5b959ce8a212866859be6ed3ec9bd81dfe47e33c486423402ce2709274098ebc71661622c413c5f9d60d110a29989c8932d1439e92fb5cb052f

  • SSDEEP

    3072:5QBgL8npOntBnNOTUMBF6kI1hCRFukPxHOhTUV7f:5QBg7t7OQkF6dw3KTy7f

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

C2

resulttoday2.duckdns.org:6111

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      URFT06GSBAWRP_001_PDF/RQK02HVBPO_002_PDF.vbs

    • Size

      219KB

    • MD5

      86d9cdbe85e0b345c00063cb59efda75

    • SHA1

      6990625fff03cdc505a7c9a224c39fb9c1b1ab80

    • SHA256

      541752eae29c171bb8ab3f5851b6f58ba58035298b8781990998d22cd4982f6e

    • SHA512

      0f39d5b741cb5fc822f17306537a4659c5ff191f18ef47e18aa3f604eb9d4598f1c01316068285531916a57bd0410b27fd8d44adb3bda41ee691098cd5b1bc2f

    • SSDEEP

      48:DVK0hbQvuivLvyvTxYvsvuiv7vu2vJR2vFvvvfv1KvFvDv2UfHvrvUvgYvc2vGgu:xKWdUIlVc8WGvXimF

    Score
    10/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Target

      URFT06GSBAWRP_001_PDF/URFT06GSBAWRP_001_PDF.exe

    • Size

      300.0MB

    • MD5

      464753cd8a6523de0fba921ce6846177

    • SHA1

      6b3b77af1129f9ad86acc31163d8450eacb4dbd3

    • SHA256

      3221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092

    • SHA512

      589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2

    • SSDEEP

      3072:1iJZ3k2p8jrvVIYkwur2JMBZ6kINhCRFuaABOUEs64BRg40nOFblHTgr4:1OyRr9u1KJkZ6dIYBUeBRgOlWU

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks