General

  • Target

    JaffaCakes118_ab9c7560ca7b9d1f5969701bf497090d5fa95ae6373da5591dac202db9ce34af

  • Size

    92KB

  • Sample

    241230-dq7ghawpam

  • MD5

    2b38592e8349bafcece5ddfc76296465

  • SHA1

    d94153abfc925353d0007b0141e1c5da3f07d322

  • SHA256

    ab9c7560ca7b9d1f5969701bf497090d5fa95ae6373da5591dac202db9ce34af

  • SHA512

    1b4df5f249cb7500ca39e14d86eb60d1f22c2d917d28ed70caf540e3c9164b2cc3853b213f06480ef522bbe6aecc2b85c562971c03a862ecc83340a62c0fa3ae

  • SSDEEP

    1536:iyM6dBHTi18g9B4k5BL2rKdBi3EEbgvvFJdP8j9FMsqHVnJ4KvexYw68RkEyx4Zh:fM6dJGigL409g0EbGtcj9SseVJKxYd85

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

  • ps1.dropper

    http://20.106.255.48/dll/TESTING.txt

Extracted

  • Family

    asyncrat

  • Version

    Venom RAT 5.0.5

  • Botnet

    Venom Clients

  • C2

    toff7857.duckdns.org:8890

  • Mutex

    Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

  • Attributes

    • delay

      1

    • install

      false

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      RFAU02GSHKOPSFDQW_002_PDF.vbs

    • Size

      222KB

    • MD5

      f212536d8cdf98f7284837ee48886346

    • SHA1

      7fe473d02fe0dc783b6021c792abca338dc4e11f

    • SHA256

      91f8e59475196b2ab33f9e5e22beb04d3ee039985abe1572a4a6e7b3f6f8b74d

    • SHA512

      08524a86d5b9f53953e9587286e7210c48ee403e99c67f13dbdd5081a7d558c58541c4e95b6ca640a98a5e5d8a634127801767655b168fa8889357d3319880c6

    • SSDEEP

      192:Oply3gSajcsbpS1zQ1QXDebjDqNBft1hx8+W6h8VDvwAv1CjIc:ODokghw1HqR98dfH1Cjj

    • Score

      10/10

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Target

      RV07QAROPHDFSRE_001_PDF_clean.exe

    • Size

      126KB

    • MD5

      8dc1c167f8f69381b9c97e2959f0d531

    • SHA1

      a44d3def5a60ea19b2d5cc2dc89aca74c9c666c0

    • SHA256

      ae3b4897a288a41ec73e1a6b94ce89b982a35e4ee754208e035877ed27ad17a8

    • SHA512

      d61cd8bed549b69cdebbb26d0cfc26525165755b49d731e0268b293f8dfa99cc78f6a80897fd8db4b180b77ffb03501091f5dbd0811e11a639d74f59a97c323c

    • SSDEEP

      3072:2JBH+suK5LqfcddhnOdzzW+49vdtJFu4Kis:TsugmO4xYFunis

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks