General

  • Target

    JaffaCakes118_6810ad8ad8c3587dffb038e09ed2eb749fc4d7aafbad45eda8bc1423a6d48b47

  • Size

    300.3MB

  • Sample

    241230-wvl1gavnb1

  • MD5

    a37e970e063fc479b417b52576e17092

  • SHA1

    db379467c13db16bc7e97d39217539ae28336e53

  • SHA256

    6810ad8ad8c3587dffb038e09ed2eb749fc4d7aafbad45eda8bc1423a6d48b47

  • SHA512

    2dfe699aac1e0563ba7c5e36513dd06bad158906226381bf54af3f8d858b6d049490870526da51db9ac5b2ab2861ce30a518a1bfae61a87d628e75c66da3f55f

  • SSDEEP

    3072:SndCXcnX7ChnAAD6OByB6/lEsu0rmvHsMvIBk5z:SdCLDpByS3ryHsMvIBkt

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

C2

ry8325585.duckdns.org:6087

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://schoolcrypter.com/dll_startup

Targets

    • Target

      WKR001.EXE

    • Size

      300.0MB

    • MD5

      ec0d7bfce7fe535906d4cc5e8eaa977e

    • SHA1

      04dd52f75415fee6f61077e07aa9e744de857b3a

    • SHA256

      a766403403d3c3de2ff965fbf148bcd56048b56d10e4dc65a702566669855016

    • SHA512

      02029fedd33ec22482bd7ec796fde86b462c1ee7a92a443a6a8306d7c42c2e1c32086db4b927465956c20e600028904db8b0580a7c23d9af83cf4f4e9c9a21d4

    • SSDEEP

      3072:cndCXcnX7ChnAAD6OByB6/lEsu0rmvHsMvIBk5z:cdCLDpByS3ryHsMvIBkt

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      WKR002.VBS

    • Size

      236KB

    • MD5

      7a52bb9f2fb57ce1bff8bd3f692d40ca

    • SHA1

      bb39b944eb06e987eae9ccaa7f1d4b93bc72a89f

    • SHA256

      93945370001cf9fb955aee425a60717a446a7e86c89edef0c8e862cbf588f0cb

    • SHA512

      fe57c25777e12b3b563109e6186546286a05203650f089a02e179084a0bd48efc62e050d3efbb34089402686fdb53c9ed71347978d0d9b85602f5485ae32a1a3

    • SSDEEP

      24:QnOilyjOMyE2aL8gVEuMvywFfV7N9Riwnwm43YQ7FYiVLneMDTFv9vPvW0mEOSRp:y16OeqyYLQeMHNOSAgHyLKhB

    Score

    10/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

MITRE ATT&CK Enterprise v15
