General
Target: RavenGen.exe
Size: 6.1MB
Sample: 250102-x47h7ssmhs
MD5: c8aeb6df26f168f40e546ea284f3a12a
SHA1: 8b6fd323ab0860e838e359b47cb0c432e37dd9bd
SHA256: a5795f05ca4de63e25ecfe7636a77e4d4e2d48963931f35dcad728dc4cd08956
SHA512: 4f86e47e76ce8dd0b374142988d4e82849a96768443fb5e1c65cfc3b527578296125dce7fc7619afc8ef4df40eb3c098128c31137215ea73237fc1c07d78351c
SSDEEP: 196608:bSkSIlLTUcwti7TQl2NgVg01MWAXAkuujCPX9YG9he5GnQCAJKN:OkSopwtQQl2aOtXADu8X9Y95GQLJ
Static task: static1
Behavioral task: behavioral1
  Sample: RavenGen.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral2
  Sample: RavenGen.exe
  Resource: win10ltsc2021-20241211-en
Malware Config
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: Default
C2: 51.89.44.68:8848
Mutex: etb3t1tr5n
Attributes:
  delay: 1
  install: true
  install_file: svchost.exe
  install_folder: %Temp%
Targets
Target: RavenGen.exe
- Asyncrat family
- Async RAT payload
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Persistence
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Modify Authentication Process (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Modify Authentication Process (1)
  Steal Web Session Cookie (1)
  Unsecured Credentials (1)
    Credentials In Files (1)