Overview

overview

10

Static

static

1

ScreenConn...up.exe

windows7-x64

8

ScreenConn...up.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ScreenConnect.ClientSetup.exe

  • Size

    5.4MB

  • Sample

    250115-yw6sdavmfk

  • MD5

    538afd7e6c3bc1a78b5a0c42eb17e18d

  • SHA1

    5b6a3919e440d4ab8300b68ad0b6b64bfb80a59b

  • SHA256

    a89336d32b8a3491a251c5559a8e8d34d9935e88fb74ee86ad15e8909b1e876c

  • SHA512

    9ab23ee30db958f0b608c8131fba3b643333004c1dd3a143d6599f17784dcad65c35b073efc489792f46e0cec4856f10762f7a608025daf215ac1547c294814b

  • SSDEEP

    49152:mEEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:jEs6efPNwJ4t1h0cG5FGJRPxow8O

Score
10/10
asyncratdefaultdiscoveryexecutionpersistenceprivilege_escalationrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

46.183.223.84:920

Mutex

bgbugsuhmtscgxona

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      ScreenConnect.ClientSetup.exe

    • Size

      5.4MB

    • MD5

      538afd7e6c3bc1a78b5a0c42eb17e18d

    • SHA1

      5b6a3919e440d4ab8300b68ad0b6b64bfb80a59b

    • SHA256

      a89336d32b8a3491a251c5559a8e8d34d9935e88fb74ee86ad15e8909b1e876c

    • SHA512

      9ab23ee30db958f0b608c8131fba3b643333004c1dd3a143d6599f17784dcad65c35b073efc489792f46e0cec4856f10762f7a608025daf215ac1547c294814b

    • SSDEEP

      49152:mEEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:jEs6efPNwJ4t1h0cG5FGJRPxow8O

    Score
    10/10
    discoveryexecutionpersistenceprivilege_escalationasyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Sets service image path in registry

      persistence

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Boot or Logon Autostart Execution: Authentication Package

      Suspicious Windows Authentication Registry Modification.

      persistenceprivilege_escalation

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

3
T1547

Authentication Package

1
T1547.002

Registry Run Keys / Startup Folder

2
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Authentication Package

1
T1547.002

Registry Run Keys / Startup Folder

2
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

5
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks