asyncrat

General

Target

912cb836caee6748788b60d0e26a2fed0dd6ab86fdc347062cf667d6498fa8e4
Size

1.0MB
Sample

250309-knknaazj19
MD5

e08608283c665cc306cc11dcb7c08611
SHA1

28f33902c9773764d0c95a85ab204b1b77e18df6
SHA256

912cb836caee6748788b60d0e26a2fed0dd6ab86fdc347062cf667d6498fa8e4
SHA512

dc716cb9c2b86eff708d11915ccb1c0ce845dab43e1616b28791af6cdab69416ac74a08f352f52ef68d57f84d5fb9ae2bc41c52c6bec3313d2f76fc3bfd5017d
SSDEEP

24576:mAkK+owDc5adDtg0W6H8tDPq5hmLQF9Ijr3WVsUaiacf:pHbwDcctdn8tDPq5cLishviacf

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

204.10.161.147:4955

Mutex

mzsualcjlq

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  RFQ_PO_783B65/RFQ-PO783B65.bat
- Size
  
  45B
- MD5
  
  c15f0bc7c754ae5cc5f09d4a646232a5
- SHA1
  
  3463cfed84c507ea4839793db9a19b79d9218632
- SHA256
  
  1d25f7af62786393a933913bcbd4e0412b7261817ecea3aeb60e2294adaece9d
- SHA512
  
  bf5c3da788c3807d8be313765f12671cc67bac797214d7a18ab1570c6fbcbb4a8536ec169633329d51d22b087692ebfed45fd8565277a4c26df656ab6e9e43f0
Score

10^/10

asyncrat venomrat default collection discovery persistence privilege_escalation rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- VenomRAT
  Detects VenomRAT.
  rat
- Venomrat family
  venomrat
- Drops startup file
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  RFQ_PO_783B65/RFQ-PO783B65.png
- Size
  
  1.1MB
- MD5
  
  c655f74a0a364d39ca8c4c7f46647a15
- SHA1
  
  04fa23d7ff51f5b503c991f7d9ff0d4c919b89b0
- SHA256
  
  6ff96de44e65161cfb8afd5e46e30b4940be0187b0c5422ff270f4e5adfb60a7
- SHA512
  
  120b10adc8b83feeaf26663f954ecba4e06dd6a3100f1d0405e5c054f62441ea9ad92015a296e9d56f9a295b11dbb54e5bcfddd26958a0dcc1633126c2f9a09e
- SSDEEP
  
  24576:mKyowlc5WdDtWmW6/2t1tm5JcL8FPujl3mV0UKAaL:93wlcctTf2t1tm56LG4LFAa
Score

10^/10

asyncrat venomrat default collection discovery persistence privilege_escalation rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- VenomRAT
  Detects VenomRAT.
  rat
- Venomrat family
  venomrat
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral3 behavioral4