General
-
Target
ValPrivate by Spence.exe
-
Size
20.9MB
-
Sample
240630-h4sygsvcla
-
MD5
3bba4fcdde47709b2f1a7070d9d75bc4
-
SHA1
fc430dffd95f64e962499caaca1a6dc5623a2834
-
SHA256
fdc3dbca5f227819f45bdbff9724050fc87c9f77f6e12215fce4b62dbdb1ecf0
-
SHA512
479da850d2c99458171a76c105eac6bab98d2275840bc4b173fc0e5dccedf0d639ad0e9362cf1e4010f21e3bc33ff333bc4efc29b88b11a09194d37e611f7d7d
-
SSDEEP
393216:hCroZbAGdSrxNM4FUtNsNWzbqXSHhT9zNku8Gl43T/D0hNhIov0vbkfX:yG0jM4ysNmqCHhTh4MKa8osDk
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
ValoPrivate
ValoPrivate2112
-
delay
1
-
install
true
-
install_file
fonthostdrw.exe
-
install_folder
%Temp%
-
pastebin_config
https://pastebin.com/raw/UvBeaykR
Extracted
quasar
1.4.1
ValoPrivate
147.185.221.18:7764
dcd71dd9-fe72-4506-a382-2402acd94cad
-
encryption_key
EC027AEC27EEC6C9F635FB541708B1C7333B126C
-
install_name
svchostw.exe
-
log_directory
Logs
-
reconnect_delay
5050
-
startup_key
svchost
Extracted
xworm
-
Install_directory
%Public%
-
install_file
ValoPrivate-V2.exe
-
pastebin_url
https://pastebin.com/raw/UvBeaykR
Targets
-
-
Target
ValPrivate by Spence.exe
-
Size
20.9MB
-
MD5
3bba4fcdde47709b2f1a7070d9d75bc4
-
SHA1
fc430dffd95f64e962499caaca1a6dc5623a2834
-
SHA256
fdc3dbca5f227819f45bdbff9724050fc87c9f77f6e12215fce4b62dbdb1ecf0
-
SHA512
479da850d2c99458171a76c105eac6bab98d2275840bc4b173fc0e5dccedf0d639ad0e9362cf1e4010f21e3bc33ff333bc4efc29b88b11a09194d37e611f7d7d
-
SSDEEP
393216:hCroZbAGdSrxNM4FUtNsNWzbqXSHhT9zNku8Gl43T/D0hNhIov0vbkfX:yG0jM4ysNmqCHhTh4MKa8osDk
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Xworm Payload
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1