 that downloads VenomRAT (AsyncRAT). For the LNK file to disguise itself as a legitimate Word file, it was distributed with the name 'Survey.docx.lnk' inside a compressed file which also contained a legitimate text file. Above all, users need to remain vigilant, as the executable file (blues.exe) used in the attack is disguised as a Korean company's certificate){kind=link}
Source Name: Blog Post
Source Reliability: A-Reliable
Information Reliability: 1-Confirmed
Summary:
Researchers have found a shortcut file (.lnk) that downloads VenomRAT (AsyncRAT). For the LNK file to disguise itself as a legitimate Word file, it was distributed with the name ‘Survey.docx.lnk’ inside a compressed file which also contained a legitimate text file. Above all, users need to remain vigilant, as the executable file (blues.exe) used in the attack is disguised as a Korean company’s certificate.
Motivation: Unknown
Source Category: Technical Intelligence
Relevance Rating: Low
IOC Table:
| SR NO | IOC Type | IOC | Malicious Info |
|---|---|---|---|
| 1 | hash | 2d09f6e032bf7f5a5d1203c7f8d508e4 | VT Malicious=Not availableHash=585f9d699807c982dac2f8384a20d510736aa771653de965fe7bb2c40b4a3fa8 Kaspersky Zone=None Kaspersky Hits = Not available AV Detected=Not available |
| 2 | hash | 2dfaa1dbd05492eb4e9d0561bd29813b | VT Malicious=Not availableHash=bd23b38717e8fec3a17dc23020ffc985172f7683d2d46d0080eff8a80825845c Kaspersky Zone=None Kaspersky Hits = Not available AV Detected=Not available |
| 3 | hash | 335b8d0ffa6dffa06bce23b5ad0cf9d6 | VT Malicious=Not availableHash=2aa569b95d506b163ce498b9bb864a28b560029c574b1abd4558016d26a0093d Kaspersky Zone=None Kaspersky Hits = Not available AV Detected=Not available |
| 4 | hash | e494fc161f1189138d1ab2a706b39303 | VT Malicious=Not availableHash=5d6cc4d7e7ce998cf1d7bc8b78f787f9b034ab3dbdf8c91a33ad0233ddef2ac4 Kaspersky Zone=None Kaspersky Hits = Not available AV Detected=Not available |
| 5 | hash | f57918785e7cd4f430555e6efb00ff0f | VT Malicious=Not availableHash=27ec0c704261af619ce67a04c2f71b34e5c74110970b555208afb4aa65b4a723 Kaspersky Zone=None Kaspersky Hits = Not available AV Detected=Not available |
| 6 | url | http://194.33.191.248:7287/adb.dll | VT Malicious=23Kaspersky Zone=Not available Kaspersky Hits = Not available AV Detected=3 |
| 7 | url | http://194.33.191.248:7287/blues.exe | VT Malicious=20Kaspersky Zone=Not available Kaspersky Hits = Not available AV Detected=3 |
| 8 | url | http://194.33.191.248:7287/docx1.hta | VT Malicious=23Kaspersky Zone=Not available Kaspersky Hits = Not available AV Detected=3 |
| 9 | url | http://194.33.191.248:7287/qfqe.docx | VT Malicious=23Kaspersky Zone=Not available Kaspersky Hits = Not available AV Detected=3 |
| 10 | url | http://194.33.191.248:7287/sys.ps1 | VT Malicious=23Kaspersky Zone=Not available Kaspersky Hits = Not available AV Detected=3 |
| 11 | ip | 5.42.92.32 | VT Malicious=4 Confidence=0Kaspersky Zone=Grey Kaspersky Hits = 0 AV Detected=0 |
| 12 | ip | 5.42.92.37 | VT Malicious=4 Confidence=0Kaspersky Zone=Grey Kaspersky Hits = 0 AV Detected=0 |
| 13 | ip | 5.42.92.44 | VT Malicious=4 Confidence=0Kaspersky Zone=Grey Kaspersky Hits = 0 AV Detected=0 |