venomrat | e83d13fcdc0f133482d558c8ce25b45a491ba3aff13849ce8169f05bb4972f0d

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7
submitted
15-08-2020 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77-Venom.exe
Size

576KB
MD5

a4a92cfdc1b3a949970eb6f5b20e1f21
SHA1

6f46b5386bb1cdcf83861666ddeb2be02ae7ee5f
SHA256

e83d13fcdc0f133482d558c8ce25b45a491ba3aff13849ce8169f05bb4972f0d
SHA512

8b9153e6ab420e088de44005f5bc8d335ae83ad2b7705802c6140cd407df6a6f690adb172806846e39ce2a899ea849520a0b71c2a7057cf5adb58df436369447

Score

10^/10

rat rootkit stealer venomrat evasion trojan spyware quasar

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

Processes:

Discord.exe

pid	Process
1676	Discord.exe

Loads dropped DLL 1 IoCs

Processes:

77-Venom.exe

pid	Process
1496	77-Venom.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

77-Venom.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	77-Venom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	77-Venom.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com

Drops file in System32 directory 5 IoCs

Processes:

77-Venom.exeDiscord.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\SubDir\Discord.exe	77-Venom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Discord.exe	77-Venom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Discord.exe	Discord.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	Discord.exe
File created	C:\Windows\SysWOW64\SubDir\r77-x64.dll	77-Venom.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
1036	schtasks.exe
1820	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

77-Venom.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	77-Venom.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	77-Venom.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exe77-Venom.exe

pid	Process
1756	powershell.exe
1756	powershell.exe
1496	77-Venom.exe
1496	77-Venom.exe
1496	77-Venom.exe
1496	77-Venom.exe
1496	77-Venom.exe
1496	77-Venom.exe
1496	77-Venom.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

77-Venom.exepowershell.exeDiscord.exe

description	pid	Process
Token: SeDebugPrivilege	1496	77-Venom.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1676	Discord.exe
Token: SeDebugPrivilege	1676	Discord.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Discord.exe

pid	Process
1676	Discord.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

77-Venom.exeDiscord.execmd.exe

description	pid	Process	procid_target
PID 1496 wrote to memory of 1036	1496	77-Venom.exe	25
PID 1496 wrote to memory of 1036	1496	77-Venom.exe	25
PID 1496 wrote to memory of 1036	1496	77-Venom.exe	25
PID 1496 wrote to memory of 1036	1496	77-Venom.exe	25
PID 1496 wrote to memory of 1676	1496	77-Venom.exe	27
PID 1496 wrote to memory of 1676	1496	77-Venom.exe	27
PID 1496 wrote to memory of 1676	1496	77-Venom.exe	27
PID 1496 wrote to memory of 1676	1496	77-Venom.exe	27
PID 1496 wrote to memory of 1756	1496	77-Venom.exe	28
PID 1496 wrote to memory of 1756	1496	77-Venom.exe	28
PID 1496 wrote to memory of 1756	1496	77-Venom.exe	28
PID 1496 wrote to memory of 1756	1496	77-Venom.exe	28
PID 1676 wrote to memory of 1820	1676	Discord.exe	30
PID 1676 wrote to memory of 1820	1676	Discord.exe	30
PID 1676 wrote to memory of 1820	1676	Discord.exe	30
PID 1676 wrote to memory of 1820	1676	Discord.exe	30
PID 1496 wrote to memory of 1404	1496	77-Venom.exe	32
PID 1496 wrote to memory of 1404	1496	77-Venom.exe	32
PID 1496 wrote to memory of 1404	1496	77-Venom.exe	32
PID 1496 wrote to memory of 1404	1496	77-Venom.exe	32
PID 1404 wrote to memory of 1308	1404	cmd.exe	34
PID 1404 wrote to memory of 1308	1404	cmd.exe	34
PID 1404 wrote to memory of 1308	1404	cmd.exe	34
PID 1404 wrote to memory of 1308	1404	cmd.exe	34
PID 1496 wrote to memory of 1316	1496	77-Venom.exe	35
PID 1496 wrote to memory of 1316	1496	77-Venom.exe	35
PID 1496 wrote to memory of 1316	1496	77-Venom.exe	35
PID 1496 wrote to memory of 1316	1496	77-Venom.exe	35

C:\Users\Admin\AppData\Local\Temp\77-Venom.exe
"C:\Users\Admin\AppData\Local\Temp\77-Venom.exe"
1⤵
- Loads dropped DLL
- Windows security modification
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\77-Venom.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1036
- C:\Windows\SysWOW64\SubDir\Discord.exe
  "C:\Windows\SysWOW64\SubDir\Discord.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Discord.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:1308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ynmsEu3L7aXj.bat" "
  2⤵
  PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ynmsEu3L7aXj.bat

Download Submit
C:\Windows\SysWOW64\SubDir\Discord.exe

Download Submit
C:\Windows\SysWOW64\SubDir\Discord.exe

Download Submit
\Windows\SysWOW64\SubDir\Discord.exe

Download Submit
memory/1036-3-0x0000000000000000-mapping.dmp

Download
memory/1308-51-0x0000000000000000-mapping.dmp

Download
memory/1308-53-0x0000000000000000-mapping.dmp

Download
memory/1316-52-0x0000000000000000-mapping.dmp

Download
memory/1404-50-0x0000000000000000-mapping.dmp

Download
memory/1496-0-0x0000000073B80000-0x000000007426E000-memory.dmp

Filesize
6.9MB

Download
memory/1496-1-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/1676-5-0x0000000000000000-mapping.dmp

Download
memory/1676-8-0x0000000073B80000-0x000000007426E000-memory.dmp

Filesize
6.9MB

Download
memory/1676-9-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/1756-16-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1756-48-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/1756-20-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/1756-25-0x0000000006140000-0x0000000006141000-memory.dmp

Filesize
4KB

Download
memory/1756-26-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/1756-33-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/1756-34-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1756-17-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/1756-49-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/1756-11-0x0000000000000000-mapping.dmp

Download
memory/1756-14-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1756-13-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1756-12-0x0000000073B80000-0x000000007426E000-memory.dmp

Filesize
6.9MB

Download
memory/1820-15-0x0000000000000000-mapping.dmp

Download