venomrat | 5e74c2b7ac2d1ad593abac2e47d690a083bf96f1566901e58a5f59d221bc9853

General

Target

7-Venom.exe
Size

625KB
MD5

8e0459ea44e2e136a66683b4bb1b9c66
SHA1

e675cd144db3f6adeef99c1d790caae6df4d2b49
SHA256

5e74c2b7ac2d1ad593abac2e47d690a083bf96f1566901e58a5f59d221bc9853
SHA512

257f134d34a6016295e2807e1ff94afb84e25897ae5dd346a8c17e5e28e9dbc130055d22adadfd1f31776d4d62c055d204f3f1293df9c58da2daa9244e2f5059

Score

10^/10

evasion trojan rat rootkit stealer venomrat

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

Processes:

windowsrc.exe

pid	Process
3420	windowsrc.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

7-Venom.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	7-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	7-Venom.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
3768	schtasks.exe
3744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exe7-Venom.exe

pid	Process
3436	powershell.exe
3436	powershell.exe
3436	powershell.exe
3044	7-Venom.exe
3044	7-Venom.exe
3044	7-Venom.exe
3044	7-Venom.exe
3044	7-Venom.exe
3044	7-Venom.exe
3044	7-Venom.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7-Venom.exepowershell.exewindowsrc.exe

description	pid	Process
Token: SeDebugPrivilege	3044	7-Venom.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	3420	windowsrc.exe
Token: SeDebugPrivilege	3420	windowsrc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

windowsrc.exe

pid	Process
3420	windowsrc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

7-Venom.exewindowsrc.execmd.execmd.exe

description	pid	Process	procid_target
PID 3044 wrote to memory of 3768	3044	7-Venom.exe	68
PID 3044 wrote to memory of 3768	3044	7-Venom.exe	68
PID 3044 wrote to memory of 3768	3044	7-Venom.exe	68
PID 3044 wrote to memory of 3420	3044	7-Venom.exe	70
PID 3044 wrote to memory of 3420	3044	7-Venom.exe	70
PID 3044 wrote to memory of 3420	3044	7-Venom.exe	70
PID 3044 wrote to memory of 3436	3044	7-Venom.exe	71
PID 3044 wrote to memory of 3436	3044	7-Venom.exe	71
PID 3044 wrote to memory of 3436	3044	7-Venom.exe	71
PID 3420 wrote to memory of 3744	3420	windowsrc.exe	73
PID 3420 wrote to memory of 3744	3420	windowsrc.exe	73
PID 3420 wrote to memory of 3744	3420	windowsrc.exe	73
PID 3044 wrote to memory of 568	3044	7-Venom.exe	75
PID 3044 wrote to memory of 568	3044	7-Venom.exe	75
PID 3044 wrote to memory of 568	3044	7-Venom.exe	75
PID 568 wrote to memory of 800	568	cmd.exe	77
PID 568 wrote to memory of 800	568	cmd.exe	77
PID 568 wrote to memory of 800	568	cmd.exe	77
PID 3044 wrote to memory of 2524	3044	7-Venom.exe	78
PID 3044 wrote to memory of 2524	3044	7-Venom.exe	78
PID 3044 wrote to memory of 2524	3044	7-Venom.exe	78
PID 2524 wrote to memory of 484	2524	cmd.exe	80
PID 2524 wrote to memory of 484	2524	cmd.exe	80
PID 2524 wrote to memory of 484	2524	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\7-Venom.exe
"C:\Users\Admin\AppData\Local\Temp\7-Venom.exe"
1⤵
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Windows Registry Handler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\7-Venom.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:3768
- C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe
  "C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Registry Handler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xVXzfSpkN9Xo.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xVXzfSpkN9Xo.bat

Download Submit
C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe

Download Submit
C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe

Download Submit
memory/484-53-0x0000000000000000-mapping.dmp

Download
memory/568-48-0x0000000000000000-mapping.dmp

Download
memory/800-51-0x0000000000000000-mapping.dmp

Download
memory/800-49-0x0000000000000000-mapping.dmp

Download
memory/2524-50-0x0000000000000000-mapping.dmp

Download
memory/3044-4-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/3044-0-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/3044-7-0x00000000064F0000-0x00000000064F1000-memory.dmp

Filesize
4KB

Download
memory/3044-6-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/3044-5-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/3044-3-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/3044-1-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/3420-9-0x0000000000000000-mapping.dmp

Download
memory/3420-13-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/3420-32-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download
memory/3436-24-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/3436-43-0x0000000009D20000-0x0000000009D21000-memory.dmp

Filesize
4KB

Download
memory/3436-26-0x0000000008C70000-0x0000000008C71000-memory.dmp

Filesize
4KB

Download
memory/3436-27-0x0000000008A90000-0x0000000008A91000-memory.dmp

Filesize
4KB

Download
memory/3436-11-0x0000000000000000-mapping.dmp

Download
memory/3436-22-0x0000000008090000-0x0000000008091000-memory.dmp

Filesize
4KB

Download
memory/3436-34-0x0000000009800000-0x0000000009833000-memory.dmp

Filesize
204KB

Download
memory/3436-41-0x00000000097E0000-0x00000000097E1000-memory.dmp

Filesize
4KB

Download
memory/3436-42-0x0000000009B70000-0x0000000009B71000-memory.dmp

Filesize
4KB

Download
memory/3436-25-0x00000000081D0000-0x00000000081D1000-memory.dmp

Filesize
4KB

Download
memory/3436-44-0x0000000009CD0000-0x0000000009CD1000-memory.dmp

Filesize
4KB

Download
memory/3436-46-0x0000000009CC0000-0x0000000009CC1000-memory.dmp

Filesize
4KB

Download
memory/3436-21-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/3436-20-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/3436-19-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/3436-17-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/3744-31-0x0000000000000000-mapping.dmp

Download
memory/3768-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads