venomrat | b126d2bf73da9bce2f1a0748febb99510127eee852284a75c777ebac33b39649

Analysis

max time kernel
146s
max time network
115s
platform
windows10_x64
resource
win10
submitted
25-10-2020 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8920c6867df1eeaec33e3e6253524700.exe
Size

534KB
MD5

8920c6867df1eeaec33e3e6253524700
SHA1

4ce786281b76b6949166092faa9bfccee4e2c599
SHA256

b126d2bf73da9bce2f1a0748febb99510127eee852284a75c777ebac33b39649
SHA512

fec621690ca21fc62a46c6b285a0bad0d6f3e4c792997616216b227b5a01db78b1b769c4847f3b6d0bc70d95f12b73885156b3164f319cda5d44b34861ef12e2

Score

10^/10

rat rootkit stealer venomrat evasion trojan spyware quasar

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/files/0x000200000001ab4e-12.dat	disable_win_def
behavioral2/files/0x000200000001ab4e-10.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid	Process
3892	Client.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

8920c6867df1eeaec33e3e6253524700.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	8920c6867df1eeaec33e3e6253524700.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	8920c6867df1eeaec33e3e6253524700.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
9	ip-api.com

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
2420	schtasks.exe
3924	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
3972	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exe8920c6867df1eeaec33e3e6253524700.exe8920c6867df1eeaec33e3e6253524700.exe

pid	Process
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
3244	8920c6867df1eeaec33e3e6253524700.exe
3244	8920c6867df1eeaec33e3e6253524700.exe
3244	8920c6867df1eeaec33e3e6253524700.exe
3244	8920c6867df1eeaec33e3e6253524700.exe
3244	8920c6867df1eeaec33e3e6253524700.exe
3244	8920c6867df1eeaec33e3e6253524700.exe
3244	8920c6867df1eeaec33e3e6253524700.exe
3472	8920c6867df1eeaec33e3e6253524700.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

8920c6867df1eeaec33e3e6253524700.exepowershell.exeClient.exe8920c6867df1eeaec33e3e6253524700.exe

description	pid	Process
Token: SeDebugPrivilege	3244	8920c6867df1eeaec33e3e6253524700.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	3892	Client.exe
Token: SeDebugPrivilege	3892	Client.exe
Token: SeDebugPrivilege	3472	8920c6867df1eeaec33e3e6253524700.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid	Process
3892	Client.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

8920c6867df1eeaec33e3e6253524700.exeClient.execmd.execmd.exe

description	pid	Process	procid_target
PID 3244 wrote to memory of 2420	3244	8920c6867df1eeaec33e3e6253524700.exe	74
PID 3244 wrote to memory of 2420	3244	8920c6867df1eeaec33e3e6253524700.exe	74
PID 3244 wrote to memory of 2420	3244	8920c6867df1eeaec33e3e6253524700.exe	74
PID 3244 wrote to memory of 3892	3244	8920c6867df1eeaec33e3e6253524700.exe	76
PID 3244 wrote to memory of 3892	3244	8920c6867df1eeaec33e3e6253524700.exe	76
PID 3244 wrote to memory of 3892	3244	8920c6867df1eeaec33e3e6253524700.exe	76
PID 3244 wrote to memory of 2820	3244	8920c6867df1eeaec33e3e6253524700.exe	77
PID 3244 wrote to memory of 2820	3244	8920c6867df1eeaec33e3e6253524700.exe	77
PID 3244 wrote to memory of 2820	3244	8920c6867df1eeaec33e3e6253524700.exe	77
PID 3892 wrote to memory of 3924	3892	Client.exe	79
PID 3892 wrote to memory of 3924	3892	Client.exe	79
PID 3892 wrote to memory of 3924	3892	Client.exe	79
PID 3244 wrote to memory of 200	3244	8920c6867df1eeaec33e3e6253524700.exe	84
PID 3244 wrote to memory of 200	3244	8920c6867df1eeaec33e3e6253524700.exe	84
PID 3244 wrote to memory of 200	3244	8920c6867df1eeaec33e3e6253524700.exe	84
PID 200 wrote to memory of 3804	200	cmd.exe	86
PID 200 wrote to memory of 3804	200	cmd.exe	86
PID 200 wrote to memory of 3804	200	cmd.exe	86
PID 3244 wrote to memory of 3880	3244	8920c6867df1eeaec33e3e6253524700.exe	87
PID 3244 wrote to memory of 3880	3244	8920c6867df1eeaec33e3e6253524700.exe	87
PID 3244 wrote to memory of 3880	3244	8920c6867df1eeaec33e3e6253524700.exe	87
PID 3880 wrote to memory of 3928	3880	cmd.exe	89
PID 3880 wrote to memory of 3928	3880	cmd.exe	89
PID 3880 wrote to memory of 3928	3880	cmd.exe	89
PID 3880 wrote to memory of 3972	3880	cmd.exe	90
PID 3880 wrote to memory of 3972	3880	cmd.exe	90
PID 3880 wrote to memory of 3972	3880	cmd.exe	90
PID 3880 wrote to memory of 3472	3880	cmd.exe	91
PID 3880 wrote to memory of 3472	3880	cmd.exe	91
PID 3880 wrote to memory of 3472	3880	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\8920c6867df1eeaec33e3e6253524700.exe
"C:\Users\Admin\AppData\Local\Temp\8920c6867df1eeaec33e3e6253524700.exe"
1⤵
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\8920c6867df1eeaec33e3e6253524700.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2420
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:3804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YraTizeP4P6K.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:3972
- - C:\Users\Admin\AppData\Local\Temp\8920c6867df1eeaec33e3e6253524700.exe
    "C:\Users\Admin\AppData\Local\Temp\8920c6867df1eeaec33e3e6253524700.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8920c6867df1eeaec33e3e6253524700.exe.log

MD5
1efce85e583a7a2f123317a20f889d04

SHA1
60f71aa73ea2e2a48ed1c17e3c6d440abf39c914

SHA256
2b5532a94879134a876b11c188ade1a61deaba6a80fe1f3a3a77cc442f1cca0d

SHA512
45a5cd283e6a6ac34c3d8b1a6d73dc1cf52d8c974cf84624e8e9924eddaf354ccda929bce728b47db2b62175e47bdc3eaca6bc6b84d3565881fa87c50319d24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YraTizeP4P6K.bat

MD5
a73acca21437a5a03a1d507b7b28584e

SHA1
20a717c25367e9a2a8dceace53abb80dbfa366ba

SHA256
4737dcfc0c8930b34c3b0c679ecf5fc63c35892aba56cf0be4a0c2206b75c040

SHA512
afe973c28947a0e60e023fa8eeb28cb10ae8c96d7521f62bf899a332e7afe69ba756b75d9e3ba780eb516f44dd1a5432ee1f84f3215da253fbe569e15126a7ff

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
8920c6867df1eeaec33e3e6253524700

SHA1
4ce786281b76b6949166092faa9bfccee4e2c599

SHA256
b126d2bf73da9bce2f1a0748febb99510127eee852284a75c777ebac33b39649

SHA512
fec621690ca21fc62a46c6b285a0bad0d6f3e4c792997616216b227b5a01db78b1b769c4847f3b6d0bc70d95f12b73885156b3164f319cda5d44b34861ef12e2

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
8920c6867df1eeaec33e3e6253524700

SHA1
4ce786281b76b6949166092faa9bfccee4e2c599

SHA256
b126d2bf73da9bce2f1a0748febb99510127eee852284a75c777ebac33b39649

SHA512
fec621690ca21fc62a46c6b285a0bad0d6f3e4c792997616216b227b5a01db78b1b769c4847f3b6d0bc70d95f12b73885156b3164f319cda5d44b34861ef12e2

Download Submit
memory/200-48-0x0000000000000000-mapping.dmp

Download
memory/2420-8-0x0000000000000000-mapping.dmp

Download
memory/2820-11-0x0000000000000000-mapping.dmp

Download
memory/2820-25-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/2820-46-0x0000000009630000-0x0000000009631000-memory.dmp

Filesize
4KB

Download
memory/2820-44-0x0000000009640000-0x0000000009641000-memory.dmp

Filesize
4KB

Download
memory/2820-43-0x0000000009690000-0x0000000009691000-memory.dmp

Filesize
4KB

Download
memory/2820-42-0x00000000094D0000-0x00000000094D1000-memory.dmp

Filesize
4KB

Download
memory/2820-41-0x0000000009160000-0x0000000009161000-memory.dmp

Filesize
4KB

Download
memory/2820-18-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/2820-19-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/2820-20-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/2820-21-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/2820-22-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/2820-24-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/2820-34-0x0000000009180000-0x00000000091B3000-memory.dmp

Filesize
204KB

Download
memory/2820-26-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/2820-27-0x0000000008430000-0x0000000008431000-memory.dmp

Filesize
4KB

Download
memory/3244-1-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/3244-3-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/3244-5-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/3244-0-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/3244-6-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/3244-4-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/3244-7-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/3472-55-0x0000000000000000-mapping.dmp

Download
memory/3472-58-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/3472-56-0x0000000000000000-mapping.dmp

Download
memory/3804-50-0x0000000000000000-mapping.dmp

Download
memory/3804-49-0x0000000000000000-mapping.dmp

Download
memory/3880-51-0x0000000000000000-mapping.dmp

Download
memory/3892-32-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/3892-13-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/3892-9-0x0000000000000000-mapping.dmp

Download
memory/3924-31-0x0000000000000000-mapping.dmp

Download
memory/3928-53-0x0000000000000000-mapping.dmp

Download
memory/3972-54-0x0000000000000000-mapping.dmp

Download