venomrat | ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2

General

Target

ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe
Size

633KB
MD5

69355b6c74677d03607c78a720b70409
SHA1

0c9e2ed1ae4181e0114c0f0c461c3aa818594dd4
SHA256

ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2
SHA512

e6fb61da8ba421671fbab209492a7af618991806d0b6135c86ba18daa1d6b36e8cf54381996f3d9bbf6112cea65b23fa98bc1be0bb026a200a7e5abdf4dc7f47

Score

10^/10

venomrat persistence rat rootkit stealer

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2644-17-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral2/memory/2644-18-0x0000000000486C5E-mapping.dmp	disable_win_def

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\NnMbEDLZoX = "C:\\Users\\Admin\\AppData\\Roaming\\gNJKyEHWsc\\fNZGJtcQYN.exe"	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
9	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exead7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe

description	pid	Process	procid_target
PID 584 set thread context of 3028	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	77
PID 3028 set thread context of 2644	3028	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	78

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe

pid	Process
584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe
584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe
584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe
584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exead7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe

description	pid	Process
Token: SeDebugPrivilege	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe
Token: SeDebugPrivilege	2644	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe
Token: SeDebugPrivilege	2644	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe

pid	Process
2644	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exead7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exead7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe

description	pid	Process	procid_target
PID 584 wrote to memory of 3768	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	75
PID 584 wrote to memory of 3768	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	75
PID 584 wrote to memory of 3768	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	75
PID 584 wrote to memory of 3852	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	76
PID 584 wrote to memory of 3852	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	76
PID 584 wrote to memory of 3852	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	76
PID 584 wrote to memory of 3028	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	77
PID 584 wrote to memory of 3028	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	77
PID 584 wrote to memory of 3028	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	77
PID 584 wrote to memory of 3028	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	77
PID 584 wrote to memory of 3028	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	77
PID 584 wrote to memory of 3028	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	77
PID 584 wrote to memory of 3028	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	77
PID 584 wrote to memory of 3028	584	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	77
PID 3028 wrote to memory of 2644	3028	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	78
PID 3028 wrote to memory of 2644	3028	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	78
PID 3028 wrote to memory of 2644	3028	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	78
PID 3028 wrote to memory of 2644	3028	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	78
PID 3028 wrote to memory of 2644	3028	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	78
PID 3028 wrote to memory of 2644	3028	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	78
PID 3028 wrote to memory of 2644	3028	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	78
PID 3028 wrote to memory of 2644	3028	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	78
PID 2644 wrote to memory of 2748	2644	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	79
PID 2644 wrote to memory of 2748	2644	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	79
PID 2644 wrote to memory of 2748	2644	ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe	79

C:\Users\Admin\AppData\Local\Temp\ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe
"C:\Users\Admin\AppData\Local\Temp\ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584
- C:\Users\Admin\AppData\Local\Temp\ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe
  "C:\Users\Admin\AppData\Local\Temp\ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe"
  2⤵
  PID:3768
- C:\Users\Admin\AppData\Local\Temp\ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe
  "C:\Users\Admin\AppData\Local\Temp\ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe"
  2⤵
  PID:3852
- C:\Users\Admin\AppData\Local\Temp\ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe
  "C:\Users\Admin\AppData\Local\Temp\ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe
    "C:\Users\Admin\AppData\Local\Temp\ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ad7db429d4b33b6726ceffebeb9a37ac03b430616f75509029443139bf29a7b2.exe.log

MD5
4cce90d514b02375cc96049f5979fa96

SHA1
336fdb6c53577dbcac509d31bd515757817bff35

SHA256
ab019bbc94253e3afc0fc09d3722a6eecab94857c734fbd75b3e558cc48427d0

SHA512
530e3566fe42db495103a110dd50d665fef013f2ebd09db1b149f51825fd4406d4e5b8272fceb99581b47609940a2994a14893ca3712ae3cf4509c39b060d3d0

Download Submit
memory/584-1-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/584-3-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/584-4-0x000000000AC30000-0x000000000AC31000-memory.dmp

Filesize
4KB

Download
memory/584-5-0x000000000A7D0000-0x000000000A7D1000-memory.dmp

Filesize
4KB

Download
memory/584-6-0x000000000A870000-0x000000000A871000-memory.dmp

Filesize
4KB

Download
memory/584-7-0x0000000005250000-0x0000000005253000-memory.dmp

Filesize
12KB

Download
memory/584-0-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-18-0x0000000000486C5E-mapping.dmp

Download
memory/2644-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2644-19-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-24-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/2644-25-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/2644-26-0x00000000066B0000-0x00000000066B1000-memory.dmp

Filesize
4KB

Download
memory/2644-28-0x0000000006A30000-0x0000000006A31000-memory.dmp

Filesize
4KB

Download
memory/2748-27-0x0000000000000000-mapping.dmp

Download
memory/3028-9-0x000000000048D02E-mapping.dmp

Download
memory/3028-11-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-8-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads