Overview

overview

10

Static

static

10

_-Venom.exe

windows7_x64

10

_-Venom.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-06-2022 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    _-Venom.exe

  • Size

    534KB

  • MD5

    b0f6e15f83e03ea0ab502951b62c3dbf

  • SHA1

    feeb74ad283f27e9eb5e96dccc9fa1c44eab00be

  • SHA256

    6b39407f3c2b6064f483c474c9359f344f2aa8e0afef0941d33deddbc275fdb2

  • SHA512

    8641c8a0b9b46e62a91d2d47a240a8df030394fbf2460d1327428daa46fc8fbf6950d799f9c17c710473712cf44cdb016ba7d4dffeabd6f0912b65874429da45

Score
10/10
quasarvenomratoffice04ratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

littlehf.ddns.net:4566

Mutex

VNM_MUTEX_au1VZH90ssfu7up6jn

Attributes
  • encryption_key

    XZHIHOgylm3qxGXtmm9j

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Quasar Payload 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\_-Venom.exe
    "C:\Users\Admin\AppData\Local\Temp\_-Venom.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4688-130-0x0000000000F80000-0x000000000100C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4688-131-0x0000000005FD0000-0x0000000006574000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4688-132-0x0000000005A20000-0x0000000005AB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4688-133-0x0000000005E10000-0x0000000005E76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4688-134-0x00000000069E0000-0x00000000069F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4688-135-0x0000000006E10000-0x0000000006E4C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4688-136-0x0000000007180000-0x000000000718A000-memory.dmp

    Filesize

    40KB

    Download