General

  • Target

    VenomRAT.rar

  • Size

    6.8MB

  • Sample

    230129-1kln6sdh47

  • MD5

    f3ee8c380e07eb30c5f5780bdc23d60e

  • SHA1

    8f55e9f20f4be614cfaf21f001b49c18ee55d173

  • SHA256

    929b11e9d778f3fb3753f2bfec104862dd325bd91546afc7dfe15803d1726a13

  • SHA512

    b10411c97b709d49b71b884e4ded9ff8ac08c8cf4c39d86b859cd9d074d2e1da4cf1f41a35d939700f032f4d11f965e92f423a3ba740af140fbc81e35511b48b

  • SSDEEP

    196608:Qkz5znlJS+E4H5ED0r3uHTtKU3H9kXTkjvANy:t7j1ghKU3d+kjV

Malware Config

Extracted

Family

arrowrat

Botnet

%Group%

C2

%Hosts%:%Ports%

Mutex

%MTX%

Targets

    • Target

      VenomRAT/Plugins/Keylogger.exe

    • Size

      10KB

    • MD5

      4f846f2117c4eab285289b0090521b1e

    • SHA1

      e25287c39bad32159417c5f0bf798625b6beff45

    • SHA256

      a17a5bf35d8b784c3111632ba7e0c30a2c1a9c2c95b549235affc16d6d055477

    • SHA512

      fd946b5f7c3c7d32f226897283de7ba3b4a4ecc2919c363877f1258cd24ed1a52bce53af2fe4ef34c4ac30d00fc456fd4e1593b79c37f7c22211f2c4f6092e5e

    • SSDEEP

      192:irtmcuq65SoDxi4maEYbRzmEsLkjgv5JHT1eJYHcwY7fazB+LEi:irtlF60GE9rUhVsLF5p1rYydmE

    • Score

      1/10

    • Target

      VenomRAT/Stub/Client.exe

    • Size

      63KB

    • MD5

      6158c0682f86511060619bba0fe864be

    • SHA1

      63a1738c87ba9449b1d572ee470da2b242742643

    • SHA256

      5bf4fc2c4d3115229d60511cad1af48019a4c291ad6144e73393e88e319f80a5

    • SHA512

      baef40b589d8717f419185ad0885173f790394827d72d78520890ae737c7ee1cebe3af062340847cfe705c223669562e7116f48ab11d59654653a0b269026bd1

    • SSDEEP

      1536:8WP+BbY58krxvI0TTCNsOoIK7q6LgRAIM8pqKmY7:8WP+BbY5xrxvI0Z7P8R8Xz

    • Score

      10/10

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Target

      VenomRAT/Stub/client

    • Size

      144KB

    • MD5

      f4fdcb900e7af47100ac9e46945fbd55

    • SHA1

      c1d235a9a2cae8d5a8d4f6ceb4eab9417e1b1fb2

    • SHA256

      9160b90fa4a6a9cf22f943dba92cec64e2dc03c2317b5d9ab50a753fc410ce43

    • SHA512

      236eef98d4695a5e1224a87a1dc598639e5c49f6dd192a96cc1b9f8305faa57078deb62d73906a33ba1c1fac4fa5ccc5f344a0f196dbba718b76a36667984ac2

    • SSDEEP

      3072:Bsp9iv+DYM5ob0HGNSKsstcnZTJQDgWPaySsdH5boWz:Op9iTMSb0mgKFcQjhdH

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    • Target

      VenomRAT/VenomRAT_HVNC.exe

    • Size

      16.5MB

    • MD5

      c90bb028354000acc74485f2db4ab492

    • SHA1

      28e6ce32a075669b3e382eaeb4871f7c3fc3bbef

    • SHA256

      54df65f59a153e58faafc63addf325b7c492f000b8cda7e3cf527f5c0080325d

    • SHA512

      9400521f9dd1fd76a914006133cd9b9dc5c8783407ff6b99fbb5a74c1a81e45818772ef4e1cabc9c67232bf60d977b48c2fadcb9401ae05e7c8e23fcf9ba7406

    • SSDEEP

      393216:sl9Yl7Elel7ElAlQleTl/l/l/l/l/lzlml/lqlZlHl/l/l/l/l/l/lIlAl+lUl2x:WTXT

    • Score

      10/10

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      VenomRAT/client.bin

    • Size

      144KB

    • MD5

      f4fdcb900e7af47100ac9e46945fbd55

    • SHA1

      c1d235a9a2cae8d5a8d4f6ceb4eab9417e1b1fb2

    • SHA256

      9160b90fa4a6a9cf22f943dba92cec64e2dc03c2317b5d9ab50a753fc410ce43

    • SHA512

      236eef98d4695a5e1224a87a1dc598639e5c49f6dd192a96cc1b9f8305faa57078deb62d73906a33ba1c1fac4fa5ccc5f344a0f196dbba718b76a36667984ac2

    • SSDEEP

      3072:Bsp9iv+DYM5ob0HGNSKsstcnZTJQDgWPaySsdH5boWz:Op9iTMSb0mgKFcQjhdH

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext
