Overview

overview

10

Static

static

10

System.Xml...nt.dll

windows10-1703-x64

1

System.Xml...nt.dll

windows10-2004-x64

1

VenomRAT_HVNC.exe

windows10-1703-x64

1

VenomRAT_HVNC.exe

windows10-2004-x64

10

VenomRAT_HVNC.exe.xml

windows10-1703-x64

1

VenomRAT_HVNC.exe.xml

windows10-2004-x64

1

Vestris.Re...ib.dll

windows10-1703-x64

1

Vestris.Re...ib.dll

windows10-2004-x64

1

cGeoIp.dll

windows10-1703-x64

1

cGeoIp.dll

windows10-2004-x64

1

protobuf-net.dll

windows10-1703-x64

1

protobuf-net.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Venom5-HVNC-Rat.rar

  • Size

    8.8MB

  • Sample

    230228-gabxfahe7v

  • MD5

    f84fed326b9437ee25ef3164688bd940

  • SHA1

    e510ad05bf62d925f711a404e22d0b78170fb25d

  • SHA256

    883ed64083968eec69d6974ce6f58e5cce6d84319a71a439edcb4f0a06283b97

  • SHA512

    6612cace68d8093d7ee756b3054322283ad48c3397f47d312a9a780996c8e75ac46d179632f1678d0eec728d7e384faa6467a4b752319dd4396e0b6fa6916a1d

  • SSDEEP

    196608:TWtEMYTCvgcJm2KCQtuHTkJJkz5A9bLJgEM4TsZBkuCq4:i1YTCvgcJipgmC+nTsZBkun4

Score
10/10
arrowratasyncrat%group%agilenetrat

Malware Config

Extracted

Family

arrowrat

Botnet

%Group%

C2

%Hosts%:%Ports%

Mutex

%MTX%

Targets

    • Target

      System.Xml.XPath.XDocument.dll

    • Size

      22KB

    • MD5

      a5f541655a9edc24f4b5184a40e40227

    • SHA1

      90e196dcd76168f770abe30098399bc5866adf1b

    • SHA256

      b33d08149a756a401628d11bfddfeeaca1f03c0578395bb061dae44f8a12ce5d

    • SHA512

      c4d13e95114e232300b36ed7b7a72ce786f66d0f68b0ed9d54fef788a831b39c893daa3c2de982b376a56a539c23e8f314ce8552ed7094e6826d5f70bfbe2d4b

    • SSDEEP

      384:58G4YC2W+wW8WpwWOFm0GftpBjBdDcaQHRN78lgCovnt/:2GZ5QVipgLzH/h

    Score
    1/10
    behavioral1behavioral2

    • Target

      VenomRAT_HVNC.exe

    • Size

      16.6MB

    • MD5

      5384c0396589430eeb3d1a2e05703e9a

    • SHA1

      20da44da7639bbef2f6b5bfc21df7474cd1109af

    • SHA256

      b4250aff983f1f588593baed1adb4797e6c1ab6225595ebd013b50348a57a459

    • SHA512

      9bf613ee62b0e56af500dd88f572b2221ad6df63b0b4c0dcb0ef763efcebeac633a95f10dfce90f6cff038df2810681dd55dcdd272eb9f907c670cc2e4f7363a

    • SSDEEP

      393216:Al9Yl7Elel7ElAlQleTl/l/l/l/l/lzlml/lqlZlHl/l/l/l/l/l/lIlAl+lUl2L:6TXT

    Score
    10/10
    asyncratagilenetrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Async RAT payload

      rat

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet
    behavioral3behavioral4

    • Target

      VenomRAT_HVNC.exe.config

    • Size

      2KB

    • MD5

      fa21c166232c3b29f8d2d14557490c9c

    • SHA1

      2cb1a7d4a204fc03bd6bd15aa9f431f3445a08de

    • SHA256

      5c939c46f9d81cb75180c897feb5044176ed44cd0d51e076149bd82425e4ef44

    • SHA512

      cca1dd276a093b62845e5a7652e778d07200b7158cb05a2b44e11e69ce8bc78020eeeb29d55a87a6b87a3fcc25b2883175850467002388a811abfe9945d58fd9

    Score
    1/10
    behavioral5behavioral6

    • Target

      Vestris.ResourceLib.dll

    • Size

      76KB

    • MD5

      22fbd571c82399e06e0a7321eedef722

    • SHA1

      ed5aa859dc8141d93a2bd8a8dd14fc50391b66db

    • SHA256

      c05a6f13106e2dd10ae279c3435fb63fbabdc328f94d8065231c3cacfff5fc4b

    • SHA512

      65aa846054a2b0c0dcb2db15273269d8514e000ac67e71542f910d8f556a0ea11e5ab5400b7f2026e5e51fef185d8e12379ac52fa4788c8940727a3721d134d0

    • SSDEEP

      1536:RS0nOie9ZLjnhULE4ocLF3zqvtm0KMtI9eWG3fL+:M0w9ZPnGLEPc1qvtTKr9eHa

    Score
    1/10
    behavioral7behavioral8

    • Target

      cGeoIp.dll

    • Size

      2.3MB

    • MD5

      6d6e172e7965d1250a4a6f8a0513aa9f

    • SHA1

      b0fd4f64e837f48682874251c93258ee2cbcad2b

    • SHA256

      d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0

    • SHA512

      35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155

    • SSDEEP

      24576:TRgJE8pkCLLe/K43EnnnclQwIqJY0OjklWXQMFBRpmkL/59ah0USm3uwl00odi9p:TRgfX/59a6USdi9Ues6bV6boLO6r

    Score
    1/10
    behavioral10behavioral9

    • Target

      protobuf-net.dll

    • Size

      269KB

    • MD5

      4a4756e227c10623d81228bc4bc49c1d

    • SHA1

      964014f538918d85f6eb6a7b4023b304067b28f7

    • SHA256

      042b8c1c1e0eb7648b164ee48c95168c48324f1fb439cabd5f2e41db0938d807

    • SHA512

      93d2c6f47c618dc9493f5a538cbfb5a32c1e3bb35a623b51561057245f2fa557c452ee18ae274182c3e0440b77353c5490d196f16eda142b6129e8d1108e5a04

    • SSDEEP

      3072:2ne8csJldhXG4JhEj9n8RHq6MY7qLfoDb4LUcqbrKKu55O/u85wcT/0c8yiwo3aa:2nT7JxXJ7qFLMrKXE/9YLy1W2WNU6

    Score
    1/10
    behavioral11behavioral12

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks