Overview

overview

10

Static

static

10

Venom_RAT_...NC.exe

windows10-1703-x64

10

Venom_RAT_...NC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    18-03-2023 11:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Venom_RAT_5.6_[tombstone3#3883]/Venom_RAT_COMPILED/Venom RAT + HVNC.exe

  • Size

    15.5MB

  • MD5

    dc7afff0e35d307b937803c0c9ce9950

  • SHA1

    25763c899b1e0f1d7073f287513338c2f52fd560

  • SHA256

    91fd819114314284f960159ca85b160ff39a025c55cf51960bb5262878db97f5

  • SHA512

    68e86c1e7b72c7592e3d6a911cfbc1339f9b638312ef59ae6b81bf733676813c3a6512f5d79c685e324cb0be7ae1ffafd72dd75a45116fb7c3762d78f797698b

  • SSDEEP

    196608:UA5PPrnA5PPr3lAA5PPrJSe6PC7aIahLkNPFCZZwiJl1NLIsPA8fxvuIMzd/95Un:PebljNd60T7P+Zw6NLIsFfskh1BmXG

Score
10/10
asyncratrat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Venom_RAT_5.6_[tombstone3#3883]\Venom_RAT_COMPILED\Venom RAT + HVNC.exe
    "C:\Users\Admin\AppData\Local\Temp\Venom_RAT_5.6_[tombstone3#3883]\Venom_RAT_COMPILED\Venom RAT + HVNC.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4452
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:3768
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3376
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:4828
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:436
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1564
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
        PID:3692

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\PYYS3P9L\favicon[1].png
        Filesize

        6KB

        MD5

        6aa46ede086bc0ca615bc229c0576455

        SHA1

        fcd2ef2d09e93c4d93d8348aa56147968a27ca4c

        SHA256

        323e0386709d099d7f793722c1d97aca90c8e0b9c7ac3ab26e34c3879800de8c

        SHA512

        121be3fe727650f52c1c721d9cc8ed5e3d687fda0c917699d12b7b45854caac668f70c5c2a292825a5c6593cefb29211ce29977dc7ad6d33c6d2e1237acf1148

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\2e467f22-fd46-4a8b-b54a-a1ebefcab704\SiticoneDotNetRT64.dll
        Filesize

        75KB

        MD5

        42b2c266e49a3acd346b91e3b0e638c0

        SHA1

        2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

        SHA256

        adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

        SHA512

        770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

        Download Submit
      • \Users\Admin\AppData\Local\Temp\2e467f22-fd46-4a8b-b54a-a1ebefcab704\SiticoneDotNetRT64.dll
        Filesize

        75KB

        MD5

        42b2c266e49a3acd346b91e3b0e638c0

        SHA1

        2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

        SHA256

        adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

        SHA512

        770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

        Download Submit
      • memory/1564-409-0x0000018D73B90000-0x0000018D73B92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-413-0x0000018D73BD0000-0x0000018D73BD2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-359-0x0000018D743A0000-0x0000018D743A2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-429-0x0000018D753B0000-0x0000018D753B2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-427-0x0000018D75390000-0x0000018D75392000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-361-0x0000018D743C0000-0x0000018D743C2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-423-0x0000018D75350000-0x0000018D75352000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-421-0x0000018D75330000-0x0000018D75338000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1564-419-0x0000018D745C0000-0x0000018D745C3000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1564-417-0x0000018D743F0000-0x0000018D743F2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-415-0x0000018D73BF0000-0x0000018D73BF2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-411-0x0000018D73BB0000-0x0000018D73BB2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-407-0x0000018D73B70000-0x0000018D73B72000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-405-0x0000018D73B60000-0x0000018D73B62000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-403-0x0000018D73A60000-0x0000018D73A62000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-401-0x0000018D73860000-0x0000018D73862000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-399-0x0000018D73840000-0x0000018D73842000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-397-0x0000018D73820000-0x0000018D73822000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-368-0x0000018D72870000-0x0000018D72890000-memory.dmp
        Filesize

        128KB

        Download
      • memory/1564-425-0x0000018D75370000-0x0000018D75372000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-431-0x0000018D753D0000-0x0000018D753D2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-353-0x0000018D74160000-0x0000018D74162000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-355-0x0000018D74360000-0x0000018D74362000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-351-0x0000018D72DF0000-0x0000018D72DF2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1564-357-0x0000018D74380000-0x0000018D74382000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3376-150-0x0000025741020000-0x0000025741030000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3376-187-0x00000257411E0000-0x00000257411E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3376-189-0x00000257416B0000-0x00000257416B2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3376-191-0x0000025745B40000-0x0000025745B42000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3376-168-0x0000025741840000-0x0000025741850000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3376-382-0x0000025747540000-0x0000025747541000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3376-383-0x0000025747550000-0x0000025747551000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3376-192-0x0000025745BA0000-0x0000025745BA2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4452-121-0x0000013539E10000-0x0000013539E22000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4452-137-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4452-138-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4452-141-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4452-140-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4452-120-0x0000013538AF0000-0x0000013539A82000-memory.dmp
        Filesize

        15.6MB

        Download
      • memory/4452-139-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4452-142-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4452-123-0x0000013554B10000-0x0000013554D78000-memory.dmp
        Filesize

        2.4MB

        Download
      • memory/4452-143-0x00000135586D0000-0x0000013558922000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/4452-136-0x0000013557960000-0x000001355799E000-memory.dmp
        Filesize

        248KB

        Download
      • memory/4452-135-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4452-134-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4452-133-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4452-131-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4452-132-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4452-130-0x00007FFB7F840000-0x00007FFB7F96C000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4452-122-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4452-609-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4452-610-0x00000135547B0000-0x00000135547C0000-memory.dmp
        Filesize

        64KB

        Download