Analysis
-
max time kernel
151s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
18-03-2023 15:33
General
-
Target
Venom5-HVNC-Rat.exe
-
Size
9.6MB
-
MD5
7e0817e3a41335f54a977e51fc226d16
-
SHA1
7d8d8fa29e93485411c9071e5add28027ca6b4b5
-
SHA256
13c2f14da985be19ee598514bd96e8a7a75ebfa297560d8bc64f9673693b3c67
-
SHA512
ccfab96b17073a70f85e01f8e322a0836439ca08fab58de359a732ed48136ee2a08c1cb55f1a63f421f70f3a778960bb3392c69fce448637a62e0f2e88e899d8
-
SSDEEP
196608:J1hG0XvXdb5e0hnHTW3GwhXscv84MzaVpXeEWgJfbC1xllS7o/rlf4:J15db5eaHT4GYrvbMG6K+jQ4hw
Malware Config
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Obfuscated with Agile.Net obfuscator 4 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 48 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat.exe"C:\Users\Admin\AppData\Local\Temp\Venom5-HVNC-Rat.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\crack.exe"C:\Users\Admin\AppData\Local\Temp\crack.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_HVNC.exe"C:\Users\Admin\AppData\Local\Temp\VenomRAT_HVNC.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dllFilesize
2.0MB
MD50188fce753516183a41c4d146e337778
SHA1eb0f5324e8dd08a181d4bdfc1d90543077b2ee67
SHA256ee4449bccf826cbc56c13087d54a1a69fd42464d437ce8f355ac6afb61df6829
SHA512b3aafc9a80eec37556f4e60ab23579dd7d42c060b3ca2064d6d0c16901b54500503750868bef651a01401551551e372ac9fd459029c5d0efdd2aa385384916fc
-
C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dllFilesize
2.0MB
MD50188fce753516183a41c4d146e337778
SHA1eb0f5324e8dd08a181d4bdfc1d90543077b2ee67
SHA256ee4449bccf826cbc56c13087d54a1a69fd42464d437ce8f355ac6afb61df6829
SHA512b3aafc9a80eec37556f4e60ab23579dd7d42c060b3ca2064d6d0c16901b54500503750868bef651a01401551551e372ac9fd459029c5d0efdd2aa385384916fc
-
C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dllFilesize
2.0MB
MD50188fce753516183a41c4d146e337778
SHA1eb0f5324e8dd08a181d4bdfc1d90543077b2ee67
SHA256ee4449bccf826cbc56c13087d54a1a69fd42464d437ce8f355ac6afb61df6829
SHA512b3aafc9a80eec37556f4e60ab23579dd7d42c060b3ca2064d6d0c16901b54500503750868bef651a01401551551e372ac9fd459029c5d0efdd2aa385384916fc
-
C:\Users\Admin\AppData\Local\Temp\ServerCertificate.p12Filesize
1KB
MD59eb35831c5fc4c2faa95c0490da1fd97
SHA1e9bd2d635feb0ed64b64d20b3443e479cd1778bc
SHA256676b682456910aec732f9061663309d79b1bd84a8956492881fb45d757a8427f
SHA5124ce36d18b4c06c7af205413dd155741dfa5de7a5a0058283b54fc5fd09d89323a93d21d0205a252d3f0fe70f30dec8a9133b519c113b2f975c73c0d20a144ab3
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_HVNC.exeFilesize
16.6MB
MD55384c0396589430eeb3d1a2e05703e9a
SHA120da44da7639bbef2f6b5bfc21df7474cd1109af
SHA256b4250aff983f1f588593baed1adb4797e6c1ab6225595ebd013b50348a57a459
SHA5129bf613ee62b0e56af500dd88f572b2221ad6df63b0b4c0dcb0ef763efcebeac633a95f10dfce90f6cff038df2810681dd55dcdd272eb9f907c670cc2e4f7363a
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_HVNC.exeFilesize
16.6MB
MD55384c0396589430eeb3d1a2e05703e9a
SHA120da44da7639bbef2f6b5bfc21df7474cd1109af
SHA256b4250aff983f1f588593baed1adb4797e6c1ab6225595ebd013b50348a57a459
SHA5129bf613ee62b0e56af500dd88f572b2221ad6df63b0b4c0dcb0ef763efcebeac633a95f10dfce90f6cff038df2810681dd55dcdd272eb9f907c670cc2e4f7363a
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_HVNC.exe.configFilesize
2KB
MD5fa21c166232c3b29f8d2d14557490c9c
SHA12cb1a7d4a204fc03bd6bd15aa9f431f3445a08de
SHA2565c939c46f9d81cb75180c897feb5044176ed44cd0d51e076149bd82425e4ef44
SHA512cca1dd276a093b62845e5a7652e778d07200b7158cb05a2b44e11e69ce8bc78020eeeb29d55a87a6b87a3fcc25b2883175850467002388a811abfe9945d58fd9
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_HVNC.pdbFilesize
927KB
MD52364cc04dedcc2ee6b346b1f2e59eb39
SHA10d024bb95415848661bef34961c1b343803c6dd9
SHA256c754a924a7b1df1c44a0dfc330b2e051ef47c03b711e6bf3b499035f3652ad61
SHA51224b0006cc7ebe8d45cfa7315fafc0d5cc076d83db080cb9173ea4fe4b3458bccdd571f3cec15eddd00492d8d4309a6020037cf7cb663f1410a01aa202a9dfac5
-
C:\Users\Admin\AppData\Local\Temp\cGeoIp.dllFilesize
2.3MB
MD56d6e172e7965d1250a4a6f8a0513aa9f
SHA1b0fd4f64e837f48682874251c93258ee2cbcad2b
SHA256d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0
SHA51235daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155
-
C:\Users\Admin\AppData\Local\Temp\cGeoIp.dllFilesize
2.3MB
MD56d6e172e7965d1250a4a6f8a0513aa9f
SHA1b0fd4f64e837f48682874251c93258ee2cbcad2b
SHA256d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0
SHA51235daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155
-
C:\Users\Admin\AppData\Local\Temp\cGeoIp.dllFilesize
2.3MB
MD56d6e172e7965d1250a4a6f8a0513aa9f
SHA1b0fd4f64e837f48682874251c93258ee2cbcad2b
SHA256d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0
SHA51235daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155
-
C:\Users\Admin\AppData\Local\Temp\ce5561ca-8be2-48c6-aded-c0fd7a17d1be\AgileDotNetRT.dllFilesize
94KB
MD514ff402962ad21b78ae0b4c43cd1f194
SHA1f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
C:\Users\Admin\AppData\Local\Temp\ce5561ca-8be2-48c6-aded-c0fd7a17d1be\AgileDotNetRT.dllFilesize
94KB
MD514ff402962ad21b78ae0b4c43cd1f194
SHA1f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
C:\Users\Admin\AppData\Local\Temp\crack.exeFilesize
18KB
MD5163bdc6f6240d733abf9083ac7e4eced
SHA1cf59478a54791bdbfc7e72e66e6e350cd6940a08
SHA256cb184f8c1aeb967c72b3ff6093ba3e275e3bdec4b40de4d570e92bceaaced1e9
SHA512e125e72b4066024fb38629a5c60f73fbde34e1e51425bc30170467d872410c080e59f4faa1af9b07eb2e1b288142aca86da68ba3009ad4d3236ea3f9d376f311
-
C:\Users\Admin\AppData\Local\Temp\crack.exeFilesize
18KB
MD5163bdc6f6240d733abf9083ac7e4eced
SHA1cf59478a54791bdbfc7e72e66e6e350cd6940a08
SHA256cb184f8c1aeb967c72b3ff6093ba3e275e3bdec4b40de4d570e92bceaaced1e9
SHA512e125e72b4066024fb38629a5c60f73fbde34e1e51425bc30170467d872410c080e59f4faa1af9b07eb2e1b288142aca86da68ba3009ad4d3236ea3f9d376f311
-
C:\Users\Admin\AppData\Local\Temp\crack.exeFilesize
18KB
MD5163bdc6f6240d733abf9083ac7e4eced
SHA1cf59478a54791bdbfc7e72e66e6e350cd6940a08
SHA256cb184f8c1aeb967c72b3ff6093ba3e275e3bdec4b40de4d570e92bceaaced1e9
SHA512e125e72b4066024fb38629a5c60f73fbde34e1e51425bc30170467d872410c080e59f4faa1af9b07eb2e1b288142aca86da68ba3009ad4d3236ea3f9d376f311
-
C:\Users\Admin\AppData\Local\Temp\crack.exeFilesize
18KB
MD5163bdc6f6240d733abf9083ac7e4eced
SHA1cf59478a54791bdbfc7e72e66e6e350cd6940a08
SHA256cb184f8c1aeb967c72b3ff6093ba3e275e3bdec4b40de4d570e92bceaaced1e9
SHA512e125e72b4066024fb38629a5c60f73fbde34e1e51425bc30170467d872410c080e59f4faa1af9b07eb2e1b288142aca86da68ba3009ad4d3236ea3f9d376f311
-
C:\Users\Admin\AppData\Local\Temp\packages\Vestris.ResourceLib.2.2.0-beta0004\lib\net40\Vestris.ResourceLib.xmlFilesize
286KB
MD55d2dee455b4003b6624b6dd890edb279
SHA14cdb025c8c5935bfc49871fca80fc4a346acd579
SHA25602b4fd6d46ffc9411e4688a5b088fbc7d34062024e1c93637535e093319c35b6
SHA51290f0123b6300a2fe53b7da8b50253c5807950da96dd0010e2494cc9f14d339d7a131c9653f29a585c2647634537cfbc1a1d84debc33a1b96bf7f01b88eaedee9
-
C:\Users\Admin\AppData\Local\VenomRAT_HVNC\VenomRAT_HVNC.exe_Url_5cz5fpuyjl12et1mepvmd5dp1sycc15w\5.0.4.0\user.configFilesize
337B
MD5b5763604c0fac9db744369988d8dc4d5
SHA11093595809be379a8112206e7bf7ce01d43e7f59
SHA256124d4c2e09f12760def84a0e725944533405b41bc2f2fc481fb74c10fe7ba36a
SHA512d475c1a8877347d9498280fa6080f9bdb8738a33b5030aea9e04a5ab9dd6e68e42f01d129667f51974fce5942ba1b0dda95d87490e1f387645df97dd3afa860c
-
C:\Users\Admin\AppData\Local\VenomRAT_HVNC\VenomRAT_HVNC.exe_Url_5cz5fpuyjl12et1mepvmd5dp1sycc15w\5.0.4.0\usvutrhy.newcfgFilesize
459B
MD5bcc5c03a535e667be5f555ecebd9e8ba
SHA1200469a59924edfb906706caf83d1780bc4c6c18
SHA25619fb41c1060c72be295baab9c6a564601d8461401f3f24315eead171c441e231
SHA512547b2407dcdae631c79cb9894f8bf972f89929b9c6879a523ade0a73d4959f059565aab804e12aa98fbbbe3397e62f98705bed16ddd56b519793a28959b25ab5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exeFilesize
18KB
MD5163bdc6f6240d733abf9083ac7e4eced
SHA1cf59478a54791bdbfc7e72e66e6e350cd6940a08
SHA256cb184f8c1aeb967c72b3ff6093ba3e275e3bdec4b40de4d570e92bceaaced1e9
SHA512e125e72b4066024fb38629a5c60f73fbde34e1e51425bc30170467d872410c080e59f4faa1af9b07eb2e1b288142aca86da68ba3009ad4d3236ea3f9d376f311
-
memory/1876-471-0x0000000005FF0000-0x0000000006082000-memory.dmpFilesize
584KB
-
memory/1876-492-0x00000000062C0000-0x00000000062D0000-memory.dmpFilesize
64KB
-
memory/1876-470-0x00000000066B0000-0x0000000006C54000-memory.dmpFilesize
5.6MB
-
memory/1876-664-0x00000000062C0000-0x00000000062D0000-memory.dmpFilesize
64KB
-
memory/1876-472-0x0000000005FA0000-0x0000000005FB2000-memory.dmpFilesize
72KB
-
memory/1876-473-0x00000000060C0000-0x00000000060CA000-memory.dmpFilesize
40KB
-
memory/1876-497-0x00000000062C0000-0x00000000062D0000-memory.dmpFilesize
64KB
-
memory/1876-493-0x00000000062C0000-0x00000000062D0000-memory.dmpFilesize
64KB
-
memory/1876-469-0x00000000005C0000-0x000000000165A000-memory.dmpFilesize
16.6MB
-
memory/1876-477-0x0000000006E70000-0x0000000007080000-memory.dmpFilesize
2.1MB
-
memory/1876-491-0x000000000C170000-0x000000000C3C2000-memory.dmpFilesize
2.3MB
-
memory/1876-485-0x0000000073D60000-0x0000000073DE9000-memory.dmpFilesize
548KB
-
memory/1876-487-0x00000000062C0000-0x00000000062D0000-memory.dmpFilesize
64KB
-
memory/1876-486-0x00000000062C0000-0x00000000062D0000-memory.dmpFilesize
64KB
-
memory/3268-450-0x000000001CA00000-0x000000001CA10000-memory.dmpFilesize
64KB
-
memory/3268-446-0x0000000000BD0000-0x0000000000BDC000-memory.dmpFilesize
48KB
-
memory/3268-449-0x000000001CA00000-0x000000001CA10000-memory.dmpFilesize
64KB
-
memory/4752-461-0x000001CEAD360000-0x000001CEAD361000-memory.dmpFilesize
4KB
-
memory/4752-452-0x000001CEAD360000-0x000001CEAD361000-memory.dmpFilesize
4KB
-
memory/4752-460-0x000001CEAD360000-0x000001CEAD361000-memory.dmpFilesize
4KB
-
memory/4752-459-0x000001CEAD360000-0x000001CEAD361000-memory.dmpFilesize
4KB
-
memory/4752-451-0x000001CEAD360000-0x000001CEAD361000-memory.dmpFilesize
4KB
-
memory/4752-458-0x000001CEAD360000-0x000001CEAD361000-memory.dmpFilesize
4KB
-
memory/4752-462-0x000001CEAD360000-0x000001CEAD361000-memory.dmpFilesize
4KB
-
memory/4752-453-0x000001CEAD360000-0x000001CEAD361000-memory.dmpFilesize
4KB
-
memory/4752-457-0x000001CEAD360000-0x000001CEAD361000-memory.dmpFilesize
4KB
-
memory/4752-463-0x000001CEAD360000-0x000001CEAD361000-memory.dmpFilesize
4KB