Overview
Analysis
- max time kernel: 154s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-04-2023 14:50
Behavioral tasks (sample, resource)
- behavioral1: New folder/7z.exe (win10v2004-20230221-en)
- behavioral2: New folder/BouncyCastle.Crypto.dll (win10v2004-20230220-en)
- behavioral3: New folder/Guna.UI2.dll (win10v2004-20230221-en)
- behavioral4: New folder/Microsoft.Win32.Primitives.dll (win10v2004-20230220-en)
- behavioral5: New folder/Plugins/Discord.dll (win10v2004-20230220-en)
- behavioral6: New folder/Plugins/Extra.dll (win10v2004-20230220-en)
- behavioral7: New folder/Plugins/Fun.dll (win10v2004-20230220-en)
- behavioral8: New folder/Plugins/Keylogger.exe (win10v2004-20230220-en)
- behavioral9: New folder/Plugins/Options.dll (win10v2004-20230220-en)
- behavioral10: New folder/Stub/Client.exe (win10v2004-20230221-en)
- behavioral11: New folder/System.Console.dll (win10v2004-20230220-en)
- behavioral12: New folder/System.Diagnostics.FileVersionInfo.dll (win10v2004-20230220-en)
- behavioral13: New folder/System.Diagnostics.Process.dll (win10v2004-20230220-en)
- behavioral14: New folder/System.Diagnostics.Tools.dll (win10v2004-20230220-en)
- behavioral15: New folder/System.Drawing.Primitives.dll (win10v2004-20230220-en)
- behavioral16: New folder/System.Dynamic.Runtime.dll (win10v2004-20230220-en)
- behavioral17: New folder/System.Globalization.Calendars.dll (win10v2004-20230220-en)
- behavioral18: New folder/System.Globalization.Extensions.dll (win10v2004-20230221-en)
- behavioral19: New folder/System.Globalization.dll (win10v2004-20230220-en)
- behavioral20: New folder/System.IO.Compression.ZipFile.dll (win10v2004-20230220-en)
- behavioral21: New folder/System.IO.Compression.dll (win10v2004-20230220-en)
- behavioral22: New folder/System.IO.FileSystem.DriveInfo.dll (win10v2004-20230220-en)
- behavioral23: New folder/System.IO.FileSystem.Primitives.dll (win10v2004-20230220-en)
- behavioral24: New folder/System.IO.FileSystem.Watcher.dll (win10v2004-20230220-en)
- behavioral25: New folder/System.IO.FileSystem.dll (win10v2004-20230220-en)
- behavioral26: New folder/System.IO.IsolatedStorage.dll (win10v2004-20230220-en)
- behavioral27: New folder/System.IO.MemoryMappedFiles.dll (win10v2004-20230220-en)
- behavioral28: New folder/System.IO.Pipes.dll (win10v2004-20230220-en)
- behavioral29: New folder/System.IO.UnmanagedMemoryStream.dll (win10v2004-20230221-en)
- behavioral30: New folder/System.IO.dll (win10v2004-20230220-en)
- behavioral31: New folder/System.Linq.Expressions.dll (win10v2004-20230221-en)
General
- Target: New folder/VenomRAT_HVNC.exe
- Size: 16.6MB
- MD5: 5384c0396589430eeb3d1a2e05703e9a
- SHA1: 20da44da7639bbef2f6b5bfc21df7474cd1109af
- SHA256: b4250aff983f1f588593baed1adb4797e6c1ab6225595ebd013b50348a57a459
- SHA512: 9bf613ee62b0e56af500dd88f572b2221ad6df63b0b4c0dcb0ef763efcebeac633a95f10dfce90f6cff038df2810681dd55dcdd272eb9f907c670cc2e4f7363a
- SSDEEP: 393216:Al9Yl7Elel7ElAlQleTl/l/l/l/l/lzlml/lqlZlHl/l/l/l/l/l/lIlAl+lUl2L:6TXT
Malware Config
Signatures
- Async RAT payload (1 IoC)
  resource yara_rule: behavioral32/memory/1436-133-0x0000000000050000-0x00000000010EA000-memory.dmp (asyncrat)
- Loads dropped DLL (1 IoC)
  pid 1436, process VenomRAT_HVNC.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource yara_rule: behavioral32/memory/1436-138-0x0000000005EE0000-0x00000000060F0000-memory.dmp (agile_net)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (VenomRAT_HVNC.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (VenomRAT_HVNC.exe)
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 1436, process VenomRAT_HVNC.exe (25 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 1436, process VenomRAT_HVNC.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1436, process VenomRAT_HVNC.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid 1436, process VenomRAT_HVNC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\New folder\VenomRAT_HVNC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New folder\VenomRAT_HVNC.exe"
  PID: 1436
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 888
Network
- Remote address: 8.8.8.8:53
  Request: 240.232.18.117.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 58.55.71.13.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 71.31.126.40.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 209.205.72.20.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 0.77.109.52.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: assets.msn.com IN A
  Response:
    assets.msn.com IN CNAME assets.msn.com.edgekey.net
    assets.msn.com.edgekey.net IN CNAME e28578.d.akamaiedge.net
    e28578.d.akamaiedge.net IN A 104.109.250.170
    e28578.d.akamaiedge.net IN A 104.109.250.194
    e28578.d.akamaiedge.net IN A 104.109.250.180
    e28578.d.akamaiedge.net IN A 104.109.250.178
-
- GET https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=7b2683a9-4492-4ce4-b5ad-3f93812d3890&ocid=windows-windowsShell-feeds&user=m-81279b69b0d24a4e92f189cdcac91583&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask
  Remote address: 104.109.250.170:443
  Request: GET /serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=7b2683a9-4492-4ce4-b5ad-3f93812d3890&ocid=windows-windowsShell-feeds&user=m-81279b69b0d24a4e92f189cdcac91583&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask HTTP/2.0
host: assets.msn.com
x-search-account: None
accept-encoding: gzip, deflate
x-device-machineid: {BC929805-684E-4860-BCA8-5ABA63544476}
x-userageclass: Unknown
x-bm-market: US
x-bm-dateformat: M/d/yyyy
x-device-ossku: 48
x-bm-dtz: 0
x-deviceid: 0100B2E609000CC3
x-bm-windowsflights: FX:117B9872,FX:119E26AD,FX:11D898D7,FX:11DB147C,FX:11DE505A,FX:11E11E97,FX:11E3E2BA,FX:11E50151,FX:11E9EE98,FX:11F1992A,FX:11F4161E,FX:11F41B68,FX:11FB0F2F,FX:1201B330,FX:1202B7FC,FX:120BB68E,FX:121A20E1,FX:121BF15F,FX:121E5EC8,FX:122D8E86,FX:123031A3,FX:1231B88B,FX:123371B1,FX:1233C945,FX:123D7C31,FX:1240013C,FX:1246E4A3,FX:1248306D,FX:124B38D0,FX:1250080B,FX:125A7FDA,FX:1264FA75,FX:126DBC22,FX:127159BE,FX:12769734,FX:127C935B,FX:127DC03A,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB
sitename: www.msn.com
x-bm-theme: 000000;0078d7
muid: 81279B69B0D24A4E92F189CDCAC91583
x-agent-deviceid: 0100B2E609000CC3
x-bm-onlinesearchdisabled: true
x-bm-cbt: 1680713652
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.2.19041; 10.0.0.0.19041.1288) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
x-device-isoptin: false
accept-language: en-US, en
x-device-touch: false
x-device-clientsession: 71CACF29D49043F2B35AB655800BC251
cookie: MUID=81279B69B0D24A4E92F189CDCAC91583
  Response: HTTP/2.0 200
server: Kestrel
access-control-allow-credentials: true
access-control-allow-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
access-control-allow-methods: PUT,PATCH,POST,GET,OPTIONS,DELETE
access-control-allow-origin: *.msn.com
access-control-expose-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
content-encoding: gzip
ddd-authenticatedwithjwtflow: False
ddd-usertype: AnonymousMuid
ddd-tmpl: coldStart:1;lowT:0;TeaserTemp_cold:1;TeaserVisibility_cold:1;winbadge:1;SevereWeather_cold:1;Nowcast_cold:1;lowC:0;WildFire_cold:1;tbn:0;coldStartUpsell:1;SportsMatch_all:1;partialResponse:1
ddd-feednewsitemcount: 0
x-wpo-activityid: F802A5CF-B2C6-41B2-B91A-2AE4AA92C02A|2023-04-05T14:54:15.9432670Z|fabric:/wpo|WEU|WPO_20
ddd-activityid: f802a5cf-b2c6-41b2-b91a-2ae4aa92c02a
ddd-strategyexecutionlatency: 00:00:00.6365030
ddd-debugid: f802a5cf-b2c6-41b2-b91a-2ae4aa92c02a|2023-04-05T14:54:15.9529395Z|fabric:/winfeed|WEU|WinFeed_195
onewebservicelatency: 638
x-msedge-responseinfo: 638
x-ceto-ref: 642d8b97f576485680b78fbd66e76f11|2023-04-05T14:54:15.311Z
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]}
expires: Wed, 05 Apr 2023 14:54:15 GMT
date: Wed, 05 Apr 2023 14:54:15 GMT
content-length: 9211
akamai-request-bc: [a=104.109.250.166,b=1217940122,c=g,n=CH_ZH_GLATTBRUGG,o=20940],[a=20.23.114.34,c=o]
server-timing: clientrtt; dur=49, clienttt; dur=656, origin; dur=655 , cdntime; dur=1
akamai-cache-status: Miss from child
akamai-server-ip: 104.109.250.166
akamai-request-id: 48984a9a
x-as-suppresssetcookie: 1
cache-control: private, max-age=0
timing-allow-origin: *
vary: Origin
- Remote address: 8.8.8.8:53
  Request: 108.211.229.192.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 170.250.109.104.in-addr.arpa IN PTR
  Response: 170.250.109.104.in-addr.arpa IN PTR a104-109-250-170.deploy.static.akamaitechnologies.com
- Remote address: 8.8.8.8:53
  Request: 250.255.255.239.in-addr.arpa IN PTR
  Response: (empty)
Network flows (remote address, request, protocol, bytes sent / received, packets sent / received)
- 104.109.250.170:443, https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=7b2683a9-4492-4ce4-b5ad-3f93812d3890&ocid=windows-windowsShell-feeds&user=m-81279b69b0d24a4e92f189cdcac91583&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask, tls/http2, 2.9kB / 18.7kB, 26 / 25
  HTTP Request: GET https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=7b2683a9-4492-4ce4-b5ad-3f93812d3890&ocid=windows-windowsShell-feeds&user=m-81279b69b0d24a4e92f189cdcac91583&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask
  HTTP Response: 200
- DNS Request 240.232.18.117.in-addr.arpa: 73 B / 144 B, 1 / 1
- DNS Request 58.55.71.13.in-addr.arpa: 70 B / 144 B, 1 / 1
- DNS Request 71.31.126.40.in-addr.arpa: 71 B / 157 B, 1 / 1
- DNS Request 209.205.72.20.in-addr.arpa: 72 B / 158 B, 1 / 1
- DNS Request 0.77.109.52.in-addr.arpa: 70 B / 144 B, 1 / 1
- DNS Request assets.msn.com: 60 B / 198 B, 1 / 1
  DNS Response: 104.109.250.170, 104.109.250.194, 104.109.250.180, 104.109.250.178
- DNS Request 108.211.229.192.in-addr.arpa: 74 B / 145 B, 1 / 1
- DNS Request 170.250.109.104.in-addr.arpa: 74 B / 141 B, 1 / 1
- DNS Request 250.255.255.239.in-addr.arpa: 74 B / 131 B, 1 / 1
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 94KB
  MD5: 14ff402962ad21b78ae0b4c43cd1f194
  SHA1: f8a510eb26666e875a5bdd1cadad40602763ad72
  SHA256: fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
  SHA512: daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
- C:\Users\Admin\AppData\Local\VenomRAT_HVNC\VenomRAT_HVNC.exe_Url_qke1dwpj51gii1442axu3vv4l0pxgtp1\5.0.4.0\hcmokmmd.newcfg
  Filesize: 459B
  MD5: a62280a7bda22985a7011ba4fd03dee7
  SHA1: e8f07b9300334f9aed943f178108739fe9b83d51
  SHA256: 5b984f96393800acb5e12531fa0ae093f814a3c7c0329f8c8c06e3f0eade895b
  SHA512: 81398211be01e9cf04865b67f194fa5bab92ba151a1e81e82b2203fe0fbd6353a19f12e14e85dc3d6ded9b0d27618af6b21587bef54ed5f12d0f49b82c16b4ae
- C:\Users\Admin\AppData\Local\VenomRAT_HVNC\VenomRAT_HVNC.exe_Url_qke1dwpj51gii1442axu3vv4l0pxgtp1\5.0.4.0\user.config
  Filesize: 337B
  MD5: 11b6e128fe1d399f09d6c91197e3d3f7
  SHA1: f5f205664c52933930eafa74ebcbda141a39787e
  SHA256: 19e270cfd60519790a510502673ee715cce937b2cae3b059793eea83e42bec7e
  SHA512: cbcec3af6b28bb94f0c8308edc543fa3d2058764f4c9ef2d03a0c17d630afb5083b618ecd3cc7bcc5bb9902de0e62d67b0851bc5d0135a12fbd00bd16c7958b5