Overview

overview

10

Static

static

10

New folder/7z.exe

windows10-2004-x64

1

New folder...to.dll

windows10-2004-x64

1

New folder...I2.dll

windows10-2004-x64

1

New folder...es.dll

windows10-2004-x64

1

New folder...rd.dll

windows10-2004-x64

1

New folder...ra.dll

windows10-2004-x64

1

New folder...un.dll

windows10-2004-x64

1

New folder...er.exe

windows10-2004-x64

1

New folder...ns.dll

windows10-2004-x64

1

New folder...nt.exe

windows10-2004-x64

10

New folder...le.dll

windows10-2004-x64

1

New folder...fo.dll

windows10-2004-x64

1

New folder...ss.dll

windows10-2004-x64

1

New folder...ls.dll

windows10-2004-x64

1

New folder...es.dll

windows10-2004-x64

1

New folder...me.dll

windows10-2004-x64

1

New folder...rs.dll

windows10-2004-x64

1

New folder...ns.dll

windows10-2004-x64

1

New folder...on.dll

windows10-2004-x64

1

New folder...le.dll

windows10-2004-x64

1

New folder...on.dll

windows10-2004-x64

1

New folder...fo.dll

windows10-2004-x64

1

New folder...es.dll

windows10-2004-x64

1

New folder...er.dll

windows10-2004-x64

1

New folder...em.dll

windows10-2004-x64

1

New folder...ge.dll

windows10-2004-x64

1

New folder...es.dll

windows10-2004-x64

1

New folder...es.dll

windows10-2004-x64

1

New folder...am.dll

windows10-2004-x64

1

New folder...IO.dll

windows10-2004-x64

1

New folder...ns.dll

windows10-2004-x64

1

New folder...NC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-04-2023 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New folder/VenomRAT_HVNC.exe

  • Size

    16.6MB

  • MD5

    5384c0396589430eeb3d1a2e05703e9a

  • SHA1

    20da44da7639bbef2f6b5bfc21df7474cd1109af

  • SHA256

    b4250aff983f1f588593baed1adb4797e6c1ab6225595ebd013b50348a57a459

  • SHA512

    9bf613ee62b0e56af500dd88f572b2221ad6df63b0b4c0dcb0ef763efcebeac633a95f10dfce90f6cff038df2810681dd55dcdd272eb9f907c670cc2e4f7363a

  • SSDEEP

    393216:Al9Yl7Elel7ElAlQleTl/l/l/l/l/lzlml/lqlZlHl/l/l/l/l/l/lIlAl+lUl2L:6TXT

Score
10/10
asyncratagilenetrat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New folder\VenomRAT_HVNC.exe
    "C:\Users\Admin\AppData\Local\Temp\New folder\VenomRAT_HVNC.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1436
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:888

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ce5561ca-8be2-48c6-aded-c0fd7a17d1be\AgileDotNetRT.dll
      Filesize

      94KB

      MD5

      14ff402962ad21b78ae0b4c43cd1f194

      SHA1

      f8a510eb26666e875a5bdd1cadad40602763ad72

      SHA256

      fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

      SHA512

      daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ce5561ca-8be2-48c6-aded-c0fd7a17d1be\AgileDotNetRT.dll
      Filesize

      94KB

      MD5

      14ff402962ad21b78ae0b4c43cd1f194

      SHA1

      f8a510eb26666e875a5bdd1cadad40602763ad72

      SHA256

      fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

      SHA512

      daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

      Download Submit
    • C:\Users\Admin\AppData\Local\VenomRAT_HVNC\VenomRAT_HVNC.exe_Url_qke1dwpj51gii1442axu3vv4l0pxgtp1\5.0.4.0\hcmokmmd.newcfg
      Filesize

      459B

      MD5

      a62280a7bda22985a7011ba4fd03dee7

      SHA1

      e8f07b9300334f9aed943f178108739fe9b83d51

      SHA256

      5b984f96393800acb5e12531fa0ae093f814a3c7c0329f8c8c06e3f0eade895b

      SHA512

      81398211be01e9cf04865b67f194fa5bab92ba151a1e81e82b2203fe0fbd6353a19f12e14e85dc3d6ded9b0d27618af6b21587bef54ed5f12d0f49b82c16b4ae

      Download Submit
    • C:\Users\Admin\AppData\Local\VenomRAT_HVNC\VenomRAT_HVNC.exe_Url_qke1dwpj51gii1442axu3vv4l0pxgtp1\5.0.4.0\user.config
      Filesize

      337B

      MD5

      11b6e128fe1d399f09d6c91197e3d3f7

      SHA1

      f5f205664c52933930eafa74ebcbda141a39787e

      SHA256

      19e270cfd60519790a510502673ee715cce937b2cae3b059793eea83e42bec7e

      SHA512

      cbcec3af6b28bb94f0c8308edc543fa3d2058764f4c9ef2d03a0c17d630afb5083b618ecd3cc7bcc5bb9902de0e62d67b0851bc5d0135a12fbd00bd16c7958b5

      Download Submit
    • memory/1436-147-0x0000000005AA0000-0x0000000005AB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1436-149-0x0000000005AA0000-0x0000000005AB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1436-137-0x0000000005B80000-0x0000000005B8A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1436-136-0x0000000005A50000-0x0000000005A62000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1436-133-0x0000000000050000-0x00000000010EA000-memory.dmp
      Filesize

      16.6MB

      Download
    • memory/1436-146-0x0000000073900000-0x0000000073989000-memory.dmp
      Filesize

      548KB

      Download
    • memory/1436-148-0x0000000005AA0000-0x0000000005AB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1436-138-0x0000000005EE0000-0x00000000060F0000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/1436-150-0x0000000005AA0000-0x0000000005AB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1436-151-0x000000000BB80000-0x000000000BDD2000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/1436-154-0x0000000005AA0000-0x0000000005AB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1436-135-0x0000000005AD0000-0x0000000005B62000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1436-134-0x0000000006160000-0x0000000006704000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1436-205-0x0000000005AA0000-0x0000000005AB0000-memory.dmp
      Filesize

      64KB

      Download