Analysis

  • max time kernel
    154s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-04-2023 14:50

General

  • Target: New folder/VenomRAT_HVNC.exe
  • Size: 16.6MB
  • MD5: 5384c0396589430eeb3d1a2e05703e9a
  • SHA1: 20da44da7639bbef2f6b5bfc21df7474cd1109af
  • SHA256: b4250aff983f1f588593baed1adb4797e6c1ab6225595ebd013b50348a57a459
  • SHA512: 9bf613ee62b0e56af500dd88f572b2221ad6df63b0b4c0dcb0ef763efcebeac633a95f10dfce90f6cff038df2810681dd55dcdd272eb9f907c670cc2e4f7363a
  • SSDEEP: 393216:Al9Yl7Elel7ElAlQleTl/l/l/l/l/lzlml/lqlZlHl/l/l/l/l/l/lIlAl+lUl2L:6TXT

Score
10/10

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, built to monitor and control other computers remotely. VenomRAT is derived from the AsyncRAT code base, which is why this signature fires on a file named VenomRAT_HVNC.exe.

  • Async RAT payload (1 IoC)
  • Loads dropped DLL (1 IoC)

    The only DLL dropped in this run is the Agile.Net runtime AgileDotNetRT.dll, written to a GUID-named folder under %TEMP% (see Downloads).

  • Obfuscated with Agile.Net obfuscator (1 IoC)

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (25 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
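
The file- and registry-based signatures above (Loads dropped DLL, Obfuscated with Agile.Net, Checks processor information in registry) can be re-derived from a per-process API trace. The script below is an added example written for this page, not the sandbox's own detection logic. Its trace line format (pid=N api=Name key="value") is constructed; the registry key it treats as "processor information", HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor, is an assumption, since the report records the read but not the key; and its Agile.Net rule keys on the runtime DLL name as a behavioural stand-in for the report's static signature.

```python
r"""Re-derive three behavioural signatures from an API trace.

Added example for this report, not the sandbox's own detection code.
The trace format (pid=N api=Name key="value" ...) is constructed, and the
registry key used for the processor check is an assumption: the report says
processor information was read but does not name the key.
"""
import re
from collections import defaultdict

EVENT = re.compile(r"^pid=(?P<pid>\d+)\s+api=(?P<api>\w+)\s*(?P<rest>.*)$")
KV = re.compile(r'(\w+)="([^"]*)"')

WRITE_APIS = {"NtWriteFile", "WriteFile"}
LOAD_APIS = {"LdrLoadDll", "LoadLibraryW", "LoadLibraryExW"}
REG_APIS = {"NtOpenKey", "NtQueryValueKey", "RegOpenKeyExW", "RegQueryValueExW"}

# Assumed location of the processor strings a sandbox check would read
# (ProcessorNameString, Identifier, VendorIdentifier live under here on Windows).
CPU_KEY = re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I)
# Runtime DLL that Agile.Net-protected binaries carry and unpack at start-up.
AGILE_RT = re.compile(r"\\AgileDotNetRT(?:64)?\.dll$", re.I)


def parse_event(line):
    """Return (pid, api, {field: value}) or None for a line that is not an event."""
    m = EVENT.match(line.strip())
    if not m:
        return None
    return int(m["pid"]), m["api"], dict(KV.findall(m["rest"]))


def triage(lines):
    """Map each matched signature name (as the report labels it) to its IoCs."""
    written = defaultdict(set)      # pid -> lower-cased paths that process wrote
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid, api, f = ev
        path = f.get("path", "")
        if api in WRITE_APIS and path:
            written[pid].add(path.lower())
            if AGILE_RT.search(path):
                hits["Obfuscated with Agile.Net obfuscator"].append(path)
        elif api in LOAD_APIS and path:
            # "Loads dropped DLL": the module comes from a file the same process wrote earlier
            if path.lower() in written[pid]:
                hits["Loads dropped DLL"].append(path)
        elif api in REG_APIS:
            key = f.get("key", "")
            if CPU_KEY.match(key):
                ioc = key + ("\\" + f["value"] if "value" in f else "")
                hits["Checks processor information in registry"].append(ioc)
    return dict(hits)


# Constructed trace modelled on the report's process tree (PID 1436 = VenomRAT_HVNC.exe,
# PID 888 = WmiApSrv.exe); the DLL path is the one listed under Downloads.
SAMPLE_TRACE = [
    r'pid=1436 api=NtWriteFile path="C:\Users\Admin\AppData\Local\Temp\ce5561ca-8be2-48c6-aded-c0fd7a17d1be\AgileDotNetRT.dll"',
    r'pid=1436 api=LdrLoadDll path="C:\Users\Admin\AppData\Local\Temp\ce5561ca-8be2-48c6-aded-c0fd7a17d1be\AgileDotNetRT.dll"',
    r'pid=1436 api=LdrLoadDll path="C:\Windows\System32\wininet.dll"',
    r'pid=1436 api=RegOpenKeyExW key="HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0"',
    r'pid=1436 api=RegQueryValueExW key="HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0" value="ProcessorNameString"',
    r'pid=888 api=RegOpenKeyExW key="HKLM\SOFTWARE\Microsoft\Wbem\CIMOM"',
]

if __name__ == "__main__":
    for name, iocs in triage(SAMPLE_TRACE).items():
        print(f"{name} ({len(iocs)} IoCs)")
        for ioc in iocs:
            print("   ", ioc)
```

The "Loads dropped DLL" rule only fires when a module load follows a write of the same path by the same PID, so the system DLL loaded from System32 in the sample trace is not flagged, and WmiApSrv.exe's unrelated WMI key is ignored. On this constructed trace the counts come out as in the report: one dropped DLL, one Agile.Net hit, two processor-information IoCs.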

Processes

  • C:\Users\Admin\AppData\Local\Temp\New folder\VenomRAT_HVNC.exe
    "C:\Users\Admin\AppData\Local\Temp\New folder\VenomRAT_HVNC.exe"
    PID: 1436
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    PID: 888

    Network

    The only decoded HTTP exchange below is the Windows shell's MSN news-feed background task (note the Cortana user-agent and caller=bgtask in the request), i.e. operating-system noise rather than command-and-control traffic; the remaining connections carry no decoded payload. No C2 configuration was extracted from this run (the Malware Config section above is empty).

    • DNS (US): 240.232.18.117.in-addr.arpa, remote address 8.8.8.8:53
      Request: 240.232.18.117.in-addr.arpa IN PTR
      Response: (no records)
    • DNS (US): 58.55.71.13.in-addr.arpa, remote address 8.8.8.8:53
      Request: 58.55.71.13.in-addr.arpa IN PTR
      Response: (no records)
    • DNS (US): 71.31.126.40.in-addr.arpa, remote address 8.8.8.8:53
      Request: 71.31.126.40.in-addr.arpa IN PTR
      Response: (no records)
    • DNS (US): 209.205.72.20.in-addr.arpa, remote address 8.8.8.8:53
      Request: 209.205.72.20.in-addr.arpa IN PTR
      Response: (no records)
    • DNS (US): 0.77.109.52.in-addr.arpa, remote address 8.8.8.8:53
      Request: 0.77.109.52.in-addr.arpa IN PTR
      Response: (no records)
    • DNS (US): assets.msn.com, remote address 8.8.8.8:53
      Request: assets.msn.com IN A
      Response:
        assets.msn.com IN CNAME assets.msn.com.edgekey.net
        assets.msn.com.edgekey.net IN CNAME e28578.d.akamaiedge.net
        e28578.d.akamaiedge.net IN A 104.109.250.170
        e28578.d.akamaiedge.net IN A 104.109.250.194
        e28578.d.akamaiedge.net IN A 104.109.250.180
        e28578.d.akamaiedge.net IN A 104.109.250.178
    • HTTP (CH)
      GET https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=7b2683a9-4492-4ce4-b5ad-3f93812d3890&ocid=windows-windowsShell-feeds&user=m-81279b69b0d24a4e92f189cdcac91583&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask
      Remote address:
      104.109.250.170:443
      Request
      GET /serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=7b2683a9-4492-4ce4-b5ad-3f93812d3890&ocid=windows-windowsShell-feeds&user=m-81279b69b0d24a4e92f189cdcac91583&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask HTTP/2.0
      host: assets.msn.com
      x-search-account: None
      accept-encoding: gzip, deflate
      x-device-machineid: {BC929805-684E-4860-BCA8-5ABA63544476}
      x-userageclass: Unknown
      x-bm-market: US
      x-bm-dateformat: M/d/yyyy
      x-device-ossku: 48
      x-bm-dtz: 0
      x-deviceid: 0100B2E609000CC3
      x-bm-windowsflights: FX:117B9872,FX:119E26AD,FX:11D898D7,FX:11DB147C,FX:11DE505A,FX:11E11E97,FX:11E3E2BA,FX:11E50151,FX:11E9EE98,FX:11F1992A,FX:11F4161E,FX:11F41B68,FX:11FB0F2F,FX:1201B330,FX:1202B7FC,FX:120BB68E,FX:121A20E1,FX:121BF15F,FX:121E5EC8,FX:122D8E86,FX:123031A3,FX:1231B88B,FX:123371B1,FX:1233C945,FX:123D7C31,FX:1240013C,FX:1246E4A3,FX:1248306D,FX:124B38D0,FX:1250080B,FX:125A7FDA,FX:1264FA75,FX:126DBC22,FX:127159BE,FX:12769734,FX:127C935B,FX:127DC03A,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB
      sitename: www.msn.com
      x-bm-theme: 000000;0078d7
      muid: 81279B69B0D24A4E92F189CDCAC91583
      x-agent-deviceid: 0100B2E609000CC3
      x-bm-onlinesearchdisabled: true
      x-bm-cbt: 1680713652
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.2.19041; 10.0.0.0.19041.1288) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      x-device-isoptin: false
      accept-language: en-US, en
      x-device-touch: false
      x-device-clientsession: 71CACF29D49043F2B35AB655800BC251
      cookie: MUID=81279B69B0D24A4E92F189CDCAC91583
      Response
      HTTP/2.0 200
      content-type: application/json; charset=utf-8
      server: Kestrel
      access-control-allow-credentials: true
      access-control-allow-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
      access-control-allow-methods: PUT,PATCH,POST,GET,OPTIONS,DELETE
      access-control-allow-origin: *.msn.com
      access-control-expose-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
      content-encoding: gzip
      ddd-authenticatedwithjwtflow: False
      ddd-usertype: AnonymousMuid
      ddd-tmpl: coldStart:1;lowT:0;TeaserTemp_cold:1;TeaserVisibility_cold:1;winbadge:1;SevereWeather_cold:1;Nowcast_cold:1;lowC:0;WildFire_cold:1;tbn:0;coldStartUpsell:1;SportsMatch_all:1;partialResponse:1
      ddd-feednewsitemcount: 0
      x-wpo-activityid: F802A5CF-B2C6-41B2-B91A-2AE4AA92C02A|2023-04-05T14:54:15.9432670Z|fabric:/wpo|WEU|WPO_20
      ddd-activityid: f802a5cf-b2c6-41b2-b91a-2ae4aa92c02a
      ddd-strategyexecutionlatency: 00:00:00.6365030
      ddd-debugid: f802a5cf-b2c6-41b2-b91a-2ae4aa92c02a|2023-04-05T14:54:15.9529395Z|fabric:/winfeed|WEU|WinFeed_195
      onewebservicelatency: 638
      x-msedge-responseinfo: 638
      x-ceto-ref: 642d8b97f576485680b78fbd66e76f11|2023-04-05T14:54:15.311Z
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]}
      expires: Wed, 05 Apr 2023 14:54:15 GMT
      date: Wed, 05 Apr 2023 14:54:15 GMT
      content-length: 9211
      akamai-request-bc: [a=104.109.250.166,b=1217940122,c=g,n=CH_ZH_GLATTBRUGG,o=20940],[a=20.23.114.34,c=o]
      server-timing: clientrtt; dur=49, clienttt; dur=656, origin; dur=655 , cdntime; dur=1
      akamai-cache-status: Miss from child
      akamai-server-ip: 104.109.250.166
      akamai-request-id: 48984a9a
      x-as-suppresssetcookie: 1
      cache-control: private, max-age=0
      timing-allow-origin: *
      vary: Origin
    • DNS (US): 108.211.229.192.in-addr.arpa, remote address 8.8.8.8:53
      Request: 108.211.229.192.in-addr.arpa IN PTR
      Response: (no records)
    • DNS (US): 170.250.109.104.in-addr.arpa, remote address 8.8.8.8:53
      Request: 170.250.109.104.in-addr.arpa IN PTR
      Response: 170.250.109.104.in-addr.arpa IN PTR a104-109-250-170.deploy.static.akamaitechnologies.com
    • DNS (US): 250.255.255.239.in-addr.arpa, remote address 8.8.8.8:53
      Request: 250.255.255.239.in-addr.arpa IN PTR
      Response: (no records)
    • 20.44.10.123:443  322 B  7
    • 93.184.221.240:80  322 B  7
    • 93.184.221.240:80  322 B  7
    • 93.184.220.29:80  322 B  7
    • 93.184.220.29:80  322 B  7
    • 209.197.3.8:80  322 B  7
    • 173.223.113.164:443  322 B  7
    • 173.223.113.131:80  322 B  7
    • 204.79.197.203:80  322 B  7
    • 104.109.250.170:443  assets.msn.com  tls, http2  2.9kB  18.7kB  26  25
      HTTP Request: GET https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=7b2683a9-4492-4ce4-b5ad-3f93812d3890&ocid=windows-windowsShell-feeds&user=m-81279b69b0d24a4e92f189cdcac91583&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask
      HTTP Response: 200
    • 117.18.232.240:80  46 B  1
    • 8.8.8.8:53  240.232.18.117.in-addr.arpa  dns  73 B  144 B  1  1
      DNS Request: 240.232.18.117.in-addr.arpa
    • 8.8.8.8:53  58.55.71.13.in-addr.arpa  dns  70 B  144 B  1  1
      DNS Request: 58.55.71.13.in-addr.arpa
    • 8.8.8.8:53  71.31.126.40.in-addr.arpa  dns  71 B  157 B  1  1
      DNS Request: 71.31.126.40.in-addr.arpa
    • 8.8.8.8:53  209.205.72.20.in-addr.arpa  dns  72 B  158 B  1  1
      DNS Request: 209.205.72.20.in-addr.arpa
    • 8.8.8.8:53  0.77.109.52.in-addr.arpa  dns  70 B  144 B  1  1
      DNS Request: 0.77.109.52.in-addr.arpa
    • 8.8.8.8:53  assets.msn.com  dns  60 B  198 B  1  1
      DNS Request: assets.msn.com
      DNS Response: 104.109.250.170, 104.109.250.194, 104.109.250.180, 104.109.250.178
    • 8.8.8.8:53  108.211.229.192.in-addr.arpa  dns  74 B  145 B  1  1
      DNS Request: 108.211.229.192.in-addr.arpa
    • 8.8.8.8:53  170.250.109.104.in-addr.arpa  dns  74 B  141 B  1  1
      DNS Request: 170.250.109.104.in-addr.arpa
    • 8.8.8.8:53  250.255.255.239.in-addr.arpa  dns  74 B  131 B  1  1
      DNS Request: 250.255.255.239.in-addr.arpa

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ce5561ca-8be2-48c6-aded-c0fd7a17d1be\AgileDotNetRT.dll
      Filesize: 94KB
      MD5: 14ff402962ad21b78ae0b4c43cd1f194
      SHA1: f8a510eb26666e875a5bdd1cadad40602763ad72
      SHA256: fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
      SHA512: daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

    • C:\Users\Admin\AppData\Local\VenomRAT_HVNC\VenomRAT_HVNC.exe_Url_qke1dwpj51gii1442axu3vv4l0pxgtp1\5.0.4.0\hcmokmmd.newcfg
      Filesize: 459B
      MD5: a62280a7bda22985a7011ba4fd03dee7
      SHA1: e8f07b9300334f9aed943f178108739fe9b83d51
      SHA256: 5b984f96393800acb5e12531fa0ae093f814a3c7c0329f8c8c06e3f0eade895b
      SHA512: 81398211be01e9cf04865b67f194fa5bab92ba151a1e81e82b2203fe0fbd6353a19f12e14e85dc3d6ded9b0d27618af6b21587bef54ed5f12d0f49b82c16b4ae

    • C:\Users\Admin\AppData\Local\VenomRAT_HVNC\VenomRAT_HVNC.exe_Url_qke1dwpj51gii1442axu3vv4l0pxgtp1\5.0.4.0\user.config
      Filesize: 337B
      MD5: 11b6e128fe1d399f09d6c91197e3d3f7
      SHA1: f5f205664c52933930eafa74ebcbda141a39787e
      SHA256: 19e270cfd60519790a510502673ee715cce937b2cae3b059793eea83e42bec7e
      SHA512: cbcec3af6b28bb94f0c8308edc543fa3d2058764f4c9ef2d03a0c17d630afb5083b618ecd3cc7bcc5bb9902de0e62d67b0851bc5d0135a12fbd00bd16c7958b5

    • memory/1436-147-0x0000000005AA0000-0x0000000005AB0000-memory.dmp  64KB
    • memory/1436-149-0x0000000005AA0000-0x0000000005AB0000-memory.dmp  64KB
    • memory/1436-137-0x0000000005B80000-0x0000000005B8A000-memory.dmp  40KB
    • memory/1436-136-0x0000000005A50000-0x0000000005A62000-memory.dmp  72KB
    • memory/1436-133-0x0000000000050000-0x00000000010EA000-memory.dmp  16.6MB
    • memory/1436-146-0x0000000073900000-0x0000000073989000-memory.dmp  548KB
    • memory/1436-148-0x0000000005AA0000-0x0000000005AB0000-memory.dmp  64KB
    • memory/1436-138-0x0000000005EE0000-0x00000000060F0000-memory.dmp  2.1MB
    • memory/1436-150-0x0000000005AA0000-0x0000000005AB0000-memory.dmp  64KB
    • memory/1436-151-0x000000000BB80000-0x000000000BDD2000-memory.dmp  2.3MB
    • memory/1436-154-0x0000000005AA0000-0x0000000005AB0000-memory.dmp  64KB
    • memory/1436-135-0x0000000005AD0000-0x0000000005B62000-memory.dmp  584KB
    • memory/1436-134-0x0000000006160000-0x0000000006704000-memory.dmp  5.6MB
    • memory/1436-205-0x0000000005AA0000-0x0000000005AB0000-memory.dmp  64KB
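
The two files under %LOCALAPPDATA%\VenomRAT_HVNC\ in the Downloads list follow the layout .NET's LocalFileSettingsProvider uses for per-user application settings: <company dir>\<exe>_<Url|StrongName>_<evidence hash>\<assembly version>\user.config. The parser below is an added example for this page, not code from the report or from the sample; it is run on the two paths from the list plus one unrelated path, and the field meanings in its comments describe .NET's behaviour, not anything the report itself states.

```python
r"""Decode the .NET user-settings paths the sample wrote under %LOCALAPPDATA%.

Added example, not part of the report. Parses the layout used by .NET's
LocalFileSettingsProvider:
  %LOCALAPPDATA%\<company>\<exe>_<Url|StrongName>_<evidence hash>\<version>\user.config
"""
import re
from dataclasses import dataclass
from typing import Optional

SETTINGS_PATH = re.compile(
    r"\\AppData\\Local\\(?P<company>[^\\]+)\\"
    r"(?P<app>[^\\]+?)_(?P<evidence>Url|StrongName)_(?P<hash>[0-9a-z]+)\\"
    r"(?P<version>\d+(?:\.\d+){1,3})\\(?P<file>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DotNetSettingsFile:
    company_dir: str     # AssemblyCompany attribute, or a fallback derived from the program
    app: str             # entry executable name
    evidence: str        # "Url": not strong-named, hash derives from the exe's location; "StrongName": signed
    evidence_hash: str
    version: str         # the executable's assembly version
    file: str
    is_temp: bool        # *.newcfg: temporary file .NET writes while saving, then renamed to user.config


def parse_settings_path(path: str) -> Optional[DotNetSettingsFile]:
    """Return the decoded settings-file record, or None if the path is not one."""
    m = SETTINGS_PATH.search(path)
    if not m:
        return None
    return DotNetSettingsFile(
        company_dir=m["company"], app=m["app"], evidence=m["evidence"],
        evidence_hash=m["hash"], version=m["version"], file=m["file"],
        is_temp=m["file"].lower().endswith(".newcfg"),
    )


def settings_summary(paths):
    """Group parsed settings files by (app, version); unrelated paths are dropped."""
    out = {}
    for p in paths:
        parsed = parse_settings_path(p)
        if parsed:
            out.setdefault((parsed.app, parsed.version), []).append(parsed.file)
    return out


# The two settings paths from the report's Downloads list plus one unrelated dropped file.
REPORT_PATHS = [
    r"C:\Users\Admin\AppData\Local\VenomRAT_HVNC\VenomRAT_HVNC.exe_Url_qke1dwpj51gii1442axu3vv4l0pxgtp1\5.0.4.0\hcmokmmd.newcfg",
    r"C:\Users\Admin\AppData\Local\VenomRAT_HVNC\VenomRAT_HVNC.exe_Url_qke1dwpj51gii1442axu3vv4l0pxgtp1\5.0.4.0\user.config",
    r"C:\Users\Admin\AppData\Local\Temp\ce5561ca-8be2-48c6-aded-c0fd7a17d1be\AgileDotNetRT.dll",
]

if __name__ == "__main__":
    for p in REPORT_PATHS:
        print(parse_settings_path(p))
    print(settings_summary(REPORT_PATHS))
```

Two things the decoded record tells an analyst: "Url" evidence means the executable is not strong-named and the hash segment is derived from where the exe was run from, so the same binary launched from another directory produces a different settings folder (do not treat that segment as a stable indicator); and the randomly named *.newcfg is the temporary file .NET creates during a settings save before renaming it over user.config, so its presence in the dump shows the sample saved its settings at least once during the run. The version segment, 5.0.4.0, is the executable's assembly version.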
