Analysis (sandbox score: 10)
-
max time kernel
294s -
max time network
314s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted
10-08-2023 02:11
Behavioral task
behavioral1
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/BouncyCastle.Crypto.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral2
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/Client.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral3
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Charts.v22.2.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral4
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.CodeParser.v22.2.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral5
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Data.Desktop.v22.1.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral6
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Data.Desktop.v22.2.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral7
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Data.v22.1.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral8
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Data.v22.2.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral9
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.DataAccess.v22.2.UI.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral10
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.DataAccess.v22.2.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral11
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.DataVisualization.v22.2.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral12
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Diagram.v22.2.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral13
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Drawing.v22.1.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral14
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Images.v22.2.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral15
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Mvvm.v22.2.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral16
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Office.v22.1.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral17
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Office.v22.2.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral18
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Pdf.v22.1.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral19
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Pdf.v22.1.Drawing.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral20
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Pdf.v22.2.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral21
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Pdf.v22.2.Drawing.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral22
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.PivotGrid.v22.2.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral23
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Printing.v22.1.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral24
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Printing.v22.2.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral25
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.RichEdit.v22.1.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral26
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.RichEdit.v22.2.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral27
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.RichEdit.v22.2.Export.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral28
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Sparkline.v22.1.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral29
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/DevExpress.Sparkline.v22.2.Core.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral30
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/Stub/ClientAny.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral31
Sample
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/Stub/Clientx64.exe
Resource
win10v2004-20230703-en
General
-
Target
VenomRAT_v6.0.3_WITH_SOURCE/VenomRAT v6.0.3 (SOURCE)/BouncyCastle.Crypto.dll
-
Size
2.5MB
-
MD5
f0b3e112ce4807a28e2b5d66a840ed7f
-
SHA1
54a6743781fd4ceb720331fce92f16186931192d
-
SHA256
333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c
-
SHA512
dc8ec9754c5e86f7e54e75ff3e5859c1b057f90e9c41788037b944a5db2cb3b70060763d0efcbe55ec595bcc47a9c0ff847a4876821470ca1659c31afd5b0190
-
SSDEEP
49152:OSSJ+G1PjodumkjD6Oc0mqHZwueCtbu9kQN:6xodumo6Lr
Malware Config
Extracted (family: asyncrat — VenomRAT is an AsyncRAT-derived fork, which is why the AsyncRAT config extractor and YARA rule match it)
Version string: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Host group: Default
Host:port: 93.82.44.26:4040 (presumably the C2 endpoint; treat it as an IoC, but because this sample is a leaked source/builder package the value may be the builder's default rather than a live operator server — verify before blocking at scale)
nheplizwdi (likely the mutex/identifier string — confirm against the AsyncRAT config layout)
- delay: 1
- install: false (no persistence install on this build)
- install_folder: %AppData% (unused while install is false)
Note: this configuration was recovered from the dropped client payloads and process memory flagged below (the "Async RAT payload" YARA hits), not from the analysis target BouncyCastle.Crypto.dll itself.
Signatures
-
Async RAT payload 14 IoCs (YARA rule: asyncrat)
Files:
behavioral1/files/0x0003000000000735-151.dat
behavioral1/files/0x0003000000000735-157.dat
behavioral1/files/0x0003000000000735-156.dat
behavioral1/files/0x000300000000073b-165.dat
behavioral1/files/0x000300000000073b-172.dat
behavioral1/files/0x000300000000073b-171.dat
behavioral1/files/0x000300000000073b-183.dat
behavioral1/files/0x0003000000000735-216.dat
behavioral1/files/0x0003000000000735-217.dat
behavioral1/files/0x000300000000073b-231.dat
behavioral1/files/0x000300000000073b-230.dat
behavioral1/files/0x000300000000073b-235.dat
Memory:
behavioral1/memory/4868-160-0x0000000000690000-0x00000000006A8000-memory.dmp (PID 4868 = Venomrat.exe)
behavioral1/memory/404-174-0x000001A0A4C00000-0x000001A0A5A34000-memory.dmp (PID 404 = Venom RAT + HVNC + Stealer + Grabber.exe)
Note: the memory hits are the most useful for detection engineering — the rule matches the unpacked client in process memory, which survives any on-disk packing of the stub.
Executes dropped EXE 8 IoCs
pid / process:
1044 sistrdzthu.exe; 4868 Venomrat.exe; 404 Venom RAT + HVNC + Stealer + Grabber.exe; 3744 Venom RAT + HVNC + Stealer + Grabber.exe; 4192 sistrdzthu.exe; 392 Venomrat.exe; 1464 Venom RAT + HVNC + Stealer + Grabber.exe; 2124 Venom RAT + HVNC + Stealer + Grabber.exe
Note: sistrdzthu.exe and Venomrat.exe are written to %LOCALAPPDATA%\Temp by "Venom v6.0.3.exe" (see the process tree). The random-looking name sistrdzthu.exe is likely generated per execution, so hunt on the hashes in the Downloads section rather than on that filename.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 8 IoCs
WerFault pid → crashed pid (target procid):
3416 → 3744 (96); 4720 → 404 (95); 1808 → 3744 (96); 5036 → 404 (95); 3584 → 1464 (116); 2804 → 2124 (117); 4356 → 1464 (116); 4544 → 2124 (117)
Note: every crash is of the "Venom RAT + HVNC + Stealer + Grabber.exe" controller/builder GUI (PIDs 404, 3744, 1464, 2124). The cause is not shown here — possibly missing runtime or licensing dependencies in the sandbox — so controller-side behaviour may be under-observed in this run.
Modifies registry class 1 IoCs
Key created: \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings — by OpenWith.exe
Note: this appears to be a side effect of the Windows "Open with" dialog (OpenWith.exe), not a persistence or configuration change made by the sample.
Opens file in notepad (likely ransom note) 1 IoCs
pid / process: 5072 NOTEPAD.EXE
Note: heuristic false positive in this run — the file opened is "Venom RAT + HVNC + Stealer + Grabber.exe.config" (a .NET application configuration file) launched through OpenWith.exe, not a ransom note; nothing else in this report indicates ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3312 Client.exe 3312 Client.exe 3312 Client.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + Stealer + Grabber.exe 3744 Venom RAT + HVNC + 
Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 404 Venom RAT + HVNC + Stealer + Grabber.exe 3312 Client.exe 3312 Client.exe 3312 Client.exe 1464 Venom RAT + HVNC + Stealer + Grabber.exe 1464 Venom RAT + HVNC + Stealer + Grabber.exe 1464 Venom RAT + HVNC + Stealer + Grabber.exe 1464 Venom RAT + HVNC + Stealer + Grabber.exe 1464 Venom RAT + HVNC + Stealer + Grabber.exe 1464 Venom RAT + HVNC + Stealer + Grabber.exe 1464 Venom RAT + HVNC + Stealer + Grabber.exe 1464 Venom RAT + HVNC + Stealer + Grabber.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3456 OpenWith.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Token: SeDebugPrivilege — 3312 Client.exe; 4868 Venomrat.exe; 392 Venomrat.exe; 3872 Keylogger.exe; 4388 Keylogger.exe
Note: SeDebugPrivilege lets a process open other processes with full access regardless of their DACL; on the client/keylogger side it is commonly enabled for process access, injection or anti-analysis. A privilege-enable by an unsigned binary in %TEMP% is a good detection point (Windows Security Event ID 4703 when token-right auditing is enabled).
Suspicious use of SetWindowsHookEx 30 IoCs
3312 Client.exe (×1); 404 Venom RAT + HVNC + Stealer + Grabber.exe (×2); 3744 Venom RAT + HVNC + Stealer + Grabber.exe (×2); 3456 OpenWith.exe (×19); 1464 Venom RAT + HVNC + Stealer + Grabber.exe (×2); 2124 Venom RAT + HVNC + Stealer + Grabber.exe (×2); 3872 Keylogger.exe (×1); 4388 Keylogger.exe (×1)
Note: for Client.exe and Keylogger.exe this is consistent with installing a keyboard hook (keylogging). The OpenWith.exe and controller-GUI hits are most likely ordinary window-message hooks from the UI framework and should not be scored on their own.
Suspicious use of WriteProcessMemory 16 IoCs
writer → target (target procid, count):
1512 Venom v6.0.3.exe → 1044 sistrdzthu.exe (93, ×3); 1512 Venom v6.0.3.exe → 4868 Venomrat.exe (94, ×2); 1044 sistrdzthu.exe → 404 Venom RAT + HVNC + Stealer + Grabber.exe (95, ×2); 3456 OpenWith.exe → 5072 NOTEPAD.EXE (112, ×2); 4492 Venom v6.0.3.exe → 4192 sistrdzthu.exe (114, ×3); 4492 Venom v6.0.3.exe → 392 Venomrat.exe (115, ×2); 4192 sistrdzthu.exe → 1464 Venom RAT + HVNC + Stealer + Grabber.exe (116, ×2)
Note: every write targets a process the writer itself had just created (compare the process tree below), which a parent does during normal CreateProcess start-up; no writes into pre-existing or system processes appear here, so this is not evidence of injection into other processes.
Processes (process tree — the trailing "N⤵" on each command line is its nesting depth, 1 = top level; the sandbox launched each file from the archive separately, so several of the trees below are independent executions rather than a single infection chain)
-
C:\Windows\system32\rundll32.exe — rundll32.exe "C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\BouncyCastle.Crypto.dll",#1 (depth 1, PID:4296)
Note: this is the sandbox harness invoking export ordinal #1 of the analysis target. By name, BouncyCastle.Crypto.dll is the open-source Bouncy Castle .NET cryptography library bundled as a dependency of the RAT; a purely managed assembly normally has no native export for rundll32 to call, and no signature in this report is attributed to PID 4296 — every observed behaviour comes from the other executables in the archive. Verify the hash (MD5 f0b3e112ce4807a28e2b5d66a840ed7f, SHA256 333903c7…) against an official Bouncy Castle release before treating the DLL itself as malicious.
-
C:\Windows\System32\rundll32.exe — C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding (depth 1, PID:3564)
Note: shell32 COM local-server activation performed by the OS; it appears unrelated to the sample and should not be added to IoC lists.
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Client.exe"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Client.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3312
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom v6.0.3.exe"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom v6.0.3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Users\Admin\AppData\Local\Temp\sistrdzthu.exe"C:\Users\Admin\AppData\Local\Temp\sistrdzthu.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:404 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 404 -s 24204⤵
- Program crash
PID:4720
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 404 -s 24204⤵
- Program crash
PID:5036
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Venomrat.exe"C:\Users\Admin\AppData\Local\Temp\Venomrat.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868
-
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3744 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3744 -s 17162⤵
- Program crash
PID:3416
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3744 -s 17082⤵
- Program crash
PID:1808
-
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1, PID:1120)
Note: WMI Performance Adapter service, started on demand when something issues WMI performance-class queries. It appears three times in this run (also PIDs 3732 and 1580); it may be triggered by the sample's own WMI queries, but is not an indicator by itself.
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 416 -p 3744 -ip 37441⤵PID:4188
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 500 -p 404 -ip 4041⤵PID:3660
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 520 -p 3744 -ip 37441⤵PID:1544
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 548 -p 404 -ip 4041⤵PID:1652
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\system32\NOTEPAD.EXE — "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe.config (depth 2)
- Opens file in notepad (likely ransom note) — false positive: the file is the controller's .NET *.exe.config, opened via the OpenWith.exe dialog, not a ransom note
PID:5072
-
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom v6.0.3.exe"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom v6.0.3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Users\Admin\AppData\Local\Temp\sistrdzthu.exe"C:\Users\Admin\AppData\Local\Temp\sistrdzthu.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1464 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1464 -s 14004⤵
- Program crash
PID:3584
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1464 -s 14004⤵
- Program crash
PID:4356
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Venomrat.exe"C:\Users\Admin\AppData\Local\Temp\Venomrat.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:392
-
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2124 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2124 -s 13962⤵
- Program crash
PID:2804
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2124 -s 23242⤵
- Program crash
PID:4544
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3732
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 1464 -ip 14641⤵PID:3716
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:1580
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 544 -p 2124 -ip 21241⤵PID:1520
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 580 -p 1464 -ip 14641⤵PID:3984
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3872
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 520 -p 2124 -ip 21241⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4388
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB (path not captured in this view)
MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe
Filesize: 14.2MB
MD5 3b3a304c6fc7a3a1d9390d7cbff56634
SHA1 e8bd5244e6362968f5017680da33f1e90ae63dd7
SHA256 7331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
SHA512 7f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5
Note: the six entries that follow are duplicate records of this same file (identical hashes), presumably one per execution in the run; this is the controller/builder component, not the victim-side client.
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe
Filesize14.2MB
MD53b3a304c6fc7a3a1d9390d7cbff56634
SHA1e8bd5244e6362968f5017680da33f1e90ae63dd7
SHA2567331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
SHA5127f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe
Filesize14.2MB
MD53b3a304c6fc7a3a1d9390d7cbff56634
SHA1e8bd5244e6362968f5017680da33f1e90ae63dd7
SHA2567331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
SHA5127f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe
Filesize14.2MB
MD53b3a304c6fc7a3a1d9390d7cbff56634
SHA1e8bd5244e6362968f5017680da33f1e90ae63dd7
SHA2567331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
SHA5127f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe
Filesize14.2MB
MD53b3a304c6fc7a3a1d9390d7cbff56634
SHA1e8bd5244e6362968f5017680da33f1e90ae63dd7
SHA2567331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
SHA5127f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe
Filesize14.2MB
MD53b3a304c6fc7a3a1d9390d7cbff56634
SHA1e8bd5244e6362968f5017680da33f1e90ae63dd7
SHA2567331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
SHA5127f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5
-
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3_WITH_SOURCE\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe
Filesize14.2MB
MD53b3a304c6fc7a3a1d9390d7cbff56634
SHA1e8bd5244e6362968f5017680da33f1e90ae63dd7
SHA2567331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
SHA5127f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5
-
Filesize: 74KB (path not captured in this view; the four entries that follow are duplicate records with identical hashes)
MD5 f6cd31be1b934e979780c63ee6dca10c
SHA1 7f802a7409345d03bef6d292b91e096a97c7f25a
SHA256 c7d808cc2f536c8aef33b34415bffa55d32ecdfb23dd34ec95d76f934c40ea12
SHA512 bef7835728afb40e05a322a331b6a7a7f99b37d0dea0d883b4c0afa0e697f0801847680202d19d99f934b29d3b934a6d41a0e623945c7af469fb842354a0c6f9
-
Filesize
74KB
MD5f6cd31be1b934e979780c63ee6dca10c
SHA17f802a7409345d03bef6d292b91e096a97c7f25a
SHA256c7d808cc2f536c8aef33b34415bffa55d32ecdfb23dd34ec95d76f934c40ea12
SHA512bef7835728afb40e05a322a331b6a7a7f99b37d0dea0d883b4c0afa0e697f0801847680202d19d99f934b29d3b934a6d41a0e623945c7af469fb842354a0c6f9
-
Filesize
74KB
MD5f6cd31be1b934e979780c63ee6dca10c
SHA17f802a7409345d03bef6d292b91e096a97c7f25a
SHA256c7d808cc2f536c8aef33b34415bffa55d32ecdfb23dd34ec95d76f934c40ea12
SHA512bef7835728afb40e05a322a331b6a7a7f99b37d0dea0d883b4c0afa0e697f0801847680202d19d99f934b29d3b934a6d41a0e623945c7af469fb842354a0c6f9
-
Filesize
74KB
MD5f6cd31be1b934e979780c63ee6dca10c
SHA17f802a7409345d03bef6d292b91e096a97c7f25a
SHA256c7d808cc2f536c8aef33b34415bffa55d32ecdfb23dd34ec95d76f934c40ea12
SHA512bef7835728afb40e05a322a331b6a7a7f99b37d0dea0d883b4c0afa0e697f0801847680202d19d99f934b29d3b934a6d41a0e623945c7af469fb842354a0c6f9
-
Filesize
74KB
MD5f6cd31be1b934e979780c63ee6dca10c
SHA17f802a7409345d03bef6d292b91e096a97c7f25a
SHA256c7d808cc2f536c8aef33b34415bffa55d32ecdfb23dd34ec95d76f934c40ea12
SHA512bef7835728afb40e05a322a331b6a7a7f99b37d0dea0d883b4c0afa0e697f0801847680202d19d99f934b29d3b934a6d41a0e623945c7af469fb842354a0c6f9
-
Filesize: 14.2MB (path not captured in this view; the three entries that follow are duplicate records with identical hashes)
MD5 7e8d3bcd4b3ee0a20deb79e5818f06a0
SHA1 73acfa8fbe3aa5ab8372cf8d11eba9242ba4592e
SHA256 baa304c80cd2acc0df7968024a0754d560dfd2fafc14dfc6383783e3d2f8127e
SHA512 2ca9b6ec0f22d586388caf3d4da20e25ba46aac0cee7d6e98f8ddeb3cddbc346d632a3717c6902b065e6fb5d8628ff08f8a306f1ca539f905fbfb1a06f7222c9
Note: this is a second 14.2 MB binary, distinct from the controller hashed above (MD5 3b3a304c…); both hashes should be carried as IoCs.
-
Filesize
14.2MB
MD57e8d3bcd4b3ee0a20deb79e5818f06a0
SHA173acfa8fbe3aa5ab8372cf8d11eba9242ba4592e
SHA256baa304c80cd2acc0df7968024a0754d560dfd2fafc14dfc6383783e3d2f8127e
SHA5122ca9b6ec0f22d586388caf3d4da20e25ba46aac0cee7d6e98f8ddeb3cddbc346d632a3717c6902b065e6fb5d8628ff08f8a306f1ca539f905fbfb1a06f7222c9
-
Filesize
14.2MB
MD57e8d3bcd4b3ee0a20deb79e5818f06a0
SHA173acfa8fbe3aa5ab8372cf8d11eba9242ba4592e
SHA256baa304c80cd2acc0df7968024a0754d560dfd2fafc14dfc6383783e3d2f8127e
SHA5122ca9b6ec0f22d586388caf3d4da20e25ba46aac0cee7d6e98f8ddeb3cddbc346d632a3717c6902b065e6fb5d8628ff08f8a306f1ca539f905fbfb1a06f7222c9
-
Filesize
14.2MB
MD57e8d3bcd4b3ee0a20deb79e5818f06a0
SHA173acfa8fbe3aa5ab8372cf8d11eba9242ba4592e
SHA256baa304c80cd2acc0df7968024a0754d560dfd2fafc14dfc6383783e3d2f8127e
SHA5122ca9b6ec0f22d586388caf3d4da20e25ba46aac0cee7d6e98f8ddeb3cddbc346d632a3717c6902b065e6fb5d8628ff08f8a306f1ca539f905fbfb1a06f7222c9
-
Filesize: 8B (path not captured in this view; an 8-byte file is too small to be a payload — plausibly a marker or settings file)
MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b