Analysis Overview
SHA256
46c17ffefbfcaa044cbbcbb33d6219da84538c22a51e53bff647c87da33a0bd9
Threat Level: Known bad
The file VenomRAT v6.0.3 (+SOURCE).7z was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
StormKitty payload
Async RAT payload
Stormkitty family
AsyncRat
Async RAT payload
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-08-22 05:59
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Asyncrat family
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win7-20230712-en
Max time kernel
131s
Max time network
155s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Client.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Client.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Client.exe"
Network
| Country | Destination | Domain | Proto |
| FI | 95.216.52.21:7575 | tcp | |
| FI | 95.216.52.21:7575 | tcp | |
| FI | 95.216.52.21:7575 | tcp | |
| FI | 95.216.52.21:7575 | tcp | |
| FI | 95.216.52.21:7575 | tcp | |
| FI | 95.216.52.21:7575 | tcp |
Files
memory/2628-54-0x00000000000B0000-0x00000000000C6000-memory.dmp
memory/2628-55-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
memory/2628-56-0x000000001B1A0000-0x000000001B220000-memory.dmp
memory/2628-57-0x0000000077A50000-0x0000000077BF9000-memory.dmp
memory/2628-58-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
memory/2628-59-0x000000001B1A0000-0x000000001B220000-memory.dmp
memory/2628-60-0x0000000077A50000-0x0000000077BF9000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win10v2004-20230703-en
Max time kernel
103s
Max time network
161s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\DevExpress.WinRTPresenter.Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\DevExpress.WinRTPresenter.Launcher.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
memory/4932-133-0x0000000000BA0000-0x0000000000BAA000-memory.dmp
memory/4932-135-0x00007FFB001F0000-0x00007FFB00CB1000-memory.dmp
memory/4932-136-0x00007FFB001F0000-0x00007FFB00CB1000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win7-20230712-en
Max time kernel
121s
Max time network
139s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\hvnc.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\hvnc.exe"
Network
Files
memory/2548-54-0x0000000001340000-0x0000000001350000-memory.dmp
memory/2548-55-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp
memory/2548-56-0x000000001B040000-0x000000001B0C0000-memory.dmp
memory/2548-57-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win10v2004-20230703-en
Max time kernel
128s
Max time network
160s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\hvnc.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\hvnc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.132.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/2756-133-0x0000000000D40000-0x0000000000D50000-memory.dmp
memory/2756-134-0x00007FFA0D230000-0x00007FFA0DCF1000-memory.dmp
memory/2756-136-0x00007FFA0D230000-0x00007FFA0DCF1000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win10v2004-20230703-en
Max time kernel
86s
Max time network
184s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 748 -ip 748
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 748 -s 952
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
memory/748-133-0x00000000006C0000-0x00000000006D8000-memory.dmp
memory/748-134-0x00007FF8644E0000-0x00007FF864FA1000-memory.dmp
memory/748-136-0x000000001B4F0000-0x000000001B500000-memory.dmp
memory/748-137-0x00007FF8644E0000-0x00007FF864FA1000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win7-20230712-en
Max time kernel
120s
Max time network
142s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2480 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe | C:\Windows\system32\WerFault.exe |
| PID 2480 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe | C:\Windows\system32\WerFault.exe |
| PID 2480 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2480 -s 600
Network
Files
memory/2480-55-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
memory/2480-54-0x0000000000B30000-0x0000000000B48000-memory.dmp
memory/2480-57-0x000000001AE90000-0x000000001AF10000-memory.dmp
memory/2480-58-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
memory/2480-59-0x000000001AE90000-0x000000001AF10000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win7-20230712-en
Max time kernel
156s
Max time network
137s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
Files
memory/2788-55-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp
memory/2788-54-0x00000000004B0000-0x00000000012E4000-memory.dmp
memory/2788-56-0x000000001BEA0000-0x000000001D2A4000-memory.dmp
memory/2788-57-0x000000001D810000-0x000000001DD22000-memory.dmp
memory/2788-58-0x000000001DD30000-0x000000001DF82000-memory.dmp
memory/2788-59-0x000000001D350000-0x000000001D3D0000-memory.dmp
memory/2788-60-0x000000001E330000-0x000000001E408000-memory.dmp
memory/2788-61-0x0000000001420000-0x0000000001470000-memory.dmp
memory/2788-62-0x00000000215F0000-0x0000000021DAE000-memory.dmp
memory/2788-63-0x0000000021DB0000-0x0000000022442000-memory.dmp
memory/2788-64-0x000000001F190000-0x000000001F52C000-memory.dmp
memory/2788-65-0x0000000022450000-0x00000000228D4000-memory.dmp
memory/2788-66-0x000000001D350000-0x000000001D3D0000-memory.dmp
memory/2788-67-0x000000001F530000-0x000000001F742000-memory.dmp
memory/2788-68-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp
memory/2788-69-0x000000001D350000-0x000000001D3D0000-memory.dmp
memory/2788-70-0x000000001D350000-0x000000001D3D0000-memory.dmp
memory/2788-73-0x0000000003140000-0x000000000314A000-memory.dmp
memory/2788-74-0x000000001D350000-0x000000001D3D0000-memory.dmp
memory/2788-75-0x000000001D350000-0x000000001D3D0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win10v2004-20230703-en
Max time kernel
138s
Max time network
158s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 856 -ip 856
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 856 -s 1000
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
Files
memory/856-133-0x0000000000AE0000-0x0000000000AEA000-memory.dmp
memory/856-134-0x00007FF8AF260000-0x00007FF8AFD21000-memory.dmp
memory/856-135-0x000000001B7A0000-0x000000001B7B0000-memory.dmp
memory/856-136-0x00007FF8AF260000-0x00007FF8AFD21000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win10v2004-20230703-en
Max time kernel
134s
Max time network
160s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 1100 -ip 1100
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1100 -s 1712
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 1100 -ip 1100
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1100 -s 2452
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
memory/1100-133-0x00007FF92CBA0000-0x00007FF92D661000-memory.dmp
memory/1100-134-0x00000243B14E0000-0x00000243B2314000-memory.dmp
memory/1100-135-0x00000243CDE00000-0x00000243CF204000-memory.dmp
memory/1100-136-0x00000243CCF10000-0x00000243CD422000-memory.dmp
memory/1100-137-0x00000243CCC50000-0x00000243CCEA2000-memory.dmp
memory/1100-138-0x00000243B2740000-0x00000243B2750000-memory.dmp
memory/1100-139-0x00000243CD540000-0x00000243CD618000-memory.dmp
memory/1100-140-0x00000243B4020000-0x00000243B4070000-memory.dmp
memory/1100-141-0x00000243D0910000-0x00000243D10CE000-memory.dmp
memory/1100-142-0x00000243D10D0000-0x00000243D1762000-memory.dmp
memory/1100-143-0x00000243D04F0000-0x00000243D088C000-memory.dmp
memory/1100-144-0x00000243D1C00000-0x00000243D2084000-memory.dmp
memory/1100-145-0x00000243B2740000-0x00000243B2750000-memory.dmp
memory/1100-146-0x00000243CC970000-0x00000243CC990000-memory.dmp
memory/1100-147-0x00000243D2090000-0x00000243D22A2000-memory.dmp
memory/1100-148-0x00007FF92CBA0000-0x00007FF92D661000-memory.dmp
memory/1100-149-0x00000243B2740000-0x00000243B2750000-memory.dmp
memory/1100-150-0x00000243B2740000-0x00000243B2750000-memory.dmp
memory/1100-151-0x00007FF92CBA0000-0x00007FF92D661000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win7-20230712-en
Max time kernel
120s
Max time network
139s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\DevExpress.WinRTPresenter.Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\DevExpress.WinRTPresenter.Launcher.exe"
Network
Files
memory/2012-54-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp
memory/2012-55-0x0000000000A90000-0x0000000000A9A000-memory.dmp
memory/2012-56-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win7-20230712-en
Max time kernel
118s
Max time network
137s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe"
Network
Files
memory/1464-54-0x000007FEF5370000-0x000007FEF5D5C000-memory.dmp
memory/1464-55-0x0000000000D40000-0x0000000000D48000-memory.dmp
memory/1464-56-0x000000001B060000-0x000000001B0E0000-memory.dmp
memory/1464-57-0x000007FEF5370000-0x000007FEF5D5C000-memory.dmp
memory/1464-58-0x000000001B060000-0x000000001B0E0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win10v2004-20230703-en
Max time kernel
128s
Max time network
164s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
memory/4476-133-0x0000000000460000-0x0000000000468000-memory.dmp
memory/4476-134-0x00007FF8C6980000-0x00007FF8C7441000-memory.dmp
memory/4476-135-0x000000001B110000-0x000000001B120000-memory.dmp
memory/4476-136-0x00007FF8C6980000-0x00007FF8C7441000-memory.dmp
memory/4476-137-0x000000001B110000-0x000000001B120000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win7-20230712-en
Max time kernel
122s
Max time network
136s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2416 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe | C:\Windows\system32\WerFault.exe |
| PID 2416 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe | C:\Windows\system32\WerFault.exe |
| PID 2416 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Keylogger.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2416 -s 632
Network
Files
memory/2416-54-0x00000000002C0000-0x00000000002CA000-memory.dmp
memory/2416-55-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp
memory/2416-56-0x000000001AEC0000-0x000000001AF40000-memory.dmp
memory/2416-57-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp
memory/2416-58-0x000000001AEC0000-0x000000001AF40000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win7-20230712-en
Max time kernel
117s
Max time network
132s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2300 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe | C:\Windows\system32\WerFault.exe |
| PID 2300 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe | C:\Windows\system32\WerFault.exe |
| PID 2300 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2300 -s 604
Network
Files
memory/2300-54-0x00000000011E0000-0x00000000011F8000-memory.dmp
memory/2300-55-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
memory/2300-57-0x000000001AEC0000-0x000000001AF40000-memory.dmp
memory/2300-58-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
memory/2300-59-0x000000001AEC0000-0x000000001AF40000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win10v2004-20230703-en
Max time kernel
129s
Max time network
169s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 1724 -ip 1724
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1724 -s 952
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
memory/1724-133-0x0000000000F60000-0x0000000000F78000-memory.dmp
memory/1724-135-0x00007FFCEC6B0000-0x00007FFCED171000-memory.dmp
memory/1724-136-0x000000001BC20000-0x000000001BC30000-memory.dmp
memory/1724-137-0x00007FFCEC6B0000-0x00007FFCED171000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-22 05:58
Reported
2023-08-22 06:05
Platform
win10v2004-20230703-en
Max time kernel
148s
Max time network
171s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Client.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Client.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.177.238.8.in-addr.arpa | udp |
| FI | 95.216.52.21:7575 | tcp | |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| FI | 95.216.52.21:7575 | tcp | |
| FI | 95.216.52.21:7575 | tcp | |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 95.216.52.21:7575 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FI | 95.216.52.21:7575 | tcp | |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| FI | 95.216.52.21:7575 | tcp | |
| FI | 95.216.52.21:7575 | tcp |
Files
memory/4836-133-0x0000000000550000-0x0000000000566000-memory.dmp
memory/4836-134-0x00007FFEF4B20000-0x00007FFEF55E1000-memory.dmp
memory/4836-135-0x000000001B0F0000-0x000000001B100000-memory.dmp
memory/4836-136-0x00007FFEF4B20000-0x00007FFEF55E1000-memory.dmp
memory/4836-137-0x000000001B0F0000-0x000000001B100000-memory.dmp