Overview

overview

10

Static

static

10

Venom5-HVNC-Rat.zip

windows10-2004-x64

1

System.Xml.XPath.dll

windows10-2004-x64

1

System.Xml...nt.dll

windows10-2004-x64

1

System.Xml...er.dll

windows10-2004-x64

1

VenomRAT_HVNC.exe

windows10-2004-x64

10

VenomRAT_HVNC.exe.xml

windows10-2004-x64

1

VenomRAT_HVNC.pdb

windows10-2004-x64

3

Vestris.Re...ib.dll

windows10-2004-x64

1

Vestris.Re...ib.xml

windows10-2004-x64

1

bhatrussia.url

windows10-2004-x64

3

blackhatrussia.url

windows10-2004-x64

3

cGeoIp.dll

windows10-2004-x64

1

client.exe

windows10-2004-x64

10

dnlib.dll

windows10-2004-x64

1

gbpast - Login.url

windows10-2004-x64

1

learn all ...ng.url

windows10-2004-x64

1

netstandard.dll

windows10-2004-x64

1

packages/V...re.p7s

windows10-2004-x64

7

packages/V....nupkg

windows10-2004-x64

3

packages/V...ib.dll

windows10-2004-x64

1

packages/V...ib.xml

windows10-2004-x64

1

packages/V...ib.dll

windows10-2004-x64

1

packages/V...ib.xml

windows10-2004-x64

1

packages/V...ib.dll

windows10-2004-x64

1

packages/V...ib.xml

windows10-2004-x64

1

packages/V...ib.dll

windows10-2004-x64

1

packages/V...ib.xml

windows10-2004-x64

1

packages/V...ib.dll

windows10-2004-x64

1

packages/V...ib.xml

windows10-2004-x64

1

protobuf-net.dll

windows10-2004-x64

1

readme.txt

windows10-2004-x64

1

svchost.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2023 18:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client.exe

  • Size

    144KB

  • MD5

    f4fdcb900e7af47100ac9e46945fbd55

  • SHA1

    c1d235a9a2cae8d5a8d4f6ceb4eab9417e1b1fb2

  • SHA256

    9160b90fa4a6a9cf22f943dba92cec64e2dc03c2317b5d9ab50a753fc410ce43

  • SHA512

    236eef98d4695a5e1224a87a1dc598639e5c49f6dd192a96cc1b9f8305faa57078deb62d73906a33ba1c1fac4fa5ccc5f344a0f196dbba718b76a36667984ac2

  • SSDEEP

    3072:Bsp9iv+DYM5ob0HGNSKsstcnZTJQDgWPaySsdH5boWz:Op9iTMSb0mgKFcQjhdH

Score
10/10
arrowratasyncrat%group%persistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

%Group%

C2

%Hosts%:%Ports%

Mutex

%MTX%

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\client.exe
    "C:\Users\Admin\AppData\Local\Temp\client.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3400
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4964
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" %Group% %Hosts% %Ports% %MTX%
      2⤵
        PID:1104
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4896
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:436
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4404
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4324
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3344
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3432
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:3076

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PP0GIZJY\microsoft.windows[1].xml
        Filesize

        97B

        MD5

        0dfaf78473f3abc4592af5efa3697131

        SHA1

        e726b34092196e52e4bced2e1a91fde0a4bdc5c8

        SHA256

        fbdc8ff459fcadbdd38ffc007ac8f401a87d0fef760732ecbed7404f2894ded8

        SHA512

        f36c3a0ff9673c555c0509cbfd8767d6a7dc0f2e6e64500b4499eca969e021ee2a8ad2b5bcc9a1391b22d4fa5b4a3e62f4b80ce89006c803374d562853f27c5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{2F519BF2-C697-59F8-8F6A-1E19509CE66B}
        Filesize

        36KB

        MD5

        8aaad0f4eb7d3c65f81c6e6b496ba889

        SHA1

        231237a501b9433c292991e4ec200b25c1589050

        SHA256

        813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

        SHA512

        1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
        Filesize

        36KB

        MD5

        fb5f8866e1f4c9c1c7f4d377934ff4b2

        SHA1

        d0a329e387fb7bcba205364938417a67dbb4118a

        SHA256

        1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

        SHA512

        0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133437698251781293.txt
        Filesize

        74KB

        MD5

        0770cd8fe6784708d08860d93a5cb762

        SHA1

        ec3a74a70a55ac4e73f6ccaf01a7f4b86ca45cf8

        SHA256

        77c4ad43697c8de81a391a842311a1331fb37da159dcfe94eaa23e193479b1c2

        SHA512

        40c0c9f1e3a29320f68248439afe28ab00eef45b3dfbb9a3cc743a2f83374e6c2e8f36c57131a2c1b840c9f99b6c58b29f40ed453b03cd16607745fedae8e511

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133437698296330008.txt
        Filesize

        74KB

        MD5

        0770cd8fe6784708d08860d93a5cb762

        SHA1

        ec3a74a70a55ac4e73f6ccaf01a7f4b86ca45cf8

        SHA256

        77c4ad43697c8de81a391a842311a1331fb37da159dcfe94eaa23e193479b1c2

        SHA512

        40c0c9f1e3a29320f68248439afe28ab00eef45b3dfbb9a3cc743a2f83374e6c2e8f36c57131a2c1b840c9f99b6c58b29f40ed453b03cd16607745fedae8e511

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PP0GIZJY\microsoft.windows[1].xml
        Filesize

        97B

        MD5

        0dfaf78473f3abc4592af5efa3697131

        SHA1

        e726b34092196e52e4bced2e1a91fde0a4bdc5c8

        SHA256

        fbdc8ff459fcadbdd38ffc007ac8f401a87d0fef760732ecbed7404f2894ded8

        SHA512

        f36c3a0ff9673c555c0509cbfd8767d6a7dc0f2e6e64500b4499eca969e021ee2a8ad2b5bcc9a1391b22d4fa5b4a3e62f4b80ce89006c803374d562853f27c5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PP0GIZJY\microsoft.windows[1].xml
        Filesize

        97B

        MD5

        0dfaf78473f3abc4592af5efa3697131

        SHA1

        e726b34092196e52e4bced2e1a91fde0a4bdc5c8

        SHA256

        fbdc8ff459fcadbdd38ffc007ac8f401a87d0fef760732ecbed7404f2894ded8

        SHA512

        f36c3a0ff9673c555c0509cbfd8767d6a7dc0f2e6e64500b4499eca969e021ee2a8ad2b5bcc9a1391b22d4fa5b4a3e62f4b80ce89006c803374d562853f27c5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PP0GIZJY\microsoft.windows[1].xml
        Filesize

        97B

        MD5

        0dfaf78473f3abc4592af5efa3697131

        SHA1

        e726b34092196e52e4bced2e1a91fde0a4bdc5c8

        SHA256

        fbdc8ff459fcadbdd38ffc007ac8f401a87d0fef760732ecbed7404f2894ded8

        SHA512

        f36c3a0ff9673c555c0509cbfd8767d6a7dc0f2e6e64500b4499eca969e021ee2a8ad2b5bcc9a1391b22d4fa5b4a3e62f4b80ce89006c803374d562853f27c5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PP0GIZJY\microsoft.windows[1].xml
        Filesize

        97B

        MD5

        0dfaf78473f3abc4592af5efa3697131

        SHA1

        e726b34092196e52e4bced2e1a91fde0a4bdc5c8

        SHA256

        fbdc8ff459fcadbdd38ffc007ac8f401a87d0fef760732ecbed7404f2894ded8

        SHA512

        f36c3a0ff9673c555c0509cbfd8767d6a7dc0f2e6e64500b4499eca969e021ee2a8ad2b5bcc9a1391b22d4fa5b4a3e62f4b80ce89006c803374d562853f27c5b

        Download Submit

      • memory/436-18-0x0000025263570000-0x0000025263590000-memory.dmp

        Filesize

        128KB

        Download

      • memory/436-20-0x0000025263530000-0x0000025263550000-memory.dmp

        Filesize

        128KB

        Download

      • memory/436-22-0x0000025263A10000-0x0000025263A30000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1104-7-0x0000000005960000-0x0000000005970000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1104-11-0x0000000075340000-0x0000000075AF0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1104-9-0x0000000006120000-0x00000000066C4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1104-1-0x0000000000400000-0x0000000000410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1104-6-0x00000000057F0000-0x000000000588C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1104-5-0x00000000056F0000-0x0000000005782000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1104-4-0x0000000075340000-0x0000000075AF0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3344-106-0x0000024B8AF00000-0x0000024B8AF20000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3344-104-0x0000024B8AF40000-0x0000024B8AF60000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3344-109-0x0000024B8B300000-0x0000024B8B320000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3400-33-0x00007FFB371B0000-0x00007FFB37C71000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3400-3-0x00007FFB371B0000-0x00007FFB37C71000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3400-0-0x000001E5F1FA0000-0x000001E5F1FCA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/3432-125-0x000001725DC20000-0x000001725DC40000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3432-128-0x000001725D9E0000-0x000001725DA00000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3432-131-0x000001725DFF0000-0x000001725E010000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4324-87-0x000002CEA2A30000-0x000002CEA2A50000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4324-85-0x000002CEA2620000-0x000002CEA2640000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4324-83-0x000002CEA2660000-0x000002CEA2680000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4404-65-0x0000028C34080000-0x0000028C340A0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4404-63-0x0000028C33A60000-0x0000028C33A80000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4404-61-0x0000028C33AA0000-0x0000028C33AC0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4964-26-0x00000000037D0000-0x00000000037D1000-memory.dmp

        Filesize

        4KB

        Download