Behavioral task
behavioral1
Sample
VenomRAT.exe
Resource
win10v2004-20240226-en
General
-
Target
VenomRAT.zip
-
Size
2.7MB
-
MD5
78870c277a959c207991b9af55e8b3db
-
SHA1
dfd571fec1275eb9d57f6bedc81f6084666d712a
-
SHA256
bed566efa17d36676370408a804d916195a9dcd86e8eda8b5c279b4c84a527f2
-
SHA512
c0e4c358775c8d34192bbf11fcfc57360d23b89bffcacd5e9c50b1c3550162d797261ad8e8f9807023b7b606f400bab075aac1950900fe452f457cba232c5a0a
-
SSDEEP
49152:q3z5cQkHNtWRbwuHhlB9MOXevldPI5GPgDzPc8joCcnNCXMVrSaeODSRXZCnc0MQ:Y3k/W1bHbMOX4ldg5FzP3HXMNS1Rpyc0
Malware Config
Extracted
lucastealer
https://api.telegram.org/bot5428876226:AAFBchyLgjGmB_WG7TBXAtjIewC0an-KRm4
Signatures
-
Lucastealer family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource unpack001/VenomRAT.exe
Files
-
VenomRAT.zip.zip
-
VenomRAT.exe.exe windows:6 windows x64 arch:x64
df0f0c28f90bf207b2315fb226e672f7
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
secur32
InitializeSecurityContextW
AcceptSecurityContext
EncryptMessage
ApplyControlToken
QueryContextAttributesW
DeleteSecurityContext
FreeContextBuffer
LsaFreeReturnBuffer
LsaGetLogonSessionData
FreeCredentialsHandle
DecryptMessage
AcquireCredentialsHandleA
LsaEnumerateLogonSessions
kernel32
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
InitializeSListHead
GetCurrentThreadId
TryEnterCriticalSection
InitializeCriticalSection
AreFileApisANSI
HeapCreate
WriteFile
GetDiskFreeSpaceW
IsDebuggerPresent
HeapFree
CloseHandle
FindClose
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetLastError
GetSystemInfo
WakeAllConditionVariable
RemoveDirectoryW
GetModuleFileNameW
SetFileInformationByHandle
GetUserPreferredUILanguages
GetTickCount64
GetLogicalDrives
GetComputerNameExW
LoadLibraryExW
GetProcAddress
FreeLibrary
GetFileInformationByHandleEx
AddVectoredExceptionHandler
SetThreadStackGuarantee
HeapReAlloc
SleepConditionVariableSRW
GetModuleHandleW
CreateFileW
SwitchToThread
TryAcquireSRWLockExclusive
GetQueuedCompletionStatusEx
CreateIoCompletionPort
SetFileCompletionNotificationModes
WakeConditionVariable
AcquireSRWLockShared
ReleaseSRWLockShared
GetFileInformationByHandle
GetCurrentProcess
DuplicateHandle
GetModuleHandleA
GetStdHandle
GetConsoleMode
WaitForSingleObject
WriteConsoleW
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
ReleaseMutex
SetLastError
GetEnvironmentVariableW
RtlLookupFunctionEntry
FormatMessageW
GetTempPathW
DeviceIoControl
GetFullPathNameW
SetFilePointerEx
GetFinalPathNameByHandleW
FindNextFileW
CreateDirectoryW
SetHandleInformation
CreateThread
GetCurrentThread
QueryPerformanceFrequency
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetCurrentDirectoryW
RtlCaptureContext
FindFirstFileW
CopyFileExW
GetProcessTimes
GetSystemTimes
GetProcessIoCounters
GetProcessHeap
ReadProcessMemory
LocalFree
OpenProcess
HeapAlloc
VirtualQueryEx
GetDriveTypeW
GetVolumeInformationW
GetDiskFreeSpaceExW
GlobalMemoryStatusEx
PostQueuedCompletionStatus
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
SleepEx
GetSystemDirectoryA
GetTickCount
Sleep
MultiByteToWideChar
WideCharToMultiByte
MoveFileExA
GetEnvironmentVariableA
VerSetConditionMask
VerifyVersionInfoW
CreateFileA
GetFileSizeEx
ReadFile
RtlVirtualUnwind
FlushFileBuffers
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
SystemTimeToFileTime
GetCurrentProcessId
GetFileSize
LockFileEx
UnlockFile
HeapDestroy
HeapCompact
LoadLibraryW
DeleteFileW
DeleteFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
UnmapViewOfFile
GetFileAttributesW
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
ntdll
NtCreateFile
NtQuerySystemInformation
RtlGetVersion
NtCancelIoFileEx
NtDeviceIoControlFile
RtlNtStatusToDosError
NtQueryInformationProcess
oleaut32
SysAllocString
SysAllocStringLen
SysFreeString
SafeArrayUnaccessData
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
VariantClear
pdh
PdhCloseQuery
PdhCollectQueryData
PdhAddEnglishCounterW
PdhGetFormattedCounterValue
PdhOpenQueryA
PdhRemoveCounter
crypt32
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertDuplicateCertificateChain
CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertGetCertificateChain
CertDuplicateStore
CertDuplicateCertificateContext
CertCloseStore
CertFreeCertificateContext
CertGetEnhancedKeyUsage
CertFindCertificateInStore
CertOpenStore
CryptStringToBinaryA
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CryptDecodeObjectEx
PFXImportCertStore
CryptUnprotectData
ole32
CoCreateInstance
CoInitializeEx
CoSetProxyBlanket
CoUninitialize
CoInitializeSecurity
iphlpapi
FreeMibTable
GetIfEntry2
GetIfTable2
netapi32
NetUserEnum
NetApiBufferFree
NetUserGetLocalGroups
user32
GetMonitorInfoW
EnumDisplaySettingsExW
EnumDisplayMonitors
gdi32
GetObjectW
DeleteObject
GetDIBits
StretchBlt
SetStretchBltMode
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCW
GetDeviceCaps
DeleteDC
advapi32
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
GetUserNameW
SystemFunction036
LookupAccountSidW
GetTokenInformation
OpenProcessToken
bcrypt
BCryptGenRandom
ws2_32
getsockopt
WSAIoctl
WSARecv
WSASend
getsockname
recv
closesocket
recvfrom
WSAGetLastError
getpeername
WSAStartup
ioctlsocket
connect
setsockopt
select
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
freeaddrinfo
WSAResetEvent
WSAWaitForMultipleEvents
WSACleanup
htons
ntohs
socket
WSASetLastError
__WSAFDIsSet
accept
htonl
listen
WSASocketW
getaddrinfo
shutdown
bind
send
shell32
CommandLineToArgvW
powrprof
CallNtPowerInformation
psapi
GetModuleFileNameExW
GetPerformanceInfo
vcruntime140
memcmp
memcpy
memset
memmove
__CxxFrameHandler3
strchr
strrchr
strstr
memchr
__C_specific_handler
__current_exception
__current_exception_context
api-ms-win-crt-string-l1-1-0
strncpy
wcslen
strlen
strcpy
strpbrk
strcmp
_strdup
strspn
strcspn
strncmp
api-ms-win-crt-heap-l1-1-0
realloc
calloc
free
malloc
_set_new_mode
_msize
api-ms-win-crt-runtime-l1-1-0
abort
__p___argv
_wassert
_seh_filter_exe
_set_app_type
__p___argc
_initialize_onexit_table
_endthreadex
_configure_narrow_argv
_cexit
_initialize_narrow_environment
_get_initial_narrow_environment
_initterm
_initterm_e
exit
terminate
_crt_atexit
_c_exit
_register_thread_local_exe_atexit_callback
_exit
_register_onexit_function
_errno
__sys_errlist
__sys_nerr
_beginthreadex
api-ms-win-crt-convert-l1-1-0
strtoul
atoi
strtoll
strtol
wcstombs
api-ms-win-crt-stdio-l1-1-0
fputs
fclose
__stdio_common_vsscanf
fopen
_lseeki64
fseek
_close
fwrite
fread
__acrt_iob_func
__p__commode
_write
feof
_set_fmode
ftell
fgets
fputc
__stdio_common_vsprintf
fflush
_read
_open
api-ms-win-crt-utility-l1-1-0
qsort
api-ms-win-crt-time-l1-1-0
_localtime64_s
_gmtime64
_time64
strftime
api-ms-win-crt-filesystem-l1-1-0
_access
_unlink
_stat64
_fstat64
api-ms-win-crt-math-l1-1-0
_dclass
_fdopen
log
__setusermatherr
api-ms-win-crt-locale-l1-1-0
_configthreadlocale
Sections
.text Size: 3.9MB - Virtual size: 3.9MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1.3MB - Virtual size: 1.3MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 28KB - Virtual size: 32KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 94KB - Virtual size: 94KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 30KB - Virtual size: 29KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ