Overview
overview
10Static
static
3Windows_Up...xe.vbs
windows7-x64
1Windows_Up...xe.vbs
windows10-2004-x64
1file.ps1
windows7-x64
1file.ps1
windows10-2004-x64
1fresh.exe
windows7-x64
10fresh.exe
windows10-2004-x64
10loader.ps1
windows7-x64
1loader.ps1
windows10-2004-x64
10payload.ps1
windows7-x64
1payload.ps1
windows10-2004-x64
10update.cmd
windows7-x64
1update.cmd
windows10-2004-x64
10update.vbs
windows7-x64
8update.vbs
windows10-2004-x64
10windows.cmd
windows7-x64
1windows.cmd
windows10-2004-x64
10windows.vbs
windows7-x64
3windows.vbs
windows10-2004-x64
7Analysis
-
max time kernel
141s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
16-03-2024 03:37
Static task
static1
Behavioral task
behavioral1
Sample
Windows_Update.exe.vbs
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
Windows_Update.exe.vbs
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
file.ps1
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
file.ps1
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
fresh.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
fresh.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
loader.ps1
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
loader.ps1
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
payload.ps1
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
payload.ps1
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
update.cmd
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
update.cmd
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
update.vbs
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral14
Sample
update.vbs
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
windows.cmd
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral16
Sample
windows.cmd
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
windows.vbs
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
windows.vbs
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
loader.ps1
-
Size
14.0MB
-
MD5
fe51ec3ec4510262ca50af133b5cef93
-
SHA1
aba6d26dcfb1fa6c991b2486fc7cda8165b61551
-
SHA256
1877e4bab37f755a1c74d6e03319da7b42b07a45be4da1205609d4e47aa16e7c
-
SHA512
149ee9151f9d94c4fa9308de3b81b3f0a13fa2991c1bbf74e48b85f695d2ef3ef7ba1f39f91ef2619c40f6d0a0dc8f25d5452c538084e26d6301ec9273d15b96
-
SSDEEP
49152:5v8ClP0QiEwg/C5r6iNlqaZg21NY/TQX5I:
Malware Config
Extracted
asyncrat
5.0.5
Venom Clients
kdfsv.duckdns.org:8890
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 1760 created 3296 1760 powershell.exe 57 -
Async RAT payload 2 IoCs
resource yara_rule behavioral8/memory/4384-18-0x0000018054760000-0x0000018054776000-memory.dmp family_asyncrat behavioral8/memory/4384-20-0x000001806D090000-0x000001806D0A0000-memory.dmp family_asyncrat -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1760 powershell.exe 1760 powershell.exe 1760 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
pid Process 1760 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1760 powershell.exe Token: SeDebugPrivilege 4384 notepad.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98 PID 1760 wrote to memory of 4384 1760 powershell.exe 98
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3296
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\loader.ps12⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
-
-
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4384
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82