Overview

overview

10

Static

static

10

Venom Imag...config

windows7-x64

3

Venom Imag...config

windows10-2004-x64

3

Venom Imag...om.exe

windows7-x64

10

Venom Imag...om.exe

windows10-2004-x64

10

Venom Imag...in.exe

windows7-x64

7

Venom Imag...in.exe

windows10-2004-x64

7

Venom Imag...fig.py

windows7-x64

3

Venom Imag...fig.py

windows10-2004-x64

3

Analysis

  • max time kernel
    25s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    07-04-2024 06:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Venom Image Logger v3.1/Venom-main/Venom.exe

  • Size

    17.8MB

  • MD5

    184d5385057d79ef13d899df4bd19a77

  • SHA1

    fb5d34444109e9c7a6c87b7361f4a05fa9fb7643

  • SHA256

    a6ca738e8be3671c8bd98a967c997e9f14c2fc35a148ecaecb4a3ffb89b895b9

  • SHA512

    36cd4c45e9e5679cb38be18c8556bac30f53a9b50c75147379a58daaded41d93b3511cba77d89d2f10a31ece448268c29e223ab36ff2220fd29944f09bd866e6

  • SSDEEP

    393216:EqPnLFXlrSQ8DOETgsvfGFngYGvEt9T7Gq:lPLFXNSQhEE7f/7

Score
10/10
discordratpersistencepyinstallerratrootkitstealerupx

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIxODU0OTg5NjI3ODE3OTg0MA.Gth7Ad._9yVHP6c6O1_Ou788tvd-6Y6nGBkJoenuGkkls

  • server_id

    1218545788821438475

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Detects Pyinstaller 2 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Venom Image Logger v3.1\Venom-main\Venom.exe
    "C:\Users\Admin\AppData\Local\Temp\Venom Image Logger v3.1\Venom-main\Venom.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Roaming\Commet Image Logger.exe
      "C:\Users\Admin\AppData\Roaming\Commet Image Logger.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Users\Admin\AppData\Roaming\main.exe
        "C:\Users\Admin\AppData\Roaming\main.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Users\Admin\AppData\Roaming\main.exe
          "C:\Users\Admin\AppData\Roaming\main.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2152
      • C:\Users\Admin\AppData\Roaming\blx image logger.exe
        "C:\Users\Admin\AppData\Roaming\blx image logger.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2704 -s 600
          4⤵
          • Loads dropped DLL
          PID:2764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI30122\python310.dll
    Filesize

    1.4MB

    MD5

    69d4f13fbaeee9b551c2d9a4a94d4458

    SHA1

    69540d8dfc0ee299a7ff6585018c7db0662aa629

    SHA256

    801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

    SHA512

    8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

    Download Submit

  • \Users\Admin\AppData\Roaming\Commet Image Logger.exe
    Filesize

    17.8MB

    MD5

    a0cd7e9738e86dfa8084757a01668cc9

    SHA1

    541dfc75737dfe4cd9bfae07636df85ce57692a1

    SHA256

    1a4bbdad996cc7e3e62c2376a82e2a1a87a5cafffff8bb3941b80dacf1f8d4bf

    SHA512

    bbef170dc8b6dd8b710372cc980977b9cb1c57fd4e6135d042636b66636ef119343b5ece189e5aaf6f47b43a111eabf753c65d148bbd51e7ad74e614e098ae77

    Download Submit

  • \Users\Admin\AppData\Roaming\blx image logger.exe
    Filesize

    78KB

    MD5

    d371e3e18e5f67fcd5048836ba77a591

    SHA1

    534ad06b58738e96fd63a807104943dcced838e1

    SHA256

    56fbafc5f45eaa548a93ceb7a0a07f479ff1b93077a9922a42fef5707886cc58

    SHA512

    cca449737b33479588a0e51af3f0c685c3582cba33bd4f91da3d7ace4176147edf94cd5ab43cec6c9b3c81338081a6bc7548ab64df394867754aa73f0ee1c4ee

    Download Submit

  • \Users\Admin\AppData\Roaming\main.exe
    Filesize

    17.7MB

    MD5

    230758495042a4a9fa8babf332440386

    SHA1

    3eeb7dd97b2369803ac7badebc9a88698850bebc

    SHA256

    ef5024e4f0920bd936c3e2a9fae11ddde4cef76e646831a98e1a5281c45f30bd

    SHA512

    4cd1c6f60a293a57bfe8ca900cd8152359e73691e1b10a08d5fd9a8312bac1eb401828d8ccfee50f6b41d2bed4c563c35b1d6d3dfdfdde9b4f6b4e135954c34c

    Download Submit

  • memory/2152-144-0x000007FEF4430000-0x000007FEF489E000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2172-1-0x0000000074E90000-0x000000007543B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2172-2-0x0000000000140000-0x0000000000180000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2172-0-0x0000000074E90000-0x000000007543B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2172-20-0x0000000074E90000-0x000000007543B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2352-10-0x0000000074E90000-0x000000007543B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2352-98-0x0000000074E90000-0x000000007543B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2352-19-0x00000000017D0000-0x0000000001810000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2352-68-0x0000000074E90000-0x000000007543B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2704-134-0x000000013F270000-0x000000013F288000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2704-143-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2704-145-0x000000001B880000-0x000000001B900000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2704-154-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2704-265-0x000000001B880000-0x000000001B900000-memory.dmp

    Filesize

    512KB

    Download