Malware Analysis Report

2024-09-23 01:36

Sample ID 240516-2faxjsbg73
Target VenomRAT_v6.0.3.rar
SHA256 668bf9ed54120899b86b21a8aa1df1075937b8c05cfca52817746b6e418e2006
Tags
rat stormkitty asyncrat execution
score
10/10

Analysis Overview

score
10/10

SHA256

668bf9ed54120899b86b21a8aa1df1075937b8c05cfca52817746b6e418e2006

Threat Level: Known bad

The file VenomRAT_v6.0.3.rar was found to be: Known bad.

Malicious Activity Summary

rat stormkitty asyncrat execution

Async RAT payload

AsyncRat

Asyncrat family

StormKitty payload

Stormkitty family

.NET Reactor protector

Unsigned PE

Command and Scripting Interpreter: PowerShell

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-16 22:32

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

190s

Max time network

300s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Recovery.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Recovery.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

183s

Max time network

303s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Vestris.ResourceLib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Vestris.ResourceLib.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

249s

Max time network

261s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\SendFile.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\SendFile.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

303s

Max time network

324s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\SMDiagnostics.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 532 wrote to memory of 2708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 532 wrote to memory of 2708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 532 wrote to memory of 2708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\SMDiagnostics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\SMDiagnostics.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

185s

Max time network

304s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\protobuf-net.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\protobuf-net.Core.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

188s

Max time network

302s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Miscellaneous.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Miscellaneous.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

189s

Max time network

311s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Netstat.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Netstat.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

303s

Max time network

323s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Options.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Options.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

186s

Max time network

310s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Regedit.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Regedit.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

183s

Max time network

304s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\RemoteCamera.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\RemoteCamera.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

189s

Max time network

291s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx86.exe"

Signatures

AsyncRat

rat asyncrat

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx86.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx86.exe

"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx86.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 988

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/1328-0-0x000000007317E000-0x000000007317F000-memory.dmp

memory/1328-1-0x0000000000A80000-0x0000000000A98000-memory.dmp

memory/1328-2-0x0000000005840000-0x0000000005D3E000-memory.dmp

memory/1328-4-0x0000000073170000-0x000000007385E000-memory.dmp

memory/1328-5-0x000000007317E000-0x000000007317F000-memory.dmp

memory/1328-6-0x0000000073170000-0x000000007385E000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

186s

Max time network

261s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\hvnc.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\hvnc.exe

"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\hvnc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

memory/3044-0-0x00007FFF34733000-0x00007FFF34734000-memory.dmp

memory/3044-1-0x0000000000F80000-0x0000000000F90000-memory.dmp

memory/3044-3-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

memory/3044-4-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

189s

Max time network

288s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Server.Properties.Resources.resources.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Server.Properties.Resources.resources.ps1

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 234.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/3280-3-0x00007FFE28E63000-0x00007FFE28E64000-memory.dmp

memory/3280-5-0x000001C5AFC70000-0x000001C5AFC92000-memory.dmp

memory/3280-9-0x000001C5AFD20000-0x000001C5AFD96000-memory.dmp

memory/3280-8-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bvad2kqk.nut.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3280-10-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

memory/3280-34-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

memory/3280-35-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

189s

Max time network

300s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\RemoteDesktop.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\RemoteDesktop.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

190s

Max time network

304s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"

Signatures

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe

"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 expensivethunderousbutton.ponoaseno.repl.co udp
US 104.196.248.195:443 expensivethunderousbutton.ponoaseno.repl.co tcp
US 8.8.8.8:53 195.248.196.104.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

memory/4092-0-0x00007FFA56F63000-0x00007FFA56F64000-memory.dmp

memory/4092-1-0x000002CD2B3C0000-0x000002CD2BC0C000-memory.dmp

memory/4092-2-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

memory/4092-3-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

memory/4092-4-0x000002CD48B60000-0x000002CD49F64000-memory.dmp

memory/4092-5-0x000002CD467A0000-0x000002CD46CB2000-memory.dmp

memory/4092-6-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

memory/4092-7-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

188s

Max time network

298s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\protobuf-net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\protobuf-net.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

188s

Max time network

307s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\learn all kind of hacking.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\learn all kind of hacking.url"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

184s

Max time network

299s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Stealer.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Stealer.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

187s

Max time network

310s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Server.Properties.Resources.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Server.Properties.Resources.ps1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x380

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

memory/4136-3-0x00007FFAD8ED3000-0x00007FFAD8ED4000-memory.dmp

memory/4136-5-0x0000025AF8690000-0x0000025AF86B2000-memory.dmp

memory/4136-7-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp

memory/4136-9-0x0000025AF8840000-0x0000025AF88B6000-memory.dmp

memory/4136-10-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5odguqgt.v4w.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4136-31-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp

memory/4136-37-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

295s

Max time network

307s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\dnlib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\dnlib.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

294s

Max time network

324s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\gbpast - Login.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\gbpast - Login.url"

Network

Country Destination Domain Proto
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

191s

Max time network

304s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\ProcessManager.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\ProcessManager.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

189s

Max time network

307s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\SendMemory.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\SendMemory.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

190s

Max time network

305s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\x86\SQLite.Interop.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 8 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2772 wrote to memory of 8 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2772 wrote to memory of 8 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\x86\SQLite.Interop.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\x86\SQLite.Interop.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 656

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

188s

Max time network

310s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\cGeoIp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\cGeoIp.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

190s

Max time network

299s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\System.IO.Compression.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\System.IO.Compression.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

302s

Max time network

323s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\System.ServiceModel.Internals.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 2520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2404 wrote to memory of 2520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2404 wrote to memory of 2520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\System.ServiceModel.Internals.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\System.ServiceModel.Internals.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

190s

Max time network

304s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\netstandard.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\netstandard.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 234.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

189s

Max time network

301s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\ReverseProxy.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\ReverseProxy.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

190s

Max time network

301s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\x64\SQLite.Interop.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\x64\SQLite.Interop.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

71s

Max time network

193s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\ClientAny.exe"

Signatures

AsyncRat

rat asyncrat

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\ClientAny.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\ClientAny.exe

"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\ClientAny.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/3396-0-0x00007FFC74E63000-0x00007FFC74E64000-memory.dmp

memory/3396-1-0x00000000009F0000-0x0000000000A08000-memory.dmp

memory/3396-3-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-16 22:30

Reported

2024-05-17 00:07

Platform

win10-20240404-en

Max time kernel

189s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx64.exe"

Signatures

AsyncRat

rat asyncrat

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx64.exe

"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

memory/4684-0-0x00007FFCB4523000-0x00007FFCB4524000-memory.dmp

memory/4684-1-0x0000000000140000-0x0000000000156000-memory.dmp

memory/4684-3-0x00007FFCB4520000-0x00007FFCB4F0C000-memory.dmp