Analysis Overview
SHA256
668bf9ed54120899b86b21a8aa1df1075937b8c05cfca52817746b6e418e2006
Threat Level: Known bad
The file VenomRAT_v6.0.3.rar was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
AsyncRat
Asyncrat family
StormKitty payload
Stormkitty family
.NET Reactor protector
Unsigned PE
Command and Scripting Interpreter: PowerShell
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-16 22:32
Signatures
Async RAT payload
Asyncrat family
StormKitty payload
Stormkitty family
.NET Reactor protector
Unsigned PE
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
190s
Max time network
300s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Recovery.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
183s
Max time network
303s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Vestris.ResourceLib.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
249s
Max time network
261s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\SendFile.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
303s
Max time network
324s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 532 wrote to memory of 2708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 532 wrote to memory of 2708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 532 wrote to memory of 2708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\SMDiagnostics.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\SMDiagnostics.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
185s
Max time network
304s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\protobuf-net.Core.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
188s
Max time network
302s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Miscellaneous.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
189s
Max time network
311s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Netstat.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
303s
Max time network
323s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Options.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
186s
Max time network
310s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Regedit.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
183s
Max time network
304s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\RemoteCamera.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
189s
Max time network
291s
Command Line
Signatures
AsyncRat
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx86.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx86.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx86.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx86.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 988
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/1328-0-0x000000007317E000-0x000000007317F000-memory.dmp
memory/1328-1-0x0000000000A80000-0x0000000000A98000-memory.dmp
memory/1328-2-0x0000000005840000-0x0000000005D3E000-memory.dmp
memory/1328-4-0x0000000073170000-0x000000007385E000-memory.dmp
memory/1328-5-0x000000007317E000-0x000000007317F000-memory.dmp
memory/1328-6-0x0000000073170000-0x000000007385E000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
186s
Max time network
261s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\hvnc.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\hvnc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
memory/3044-0-0x00007FFF34733000-0x00007FFF34734000-memory.dmp
memory/3044-1-0x0000000000F80000-0x0000000000F90000-memory.dmp
memory/3044-3-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp
memory/3044-4-0x00007FFF34730000-0x00007FFF3511C000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
189s
Max time network
288s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Server.Properties.Resources.resources.ps1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.17.178.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/3280-3-0x00007FFE28E63000-0x00007FFE28E64000-memory.dmp
memory/3280-5-0x000001C5AFC70000-0x000001C5AFC92000-memory.dmp
memory/3280-9-0x000001C5AFD20000-0x000001C5AFD96000-memory.dmp
memory/3280-8-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bvad2kqk.nut.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3280-10-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp
memory/3280-34-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp
memory/3280-35-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
189s
Max time network
300s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\RemoteDesktop.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
190s
Max time network
304s
Command Line
Signatures
.NET Reactor protector
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | expensivethunderousbutton.ponoaseno.repl.co | udp |
| US | 104.196.248.195:443 | expensivethunderousbutton.ponoaseno.repl.co | tcp |
| US | 8.8.8.8:53 | 195.248.196.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
memory/4092-0-0x00007FFA56F63000-0x00007FFA56F64000-memory.dmp
memory/4092-1-0x000002CD2B3C0000-0x000002CD2BC0C000-memory.dmp
memory/4092-2-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp
memory/4092-3-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp
memory/4092-4-0x000002CD48B60000-0x000002CD49F64000-memory.dmp
memory/4092-5-0x000002CD467A0000-0x000002CD46CB2000-memory.dmp
memory/4092-6-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp
memory/4092-7-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
188s
Max time network
298s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\protobuf-net.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
188s
Max time network
307s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\learn all kind of hacking.url"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
184s
Max time network
299s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\Stealer.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
187s
Max time network
310s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Server.Properties.Resources.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x380
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
memory/4136-3-0x00007FFAD8ED3000-0x00007FFAD8ED4000-memory.dmp
memory/4136-5-0x0000025AF8690000-0x0000025AF86B2000-memory.dmp
memory/4136-7-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp
memory/4136-9-0x0000025AF8840000-0x0000025AF88B6000-memory.dmp
memory/4136-10-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5odguqgt.v4w.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4136-31-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp
memory/4136-37-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
295s
Max time network
307s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\dnlib.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
294s
Max time network
324s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\gbpast - Login.url"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
191s
Max time network
304s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\ProcessManager.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
189s
Max time network
307s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\SendMemory.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
190s
Max time network
305s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2772 wrote to memory of 8 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2772 wrote to memory of 8 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2772 wrote to memory of 8 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\x86\SQLite.Interop.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\x86\SQLite.Interop.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 656
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
188s
Max time network
310s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\cGeoIp.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
190s
Max time network
299s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\System.IO.Compression.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
302s
Max time network
323s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2404 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2404 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2404 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\System.ServiceModel.Internals.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\System.ServiceModel.Internals.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
190s
Max time network
304s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\netstandard.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.17.178.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
189s
Max time network
301s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\ReverseProxy.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
190s
Max time network
301s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Plugins\x64\SQLite.Interop.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
71s
Max time network
193s
Command Line
Signatures
AsyncRat
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\ClientAny.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\ClientAny.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\ClientAny.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/3396-0-0x00007FFC74E63000-0x00007FFC74E64000-memory.dmp
memory/3396-1-0x00000000009F0000-0x0000000000A08000-memory.dmp
memory/3396-3-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-16 22:30
Reported
2024-05-17 00:07
Platform
win10-20240404-en
Max time kernel
189s
Max time network
301s
Command Line
Signatures
AsyncRat
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx64.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT_v6.0.3\Stub\Clientx64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
memory/4684-0-0x00007FFCB4523000-0x00007FFCB4524000-memory.dmp
memory/4684-1-0x0000000000140000-0x0000000000156000-memory.dmp
memory/4684-3-0x00007FFCB4520000-0x00007FFCB4F0C000-memory.dmp