Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
31-05-2024 11:20
General
-
Target
Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe
-
Size
9.8MB
-
MD5
1947749a785b384a9bfe51d57c796ae9
-
SHA1
db986cb4503589a2319e596b799c878ec4d4a990
-
SHA256
6018e4099dca3d452ecc8fe34f5e6d00b2b43c5c21cdea1b4c53c7025376048a
-
SHA512
3e82f60c595a5fc25043729366137ea35f2037bf23b78248cf8946a2edb39c6af4c9159c9c5b6c876148ef8b06468d975a4f6e413319b6ebc9712920f3c5829e
-
SSDEEP
196608:w6+0f/ylacMb5mCbClb12UK4RDx5gRIAL1xXPm68DwOHRR+kc4N4FmDdgW7U:40f/KacMbR2J2UKEdiRIAL1xXPCwkEn3
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Drops startup file 4 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Software RAT Activated Cracked.exe"C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Software RAT Activated Cracked.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe"C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe"C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\microsoft corporation.exe"C:\ProgramData\microsoft corporation.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\ProgramData\microsoft corporation.exe" "microsoft corporation.exe" ENABLE5⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Local\Temp\windows.exe"C:\Users\Admin\AppData\Local\Temp\windows.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe"C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 25⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 05⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 65⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 65⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 65⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD57562771811fd8c8a86936abdd287f0ec
SHA1d9903d0dead9710bed125bfeef3f290e86701b7b
SHA2563bb43c7de86bbfc0cc5835ceb2fc9b7f0b33b1d94dcbc9afc56dfa4f13d3bb47
SHA512f68fa2221b90119136346a5d7f3d6efaa943a69f42b64eee83fe6ca52797d66ad0119001cd50015577dacf428b7a2c3f4eedeeeb0a409d63497d560e335bc89f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5702a6df445d94ac3736bac0c1dc1947a
SHA147a9d9df011df964d2f2293c1ecefe92f6757eba
SHA25629cbc69e6a8cdccc57a0eb11cf8703b4eb187b0ee39a7a3917f6a497b18f45da
SHA5125fc3c6bbd593ae2a472a8fbb45c12e2697de64f2f161285f940e22ccd5b3471b7808b31a777413d99063a887e9bfcc90cf4950bcea84fc6a222487873adca4c7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5f039e611bdab5cd77cbd079ab14cad5a
SHA146a3368f7de131e6f5b73f3e15b2c814d650e84d
SHA256b4134af0135970afd36f00494e594d6c6b195c5f9a8781934f3908602ee8afa0
SHA512606fb33ba5b3c8a8e7f0d1d5e7afb02c70ddc9ca54cf4cec27cb07420abb15f87715d2b670dc906384abd3fa03b5a54eadf83ed77fa4962ae411a58daa5ad30e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD54b11be7e1f1f157805d9019c8bdf7493
SHA190445f579d0a65e0d31e40307830267de9e24e41
SHA25697677ffdcee4be99794053f925f39ed26ea9ff0dca3eb05f69727003e3c7c21e
SHA5129987924b48a7b9c72a6e651cc74a1b66fade0857c17707e5637f3a0063ac3a12e973f52ff7e9ce2b88f773ed265e4d5cbbfa5b7b2204d8572fe006aac0a68c25
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD536dc41c5023bd27510aac97a563769c9
SHA1adcdedb293c4bcef5a3a7d1718165beb639247ee
SHA2562e7fac47d7d8429172643a3e3ff1b23ce220f4682889d4410dd668db71a6f1c4
SHA5126fb8447d5fcd8d0b42763f49ee3ae96080aaa407820c860ff817ee484a5d73df7664ad9da5cdbe532f2d8a71edee3471ac4fd70fbc04daec343fc71092bff6a8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD551e5fb2e4beb98fa79a973b584e28e04
SHA193faa2544e8af1def8ecd9e9168e96f7dca0c0f0
SHA256fcac468a39d1dd157c491990876b1421160abd00b6ac55cd5a58ea4b01f11b23
SHA512ed20bacc397a64836754d06a58933f9d98039ab0d0a6757f5d2fbdd1dd485984c7f8a2f1ec35a2a6a5b1050ddc7c98c7dd8d467826a5d53a9d455e5c8c97fd14
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5f4eba250208aa1bd2e61cba730e2956e
SHA16c6e89f1da92b2e29ab837edf702f7062a82a282
SHA2569246542bf42eb06de043e9f5168478e80885b8c7fe3e8d45f2f047981bf9d2f5
SHA5122cd5679e74ed838de01c340b64d6ef59bf5482a5364bbdfb851c775b3dea55387f356eef3497d60d20f215f03fa1be6feaa4c5829b230f285624f72711974779
-
C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exeFilesize
127KB
MD5b4d0b69f3c391acca7128a66abd480f7
SHA18ccac1861f4c544c51a5c7d4a0fb32796ab30488
SHA256349b87c3ebd55cab9daa375c468b62be416063af859a16bed78cf4bd06fb5c07
SHA5129578df157aafc7740e12952d1abba08fa9e032fc73073e1787fffb7e24ce6963d98d7bdd4539297be0123626efdfccb63c7dea411d82ceef7bf6197ff2806ff1
-
C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exeFilesize
12.1MB
MD5750015e08a9409c80cd3837daebb970a
SHA1bfd1122f8c459862717b0b7a50b7216fc2573880
SHA2563c413ee4b07c531c891ac1852d3d1b6a60bdc92e549e9cf4744d4fe85ebb5de2
SHA512f35938eac84d6084d9239977462c965bab95924895cd2b73e501a7d7c2ff400aaeaefbdc3302ac8f8c13cd49e22d19e95ef530cf1cc10f79f6ab62653021e5ac
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctn0htp5.q5v.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\melt.txtFilesize
45B
MD5c65dda57254957c2ad83b548c55b42a5
SHA1d88daf5dd37726325a30a3078c254128f5579f85
SHA256adae127291a1d4f70e9ff1258044a01d95176fd9bb2c303ab94f3e62db429a44
SHA512d74c977dd16046f024a6b012322dcfd0380fcc58a5db5e96d350852723bc1404d49a67d6185210711a24b9aeb94974212f4e056590e0742937821a459ba628b6
-
C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exeFilesize
33KB
MD523fb3146d1455b890afdbd9511b48351
SHA19e0118366167c76de2d88fb354606d5e58677eb7
SHA25658c8e3599d16762dfc51decf16c3d014cd8c8dd1aab59a0acff5372c5182bda7
SHA51292a816b16f854cb19a28a9bd186223dd3f7961800b6486b32be1f270b26a0240c0f68ebe0f6c555b72f0e3388f3aa1a061fad50c0b09aaec1af9de1185fc8cf4
-
C:\Users\Admin\AppData\Local\Temp\script.vbsFilesize
1KB
MD577a4da4863ffcaba51ce05d3c632158d
SHA1253f9a594a6ca3a7a23acb90f8dc81939215ba4b
SHA256ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f
SHA512ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf
-
C:\Users\Admin\AppData\Local\Temp\windows.exeFilesize
145KB
MD5aa4ba7df205e6f0dc8d847ab3c3681c2
SHA1bb8c96c2f736f1d5f1923fc3b20f53b890b98e46
SHA25659a0bd599e306457164b08b7fe23bbf4fe92b202beaad836d6faa28da61073ca
SHA5120f8f57de1251e3102d1db2c72ed7c3f7cc1d12c3ce561a275d4d280944f77952970464c553da3ce6ce88e9462033818ed186e83eba1b8853d16d28bcc7140450
-
memory/248-306-0x00007FFF244F3000-0x00007FFF244F5000-memory.dmpFilesize
8KB
-
memory/248-20-0x00000000001D0000-0x0000000000DEA000-memory.dmpFilesize
12.1MB
-
memory/248-17-0x00007FFF244F3000-0x00007FFF244F5000-memory.dmpFilesize
8KB
-
memory/412-51-0x0000000005570000-0x0000000005B9A000-memory.dmpFilesize
6.2MB
-
memory/412-223-0x0000000072460000-0x00000000724AC000-memory.dmpFilesize
304KB
-
memory/1108-270-0x0000000072460000-0x00000000724AC000-memory.dmpFilesize
304KB
-
memory/1172-214-0x0000000072460000-0x00000000724AC000-memory.dmpFilesize
304KB
-
memory/1172-50-0x0000000004840000-0x0000000004876000-memory.dmpFilesize
216KB
-
memory/1372-39-0x0000000001A30000-0x0000000001A40000-memory.dmpFilesize
64KB
-
memory/2008-241-0x0000000072460000-0x00000000724AC000-memory.dmpFilesize
304KB
-
memory/2300-191-0x0000000072460000-0x00000000724AC000-memory.dmpFilesize
304KB
-
memory/2368-66-0x0000000006320000-0x0000000006386000-memory.dmpFilesize
408KB
-
memory/2368-65-0x0000000006280000-0x00000000062A2000-memory.dmpFilesize
136KB
-
memory/2368-67-0x0000000006400000-0x0000000006466000-memory.dmpFilesize
408KB
-
memory/2368-180-0x0000000072460000-0x00000000724AC000-memory.dmpFilesize
304KB
-
memory/2368-72-0x0000000006530000-0x0000000006887000-memory.dmpFilesize
3.3MB
-
memory/2404-321-0x000000001D910000-0x000000001D972000-memory.dmpFilesize
392KB
-
memory/2808-71-0x000000001DBE0000-0x000000001DEF0000-memory.dmpFilesize
3.1MB
-
memory/2808-49-0x000000001C050000-0x000000001C09C000-memory.dmpFilesize
304KB
-
memory/2808-48-0x0000000000D90000-0x0000000000D98000-memory.dmpFilesize
32KB
-
memory/2808-47-0x000000001BEF0000-0x000000001BF8C000-memory.dmpFilesize
624KB
-
memory/2808-46-0x000000001B970000-0x000000001BE3E000-memory.dmpFilesize
4.8MB
-
memory/2808-45-0x000000001B3F0000-0x000000001B496000-memory.dmpFilesize
664KB
-
memory/3228-204-0x0000000072460000-0x00000000724AC000-memory.dmpFilesize
304KB
-
memory/3556-250-0x0000000072460000-0x00000000724AC000-memory.dmpFilesize
304KB
-
memory/4292-179-0x0000000007B20000-0x000000000819A000-memory.dmpFilesize
6.5MB
-
memory/4292-190-0x0000000007560000-0x000000000756A000-memory.dmpFilesize
40KB
-
memory/4292-158-0x0000000006190000-0x00000000061AE000-memory.dmpFilesize
120KB
-
memory/4292-159-0x00000000064E0000-0x000000000652C000-memory.dmpFilesize
304KB
-
memory/4292-260-0x0000000007730000-0x0000000007745000-memory.dmpFilesize
84KB
-
memory/4292-279-0x0000000007830000-0x000000000784A000-memory.dmpFilesize
104KB
-
memory/4292-280-0x0000000007820000-0x0000000007828000-memory.dmpFilesize
32KB
-
memory/4292-213-0x00000000076F0000-0x0000000007701000-memory.dmpFilesize
68KB
-
memory/4292-203-0x0000000007770000-0x0000000007806000-memory.dmpFilesize
600KB
-
memory/4292-259-0x0000000007720000-0x000000000772E000-memory.dmpFilesize
56KB
-
memory/4292-167-0x0000000006760000-0x0000000006794000-memory.dmpFilesize
208KB
-
memory/4292-189-0x00000000074E0000-0x00000000074FA000-memory.dmpFilesize
104KB
-
memory/4292-177-0x0000000007160000-0x000000000717E000-memory.dmpFilesize
120KB
-
memory/4292-178-0x0000000007380000-0x0000000007424000-memory.dmpFilesize
656KB
-
memory/4292-168-0x0000000072460000-0x00000000724AC000-memory.dmpFilesize
304KB
-
memory/4328-261-0x0000000072460000-0x00000000724AC000-memory.dmpFilesize
304KB
-
memory/4468-232-0x0000000072460000-0x00000000724AC000-memory.dmpFilesize
304KB