General

  • Target: VenomRatCrackedmain.zip
  • Size: 33.8MB
  • Sample: 240531-pphmjahe83
  • MD5: c8fba8be27bdfbe60de014aaecc83a68
  • SHA1: 8c9529de89bd53491e10c3e8c7b35c0d4400e6d1
  • SHA256: f911a357abf083c321d7240e1070b470c9d2a64c1503700dbec45980c88c0aa4
  • SHA512: dfab827a10867022a5833f1af71e5abb3915f792326956ed3859b57b9ef83f6d5cc1b87ffd34c827878289fe581968c75d5f279930ee023ea6496730a86d3c15
  • SSDEEP: 786432:Gm20c7pW2y9SIE9lzOG2WMJx+8PxQ4I+zFZx4vFqnb:FqKSIEztoJQ4nzFn4Fqnb

Malware Config

Extracted
  Family: njrat
  Version: 0.7d
  Botnet: HacKed
  C2: hackerguru.duckdns.org:6666
  Mutex: 8b3c87226fd3a4e8b8191141ea7a593c
  Attributes
    • reg_key: 8b3c87226fd3a4e8b8191141ea7a593c
    • splitter: |'|'|

Extracted
  Family: quasar
  Attributes
    • reconnect_delay: 5000

Targets

    • Target: Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html
      Size: 216B
      MD5: 30b4a82882d5ca65e0acbc7f9d53de96
      SHA1: ebd101d932923595c5b4fc3b56d74f866c19a50a
      SHA256: dab5e41df2ffbe1ee3c137427047112bf47031a8805531cf8013f0b3bd28cc2e
      SHA512: 8e4dd015b50b45fb891b6dd74d42df8702bf070291d7fbdde1459c11cec5594c0cf461b713b573ba59e158b8e486329a1dcc03b8dcf5afd0c4c7194d662c626a
      Score: 1/10

    • Target: Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html
      Size: 265B
      MD5: 9b89272b3c6a70ecffdb0da78e609110
      SHA1: ebf8310a853858f8082de7b63caba16d8313261d
      SHA256: 6e9e5ff4b4d55e4d40b4e2a38cda9e82efd4f28b32d73e49d6ca49249a850a32
      SHA512: 5bb1448b33550f004dae06cb5eba413f9cba8724d6603475c00c586c97869292b629f1c0d76ab30ccb2fd682a2389aa3db369a88172a6c0aee561188ad306f02
      Score: 1/10

    • Target: Venom-Rat-Cracked--main/Mono.Cecil.dll
      Size: 277KB
      MD5: 8df4d6b5dc1629fcefcdc20210a88eac
      SHA1: 16c661757ad90eb84228aa3487db11a2eac6fe64
      SHA256: 3e4288b32006fe8499b43a7f605bb7337931847a0aa79a33217a1d6d1a6c397e
      SHA512: 874b4987865588efb806a283b0e785fd24e8b1562026edd43050e150bce6c883134f3c8ad0f8c107b0fb1b26fce6ddcc7e344a5f55c3788dac35035b13d15174
      SSDEEP: 6144:iYOMWAEq+PAEwGQ9Xivs0s4EtS1Fv8jnLKdFvkPo2:AG+PpjQSHv8jA
      Score: 1/10

    • Target: Venom-Rat-Cracked--main/Mono.Nat.dll
      Size: 40KB
      MD5: bf929442b12d4b5f9906b29834bf7db1
      SHA1: 810a2b3c8e548d1df931538bc304cc1405f7a32b
      SHA256: b33435ac7cdefcf7c2adf96738c762a95414eb7a4967ef6b88dcda14d58bfee0
      SHA512: 9fcfaf48bfe5455a466e666bafa59a7348a736368daa892333cefa0cac22bcef3255f9cee24a70ed96011b73abea8e5d3dbf24876cffa81e0b532df41dd81828
      SSDEEP: 768:yoVesKx0V2LpibQJxoKUDHj560aSX3zlJAO:lVespQibC+H56k3fF
      Score: 1/10

    • Target: Venom-Rat-Cracked--main/VelyseTheme.dll
      Size: 51KB
      MD5: 52bfce7e8dc04712cd2091c12f126f77
      SHA1: 0b695c88d3abb7c69aefc9a6f5e82445e515ec43
      SHA256: b332daac3b130051e8d2a5fd325d6d094ca1c9a602b45667855341f4cb9100ae
      SHA512: 0619e44efc0030d5fa18cff2bca8f89923a7caa2209ef63bfc3b48a6de00946ea676afb428bf26bac5f891901f42935222e2a64a959ff764fb4d84c746971db8
      SSDEEP: 768:fRbo8VVXLD92auFWwnDvL9yQfRchDX3cpYXKxEaXOZ4jXBTGCe3Tj3WjR:Jb/nLkx8Qqcps8EaXO8GCe3Tyl
      Score: 1/10

    • Target: Venom-Rat-Cracked--main/Venom Activated Cracked.exe
      Size: 10.1MB
      MD5: 4dabfeed4b250a3248714458ae370ca8
      SHA1: 6e215b2a20039a4dbde18579a1419a4eb10946ac
      SHA256: eb23cbc820d2b8fdc0227b2e89274edf2671163cae40e0a9bb930b91c05ac3a9
      SHA512: 7ea826cf27da942ce2e9db4a800b3c247670a8fc260af8686d14c48583f38f14b935d5af282a3774a9811f0957ca7318dc883307254554e907f7cfb5f6419a4c
      SSDEEP: 196608:m6+0f/ylacMb5mCbClb12UK4RDx5gRIAL1xXPm68DwOHRR+kc4N4FmDdgW7NaREE:m0f/KacMbR2J2UKEdiRIAL1xXPCwkEn7
      Score: 8/10
      • Modifies Windows Firewall
      • Checks computer location settings
        Looks up country code configured in the registry, likely geofence.
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops autorun.inf file
        Malware can abuse Windows Autorun to spread further via attached volumes.


    • Target: Majid Z Hacker.exe
      Size: 462KB
      MD5: a8a8d6f3b48466242959545235d1c9b6
      SHA1: 0c2d670dc3b3b07a2498756e1d46fd1fee53a621
      SHA256: 09d709640f6884d6b7e7501175cfdcc3724df07785c081c0e14b20cbcdf382ec
      SHA512: 09f08dd6026b2e24a05e20505723055deceffaba3d351dd49cdc934d038ef0796a3d8d481fe7734b3ec3ba80f4800994983441204dbc3f12baf4f637534a4796
      SSDEEP: 12288:6rs81bE0LfUk6XLbwxMY4R/3CDOpeYYhN7zjYC/M:6H5rh6XPbYuCDOpmPzjZM
      Score: 8/10
      • Modifies Windows Firewall
      • Checks computer location settings
        Looks up country code configured in the registry, likely geofence.
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops autorun.inf file
        Malware can abuse Windows Autorun to spread further via attached volumes.


    • Target: Majid Z Hacker.exe
      Size: 413KB
      MD5: d546dc22ad3450598ab32de298a72a80
      SHA1: 6c0b509488bdb86a679a4499e6ebf276ac9d8ea1
      SHA256: b29885d1b7a7710d0bb85861609520cc7bd53524ab5525cd9b9c47690f0103a2
      SHA512: 79e5bca20e23b0cff3d7d98003ae6d69d8932a75eeff23f31ec4c0aae93a02d41593c60d3a6fcb8a06600e21bfa7190210e4842bcba3ba8e9a7d62f344b48980
      SSDEEP: 12288:6+81qE0efXk6XLUwx7YfR43JDOpedYhN7zf+:6o5yU6XIGYqJDOpJPzf+
      • Contains code to disable Windows Defender
        A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
      • Modifies Windows Defender Real-time Protection settings
      • njRAT/Bladabindi
        Widely used RAT written in .NET.
      • Modifies Windows Firewall
      • Checks computer location settings
        Looks up country code configured in the registry, likely geofence.
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • UPX packed file
        Detects executables packed with UPX/modified UPX open source packer.
      • Adds Run key to start application
      • Looks up external IP address via web service
        Uses a legitimate IP lookup service to find the infected system's external IP.
      • AutoIT Executable
        AutoIT scripts compiled to PE executables.


    • Target: Windows Program.exe
      Size: 356KB
      MD5: 470c1aaa600dfd81af4cfb23bee7490c
      SHA1: 17cc0969b22f293b9bab656da3c9e4e4f6a3dbd0
      SHA256: 438c6c0291603bd92a66731abcf32e478dc19093c1c0f3c75ee5117192913809
      SHA512: 9a9927ce72abab495474fcc153dc65fcbe15f46cd08e03e892f05b1ad2025d80301b40cf922fee9bbfb4cc2aeffe867a772bc381c1694289e13cf1fde591fbee
      SSDEEP: 6144:nuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLT/yXiJxKM0Z:u6Wq4aaE6KwyF5L0Y2D1PqLB6Z
      Score: 7/10
      • Drops startup file
      • Loads dropped DLL
      • UPX packed file
        Detects executables packed with UPX/modified UPX open source packer.
      • Adds Run key to start application
      • Looks up external IP address via web service
        Uses a legitimate IP lookup service to find the infected system's external IP.
      • AutoIT Executable
        AutoIT scripts compiled to PE executables.


    • Target: script.vbs
      Size: 1KB
      MD5: 77a4da4863ffcaba51ce05d3c632158d
      SHA1: 253f9a594a6ca3a7a23acb90f8dc81939215ba4b
      SHA256: ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f
      SHA512: ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf
      Score: 10/10
      • Modifies Windows Defender Real-time Protection settings
      • Checks computer location settings
        Looks up country code configured in the registry, likely geofence.


    • Target: windows registry.exe
      Size: 23KB
      MD5: 0e61e56cab42baa9ac421252c13809ed
      SHA1: f058e2efd1181d5285eef36fa2bae9658ccc20f9
      SHA256: 6f788d9f8b51ba8321f1837e02d10c5d94efc74c7be26f734c34a4d602b8d1bc
      SHA512: e5cd90240468d86f5230d1c9f7c355c32cdbf3b5a0c041914d009c8145d260f469f75cf28e2b307964c64b6c6255a6fc6e258b5bb6525b50824365227c38e624
      SSDEEP: 384:3oWSkWHa55BgDVRGipkItzY6vZg36Eh7FpmRvR6JZlbw8hqIusZzZPZ:QJuk9pHRpcnuS
      • njRAT/Bladabindi
        Widely used RAT written in .NET.
      • Modifies Windows Firewall
      • Drops startup file
      • Adds Run key to start application


    • Target: firewall.exe
      Size: 40KB
      MD5: 085242fc50844dc41d1966e620d3e121
      SHA1: 5e9a343256313938468d5d4fb92e39c5ef6f8c91
      SHA256: 180b8e0169f2c89d3b4f34d3ee5b26f5578211068be74cf9c2fd194d8cda9b3d
      SHA512: 3341c74802aa98ce2bd7b15d2921d3082110c62ee6d82df784cb610c1594d905c82c6ae79cf43d76f98db7a8a4951686898ba1dddeb9615fca6480ac6bb7887b
      SSDEEP: 768:6LY4BORYOvIqY4EoURZW/CtjZ7wPda7+WoSKD4+:6qIfoU/W/Ctt7w1mo
      Score: 8/10
      • Modifies Windows Firewall
      • Drops startup file
      • Adds Run key to start application
      • Drops autorun.inf file
        Malware can abuse Windows Autorun to spread further via attached volumes.


    • Target: Venom Cracked.exe
      Size: 12.1MB
      MD5: 750015e08a9409c80cd3837daebb970a
      SHA1: bfd1122f8c459862717b0b7a50b7216fc2573880
      SHA256: 3c413ee4b07c531c891ac1852d3d1b6a60bdc92e549e9cf4744d4fe85ebb5de2
      SHA512: f35938eac84d6084d9239977462c965bab95924895cd2b73e501a7d7c2ff400aaeaefbdc3302ac8f8c13cd49e22d19e95ef530cf1cc10f79f6ab62653021e5ac
      SSDEEP: 196608:vThKmURVoq/uR12RVoq/uR1bnhmdmARsDymuPP3m:PCd/i14d/i1bn0oAWdG3m
      Score: 1/10

    • Target: Venom-Rat-Cracked--main/Venom Binder.exe
      Size: 3.5MB
      MD5: d4fd9db0eb77efac83278a095c28e6aa
      SHA1: f10c82e115ad196f9cac23a201f72b9a5256d0e1
      SHA256: 94dbdb36d17f7b5dc5d34763eefb877756bbeaedeb7d41bc35de9e6c03ba983c
      SHA512: 2666ab45d0d7a7a933f7f91a5e3e88894d637704e20b165a41d662425f9baddf5e442e1d75a4abd541e695f83c2315752b54064e146650e87db17f777ad27cac
      SSDEEP: 98304:g31LR0+MzOMmbeZVv6PGpctX70MAt3gJwBXQnU:gU+lMmbgTclqlgA
      Score: 1/10

    • Target: Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe
      Size: 9.8MB
      MD5: 1947749a785b384a9bfe51d57c796ae9
      SHA1: db986cb4503589a2319e596b799c878ec4d4a990
      SHA256: 6018e4099dca3d452ecc8fe34f5e6d00b2b43c5c21cdea1b4c53c7025376048a
      SHA512: 3e82f60c595a5fc25043729366137ea35f2037bf23b78248cf8946a2edb39c6af4c9159c9c5b6c876148ef8b06468d975a4f6e413319b6ebc9712920f3c5829e
      SSDEEP: 196608:w6+0f/ylacMb5mCbClb12UK4RDx5gRIAL1xXPm68DwOHRR+kc4N4FmDdgW7U:40f/KacMbR2J2UKEdiRIAL1xXPCwkEn3
      • Contains code to disable Windows Defender
        A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
      • Modifies Windows Defender Real-time Protection settings
      • Modifies Windows Firewall
      • Checks computer location settings
        Looks up country code configured in the registry, likely geofence.
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Reads data files stored by FTP clients
        Tries to access configuration files associated with programs like FileZilla.
      • Reads user/profile data of web browsers
        Infostealers often target stored browser data, which can include saved credentials etc.
      • Adds Run key to start application
      • Drops autorun.inf file
        Malware can abuse Windows Autorun to spread further via attached volumes.


    • Target: Majid Z Hacker Website.exe
      Size: 127KB
      MD5: b4d0b69f3c391acca7128a66abd480f7
      SHA1: 8ccac1861f4c544c51a5c7d4a0fb32796ab30488
      SHA256: 349b87c3ebd55cab9daa375c468b62be416063af859a16bed78cf4bd06fb5c07
      SHA512: 9578df157aafc7740e12952d1abba08fa9e032fc73073e1787fffb7e24ce6963d98d7bdd4539297be0123626efdfccb63c7dea411d82ceef7bf6197ff2806ff1
      SSDEEP: 3072:iqRaMrUwmuvDWLcg0CmHmFXfy57jQtMrpGIXFb177dWVqu:inx1FWmxf87UIXpl7dWVR
      • Contains code to disable Windows Defender
        A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
      • Modifies Windows Defender Real-time Protection settings
      • Modifies Windows Firewall
      • Checks computer location settings
        Looks up country code configured in the registry, likely geofence.
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Reads data files stored by FTP clients
        Tries to access configuration files associated with programs like FileZilla.
      • Reads user/profile data of web browsers
        Infostealers often target stored browser data, which can include saved credentials etc.
      • Adds Run key to start application
      • Drops autorun.inf file
        Malware can abuse Windows Autorun to spread further via attached volumes.


MITRE ATT&CK Matrix (ATT&CK v13)

Initial Access
  • Replication Through Removable Media (T1091): 5

Persistence
  • Create or Modify System Process (T1543): 11
    • Windows Service (T1543.003): 11
  • Boot or Logon Autostart Execution (T1547): 8
    • Registry Run Keys / Startup Folder (T1547.001): 8

Privilege Escalation
  • Create or Modify System Process (T1543): 11
    • Windows Service (T1543.003): 11
  • Boot or Logon Autostart Execution (T1547): 8
    • Registry Run Keys / Startup Folder (T1547.001): 8

Defense Evasion
  • Modify Registry (T1112): 16
  • Impair Defenses (T1562): 11
    • Disable or Modify Tools (T1562.001): 4
    • Disable or Modify System Firewall (T1562.004): 7
  • Subvert Trust Controls (T1553): 2
    • Install Root Certificate (T1553.004): 2

Credential Access
  • Unsecured Credentials (T1552): 4
    • Credentials In Files (T1552.001): 4

Discovery
  • Query Registry (T1012): 9
  • System Information Discovery (T1082): 16

Lateral Movement
  • Replication Through Removable Media (T1091): 5

Collection
  • Data from Local System (T1005): 4

Tasks

  • static1: upx, hacked, njrat, quasar; Score 10/10
  • behavioral1: Score 1/10
  • behavioral2: Score 1/10
  • behavioral3: Score 1/10
  • behavioral4: Score 1/10
  • behavioral5: Score 1/10
  • behavioral6: Score 1/10
  • behavioral7: Score 1/10
  • behavioral8: Score 1/10
  • behavioral9: Score 1/10
  • behavioral10: Score 1/10
  • behavioral11: evasion, persistence; Score 8/10
  • behavioral12: evasion; Score 8/10
  • behavioral13: evasion, persistence; Score 8/10
  • behavioral14: evasion; Score 8/10
  • behavioral15: njrat, hacked, evasion, persistence, trojan, upx; Score 10/10
  • behavioral16: njrat, evasion, persistence, trojan, upx; Score 10/10
  • behavioral17: persistence, upx; Score 7/10
  • behavioral18: persistence, upx; Score 7/10
  • behavioral19: evasion, trojan; Score 10/10
  • behavioral20: evasion, trojan; Score 10/10
  • behavioral21: njrat, evasion, persistence, trojan; Score 10/10
  • behavioral22: njrat, evasion, persistence, trojan; Score 10/10
  • behavioral23: evasion, persistence; Score 8/10
  • behavioral24: evasion, persistence; Score 8/10
  • behavioral25: Score 1/10
  • behavioral26: Score 1/10
  • behavioral27: Score 1/10
  • behavioral28: Score 1/10
  • behavioral29: evasion, persistence, spyware, stealer, trojan; Score 10/10
  • behavioral30: evasion, persistence, spyware, stealer, trojan; Score 10/10
  • behavioral31: evasion, persistence, spyware, stealer, trojan; Score 10/10
  • behavioral32: evasion, persistence, spyware, stealer, trojan; Score 10/10