Overview (score 10)
Static (score 10)

Behavioral tasks (score per task)
 #    Sample                   Platform             Score
 1    Venom-Rat-...0.html      windows7-x64         1
 2    Venom-Rat-...0.html      windows10-2004-x64   1
 3    Venom-Rat-...0.html      windows7-x64         1
 4    Venom-Rat-...0.html      windows10-2004-x64   1
 5    Venom-Rat-...il.dll      windows7-x64         1
 6    Venom-Rat-...il.dll      windows10-2004-x64   1
 7    Venom-Rat-...at.dll      windows7-x64         1
 8    Venom-Rat-...at.dll      windows10-2004-x64   1
 9    Venom-Rat-...me.dll      windows7-x64         1
 10   Venom-Rat-...me.dll      windows10-2004-x64   1
 11   Venom-Rat-...ed.exe      windows7-x64         8
 12   Venom-Rat-...ed.exe      windows10-2004-x64   8
 13   Majid Z Hacker.exe       windows7-x64         8
 14   Majid Z Hacker.exe       windows10-2004-x64   8
 15   Majid Z Hacker.exe       windows7-x64         10
 16   Majid Z Hacker.exe       windows10-2004-x64   10
 17   Windows Program.exe      windows7-x64         7
 18   Windows Program.exe      windows10-2004-x64   7
 19   script.vbs               windows7-x64         10
 20   script.vbs               windows10-2004-x64   10
 21   windows registry.exe     windows7-x64         10
 22   windows registry.exe     windows10-2004-x64   10
 23   firewall.exe             windows7-x64         8
 24   firewall.exe             windows10-2004-x64   -
 25   Venom Cracked.exe        windows7-x64         1
 26   Venom Cracked.exe        windows10-2004-x64   1
 27   Venom-Rat-...er.exe      windows7-x64         1
 28   Venom-Rat-...er.exe      windows10-2004-x64   1
 29   Venom-Rat-...ed.exe      windows7-x64         10
 30   Venom-Rat-...ed.exe      windows10-2004-x64   10
 31   Majid Z Ha...te.exe      windows7-x64         10
 32   Majid Z Ha...te.exe      windows10-2004-x64   10

Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 12:30
Behavioral tasks
 Task           Resource                 Sample
 behavioral1    win7-20240221-en         Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html
 behavioral2    win10v2004-20240508-en   Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html
 behavioral3    win7-20240221-en         Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html
 behavioral4    win10v2004-20240508-en   Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html
 behavioral5    win7-20240221-en         Venom-Rat-Cracked--main/Mono.Cecil.dll
 behavioral6    win10v2004-20240426-en   Venom-Rat-Cracked--main/Mono.Cecil.dll
 behavioral7    win7-20240221-en         Venom-Rat-Cracked--main/Mono.Nat.dll
 behavioral8    win10v2004-20240508-en   Venom-Rat-Cracked--main/Mono.Nat.dll
 behavioral9    win7-20231129-en         Venom-Rat-Cracked--main/VelyseTheme.dll
 behavioral10   win10v2004-20240508-en   Venom-Rat-Cracked--main/VelyseTheme.dll
 behavioral11   win7-20240215-en         Venom-Rat-Cracked--main/Venom Activated Cracked.exe
 behavioral12   win10v2004-20240508-en   Venom-Rat-Cracked--main/Venom Activated Cracked.exe
 behavioral13   win7-20240220-en         Majid Z Hacker.exe
 behavioral14   win10v2004-20240508-en   Majid Z Hacker.exe
 behavioral15   win7-20240508-en         Majid Z Hacker.exe
 behavioral16   win10v2004-20240508-en   Majid Z Hacker.exe
 behavioral17   win7-20240221-en         Windows Program.exe
 behavioral18   win10v2004-20240426-en   Windows Program.exe
 behavioral19   win7-20240508-en         script.vbs
 behavioral20   win10v2004-20240426-en   script.vbs
 behavioral21   win7-20240508-en         windows registry.exe
 behavioral22   win10v2004-20240508-en   windows registry.exe
 behavioral23   win7-20240419-en         firewall.exe
 behavioral24   win10v2004-20240426-en   firewall.exe
 behavioral25   win7-20240221-en         Venom Cracked.exe
 behavioral26   win10v2004-20240426-en   Venom Cracked.exe
 behavioral27   win7-20240221-en         Venom-Rat-Cracked--main/Venom Binder.exe
 behavioral28   win10v2004-20240508-en   Venom-Rat-Cracked--main/Venom Binder.exe
 behavioral29   win7-20240221-en         Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe
 behavioral30   win10v2004-20240426-en   Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe
 behavioral31   win7-20240508-en         Majid Z Hacker Website.exe
 behavioral32   win10v2004-20240508-en   Majid Z Hacker Website.exe
General
- Target: Windows Program.exe
- Size: 356KB
- MD5: 470c1aaa600dfd81af4cfb23bee7490c
- SHA1: 17cc0969b22f293b9bab656da3c9e4e4f6a3dbd0
- SHA256: 438c6c0291603bd92a66731abcf32e478dc19093c1c0f3c75ee5117192913809
- SHA512: 9a9927ce72abab495474fcc153dc65fcbe15f46cd08e03e892f05b1ad2025d80301b40cf922fee9bbfb4cc2aeffe867a772bc381c1694289e13cf1fde591fbee
- SSDEEP: 6144:nuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLT/yXiJxKM0Z:u6Wq4aaE6KwyF5L0Y2D1PqLB6Z
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes:
    description    ioc                                                                                         process
    File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DNLEWE.lnk     Windows Program.exe
-
  Processes:
    resource                                                                      yara_rule
    behavioral18/memory/556-0-0x0000000000400000-0x00000000004CA000-memory.dmp     upx
    behavioral18/memory/556-15-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
    behavioral18/memory/556-16-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
    behavioral18/memory/556-17-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
    behavioral18/memory/556-18-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
    behavioral18/memory/556-19-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
    behavioral18/memory/556-21-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
    behavioral18/memory/556-22-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
    behavioral18/memory/556-23-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
    behavioral18/memory/556-24-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
    behavioral18/memory/556-25-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
    behavioral18/memory/556-26-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
    behavioral18/memory/556-27-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
    behavioral18/memory/556-28-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
    behavioral18/memory/556-29-0x0000000000400000-0x00000000004CA000-memory.dmp    upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description       ioc                                                                                                                                                                                  process
    Set value (str)   \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DNLEWE = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Windows Program.exe\""   Windows Program.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    1      ipapi.co
    2      ipapi.co
- AutoIT Executable (14 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes:
    resource                                                                      yara_rule
    behavioral18/memory/556-15-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
    behavioral18/memory/556-16-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
    behavioral18/memory/556-17-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
    behavioral18/memory/556-18-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
    behavioral18/memory/556-19-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
    behavioral18/memory/556-21-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
    behavioral18/memory/556-22-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
    behavioral18/memory/556-23-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
    behavioral18/memory/556-24-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
    behavioral18/memory/556-25-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
    behavioral18/memory/556-26-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
    behavioral18/memory/556-27-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
    behavioral18/memory/556-28-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
    behavioral18/memory/556-29-0x0000000000400000-0x00000000004CA000-memory.dmp    autoit_exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    556   Windows Program.exe   (the same entry for all 64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    556   Windows Program.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process               target process
    PID 556 wrote to memory of 2232   556   Windows Program.exe   WSCript.exe
    PID 556 wrote to memory of 2232   556   Windows Program.exe   WSCript.exe
    PID 556 wrote to memory of 2232   556   Windows Program.exe   WSCript.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Windows Program.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Windows Program.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\WSCript.exe
    command line: WSCript C:\Users\Admin\AppData\Local\Temp\DNLEWE.vbs
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\DNLEWE.vbs
  Filesize: 850B
  MD5: 59ccb6ffd3155d4e1e16509c1d2b424b
  SHA1: c4b3aaa2e1f972aa6f1ae4a1543452d93bf1491c
  SHA256: ba844c991f9fc79f240573cf20e975ac60ae70adc4f45298059e53474df49d1c
  SHA512: 8b1f99c486b756305dc3480182e2b6a37454e156050da9a3e2ff21ce131e7a34a3ebe740f7f07ed17e79e79a5ddf4213e509d009391d69c317b643b5f183b053
- memory/556-22-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB
- memory/556-23-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB
- memory/556-16-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB
- memory/556-17-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB
- memory/556-18-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB
- memory/556-19-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB
- memory/556-15-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB
- memory/556-0-0x0000000000400000-0x00000000004CA000-memory.dmp    Filesize: 808KB
- memory/556-21-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB
- memory/556-24-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB
- memory/556-25-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB
- memory/556-26-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB
- memory/556-27-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB
- memory/556-28-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB
- memory/556-29-0x0000000000400000-0x00000000004CA000-memory.dmp   Filesize: 808KB