Overview
overview
10Static
static
10Venom-Rat-...0.html
windows7-x64
1Venom-Rat-...0.html
windows10-2004-x64
1Venom-Rat-...0.html
windows7-x64
1Venom-Rat-...0.html
windows10-2004-x64
1Venom-Rat-...il.dll
windows7-x64
1Venom-Rat-...il.dll
windows10-2004-x64
1Venom-Rat-...at.dll
windows7-x64
1Venom-Rat-...at.dll
windows10-2004-x64
1Venom-Rat-...me.dll
windows7-x64
1Venom-Rat-...me.dll
windows10-2004-x64
1Venom-Rat-...ed.exe
windows7-x64
8Venom-Rat-...ed.exe
windows10-2004-x64
8Majid Z Hacker.exe
windows7-x64
8Majid Z Hacker.exe
windows10-2004-x64
8Majid Z Hacker.exe
windows7-x64
10Majid Z Hacker.exe
windows10-2004-x64
10Windows Program.exe
windows7-x64
7Windows Program.exe
windows10-2004-x64
7script.vbs
windows7-x64
10script.vbs
windows10-2004-x64
10windows registry.exe
windows7-x64
10windows registry.exe
windows10-2004-x64
10firewall.exe
windows7-x64
8firewall.exe
windows10-2004-x64
Venom Cracked.exe
windows7-x64
1Venom Cracked.exe
windows10-2004-x64
1Venom-Rat-...er.exe
windows7-x64
1Venom-Rat-...er.exe
windows10-2004-x64
1Venom-Rat-...ed.exe
windows7-x64
10Venom-Rat-...ed.exe
windows10-2004-x64
10Majid Z Ha...te.exe
windows7-x64
10Majid Z Ha...te.exe
windows10-2004-x64
10Analysis
-
max time kernel
138s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 12:30
Behavioral task
behavioral1
Sample
Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
Venom-Rat-Cracked--main/Mono.Cecil.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Venom-Rat-Cracked--main/Mono.Cecil.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
Venom-Rat-Cracked--main/Mono.Nat.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
Venom-Rat-Cracked--main/Mono.Nat.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
Venom-Rat-Cracked--main/VelyseTheme.dll
Resource
win7-20231129-en
Behavioral task
behavioral10
Sample
Venom-Rat-Cracked--main/VelyseTheme.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
Venom-Rat-Cracked--main/Venom Activated Cracked.exe
Resource
win7-20240215-en
Behavioral task
behavioral12
Sample
Venom-Rat-Cracked--main/Venom Activated Cracked.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
Majid Z Hacker.exe
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
Majid Z Hacker.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
Majid Z Hacker.exe
Resource
win7-20240508-en
Behavioral task
behavioral16
Sample
Majid Z Hacker.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
Windows Program.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
Windows Program.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
script.vbs
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
script.vbs
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
windows registry.exe
Resource
win7-20240508-en
Behavioral task
behavioral22
Sample
windows registry.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
firewall.exe
Resource
win7-20240419-en
Behavioral task
behavioral24
Sample
firewall.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral25
Sample
Venom Cracked.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
Venom Cracked.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral27
Sample
Venom-Rat-Cracked--main/Venom Binder.exe
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
Venom-Rat-Cracked--main/Venom Binder.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral29
Sample
Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral31
Sample
Majid Z Hacker Website.exe
Resource
win7-20240508-en
Behavioral task
behavioral32
Sample
Majid Z Hacker Website.exe
Resource
win10v2004-20240508-en
General
-
Target
script.vbs
-
Size
1KB
-
MD5
77a4da4863ffcaba51ce05d3c632158d
-
SHA1
253f9a594a6ca3a7a23acb90f8dc81939215ba4b
-
SHA256
ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f
-
SHA512
ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf
Malware Config
Signatures
-
Processes:
WScript.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection WScript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" WScript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" WScript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" WScript.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exeWScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 3972 powershell.exe 4596 powershell.exe 3060 powershell.exe 2392 powershell.exe 4992 powershell.exe 2980 powershell.exe 2980 powershell.exe 4940 powershell.exe 4940 powershell.exe 2892 powershell.exe 2892 powershell.exe 664 powershell.exe 664 powershell.exe 2100 powershell.exe 2100 powershell.exe 4012 powershell.exe 4012 powershell.exe 2100 powershell.exe 4596 powershell.exe 3972 powershell.exe 3972 powershell.exe 4596 powershell.exe 4992 powershell.exe 4992 powershell.exe 3060 powershell.exe 3060 powershell.exe 2392 powershell.exe 2392 powershell.exe 2892 powershell.exe 2980 powershell.exe 4940 powershell.exe 664 powershell.exe 4012 powershell.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3972 powershell.exe Token: SeDebugPrivilege 4596 powershell.exe Token: SeDebugPrivilege 4992 powershell.exe Token: SeDebugPrivilege 3060 powershell.exe Token: SeDebugPrivilege 2392 powershell.exe Token: SeDebugPrivilege 2980 powershell.exe Token: SeDebugPrivilege 4940 powershell.exe Token: SeDebugPrivilege 2892 powershell.exe Token: SeDebugPrivilege 664 powershell.exe Token: SeDebugPrivilege 2100 powershell.exe Token: SeDebugPrivilege 4012 powershell.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
WScript.exeWScript.exedescription pid process target process PID 2232 wrote to memory of 2908 2232 WScript.exe WScript.exe PID 2232 wrote to memory of 2908 2232 WScript.exe WScript.exe PID 2908 wrote to memory of 4992 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 4992 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 3972 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 3972 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 4596 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 4596 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 3060 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 3060 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 2392 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 2392 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 2980 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 2980 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 4940 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 4940 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 664 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 664 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 2892 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 2892 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 4012 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 4012 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 2100 2908 WScript.exe powershell.exe PID 2908 wrote to memory of 2100 2908 WScript.exe powershell.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate2⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 23⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 03⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 63⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 63⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 63⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5440cb38dbee06645cc8b74d51f6e5f71
SHA1d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA2568ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA5123aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD522747fd6c87011eae0f96fae5f3f865e
SHA1c17ab31d07c83f4c6d7479021a06664e56c64f50
SHA256cdbbe31fb09c9082c5c46ab3b47e1c8d1d726457e449397451a8a990ac5307ac
SHA51235fb7aae3117073c1defad32e47f78ebfacad13bea6cc96b78649e1c299fb6bc8867e7b2e54d39785b254b5c8fe23e007cdb7aba2577223fa2e5843885aa8f17
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD5a9500d211a9d97701ff1a306ea727f19
SHA14b9ebc421ab5c9b1cdbac9c06a43cee049a83568
SHA256c6728bd8e3ba6480b9f05a8c8cc235702fab5a5c5bc984bb0cb102a252dd2b83
SHA51247b48a3a068e60cc0e8b66e6c0058798e43591ff936cf28ca697da56e750197173e4fd4a9bc649698542c26ffcb65fca949187b77f0edb4cb584c6e2b4d4a428
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD5a5ace5b1e1392854c698257bee4f3e7a
SHA147aed60a3a2fc5157dd62b0849a411f616fb3072
SHA256c99619b5acdc7217bbd262106129ea1661b531c2890476300771b706477d9734
SHA512ed15a10ff08892d8a49b04c3b208016be3f416813ed233e30c2d41ceb0720b5c987101fa4dee8d5adafcfb823784c40011f1c1aba141110f3a7a5a276e14144e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD5ca885ce2b7a4be34acd565a65ea19984
SHA18c5d9a4507aab2ef743cd08cee8d0dff7a43bb99
SHA256c22434ffab6b0df6d60e3f56e0f87e550abd72566622de3d7458ba027ed7378c
SHA5121cba207f47a009cbc0fdf2a6cf13ef8215e7b28c7d0912006238db9c91dc23c0528e3ba87e02bddc6c7588b346954d4f9bbf426d80159d163318a8b63cc5cebe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD5393b0dd912015db6b9f455c13c931b61
SHA1423466b784b87d0924a441df0b201be898972d5f
SHA256a36a9813bf3b96ead474179b0a07fd96e13abc1920eb0a4828eca5fc34a27d12
SHA512b96f994b5a40b1e618886813cb5e2486ec0237de7d892ca10dbf7f441733b5161b30343de96e5b6df783373e02f14e41db5a5e63bed0aaaf907d1fb115041e0f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xvzjgamk.002.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/664-127-0x00000148DDEF0000-0x00000148DE10C000-memory.dmpFilesize
2.1MB
-
memory/2100-106-0x0000023CF5FF0000-0x0000023CF620C000-memory.dmpFilesize
2.1MB
-
memory/2392-116-0x00000220D9B90000-0x00000220D9DAC000-memory.dmpFilesize
2.1MB
-
memory/2892-113-0x0000026824DC0000-0x0000026824FDC000-memory.dmpFilesize
2.1MB
-
memory/2980-128-0x000001BE987C0000-0x000001BE989DC000-memory.dmpFilesize
2.1MB
-
memory/3060-119-0x000001DEC7A30000-0x000001DEC7C4C000-memory.dmpFilesize
2.1MB
-
memory/3972-9-0x00000207C5E30000-0x00000207C5E52000-memory.dmpFilesize
136KB
-
memory/3972-105-0x00000207C5AE0000-0x00000207C5CFC000-memory.dmpFilesize
2.1MB
-
memory/4012-131-0x0000021B2AA90000-0x0000021B2ACAC000-memory.dmpFilesize
2.1MB
-
memory/4596-109-0x0000029072310000-0x000002907252C000-memory.dmpFilesize
2.1MB
-
memory/4940-122-0x0000020C1F8F0000-0x0000020C1FB0C000-memory.dmpFilesize
2.1MB
-
memory/4992-110-0x00000226A2930000-0x00000226A2B4C000-memory.dmpFilesize
2.1MB