Analysis

  • max time kernel
    152s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 12:30

General

  • Target
    Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe
  • Size
    9.8MB
  • MD5
    1947749a785b384a9bfe51d57c796ae9
  • SHA1
    db986cb4503589a2319e596b799c878ec4d4a990
  • SHA256
    6018e4099dca3d452ecc8fe34f5e6d00b2b43c5c21cdea1b4c53c7025376048a
  • SHA512
    3e82f60c595a5fc25043729366137ea35f2037bf23b78248cf8946a2edb39c6af4c9159c9c5b6c876148ef8b06468d975a4f6e413319b6ebc9712920f3c5829e
  • SSDEEP
    196608:w6+0f/ylacMb5mCbClb12UK4RDx5gRIAL1xXPm68DwOHRR+kc4N4FmDdgW7U:40f/KacMbR2J2UKEdiRIAL1xXPCwkEn3

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-seen.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Software RAT Activated Cracked.exe
    "C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Software RAT Activated Cracked.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe
      "C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe"
      2⤵
      • Executes dropped EXE
      PID:2888
    • C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe
      "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe
        "C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
        • C:\ProgramData\microsoft corporation.exe
          "C:\ProgramData\microsoft corporation.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          PID:2988
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\ProgramData\microsoft corporation.exe" "microsoft corporation.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            PID:2516
      • C:\Users\Admin\AppData\Local\Temp\windows.exe
        "C:\Users\Admin\AppData\Local\Temp\windows.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:2576
        • C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe
          "C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops autorun.inf file
          • Checks processor information in registry
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:708
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious use of WriteProcessMemory
          PID:2520
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2524
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1252
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2376
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2824
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2060
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1664
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:608
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1704
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2592
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2676
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2100
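The process tree above, together with the Signatures section, shows four behaviours worth turning into detection logic: the WScript.exe chain that drives powershell.exe to run Set-MpPreference with weakening values (the Disable* switches set to $true, MAPSReporting 0, SubmitSamplesConsent 2 meaning never submit samples, and the *ThreatDefaultAction values set to 6 meaning Allow), netsh whitelisting a binary under C:\ProgramData, a script host spawning PowerShell, and vendor-named executables ("microsoft corporation.exe", "windows.exe") running from user-writable paths. The following is an added example, not part of the sandbox report: it runs those rules over Sysmon-style process-creation records (field names Image, ParentImage, CommandLine, ProcessId are assumed). The sample events are constructed from the tree above plus two benign control events; the list of user-writable locations is a hypothetical starting point.

```python
"""Detection rules for the Defender/firewall tampering and masquerading
seen in the process tree above.  Added example; events are CONSTRUCTED
from the report, and the Sysmon-style field names are an assumption."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Set-MpPreference arguments that weaken Defender, with the values the
# sample passes: $true for the Disable* switches, 0 = MAPS reporting off,
# 2 = SubmitSamplesConsent "never send", 6 = *ThreatDefaultAction "Allow".
_WEAKENING = [re.compile(p, re.IGNORECASE) for p in (
    r"-(Disable(?:RealtimeMonitoring|BehaviorMonitoring|BlockAtFirstSeen"
    r"|IOAVProtection|ScriptScanning))\s+\$true\b",
    r"-(MAPSReporting)\s+0\b",
    r"-(SubmitSamplesConsent)\s+2\b",
    r"-((?:Low|Moderate|High|Severe)ThreatDefaultAction)\s+6\b",
)]
# Legacy "netsh firewall add allowedprogram <path> ..." syntax used by the sample.
_FW_ALLOW = re.compile(
    r'\bnetsh\b.*\bfirewall\b.*\badd\s+allowedprogram\s+"([^"]+)"', re.IGNORECASE)
# Hypothetical list of locations a standard user can write to; extend per estate.
_USER_WRITABLE = re.compile(r"^C:\\(?:ProgramData|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)
_SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
_VENDOR_LURE = re.compile(r"microsoft|windows|adobe", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _check(ev):
    """Yield every rule hit for one process-creation event."""
    image, parent, cmd, pid = ev["Image"], ev["ParentImage"], ev["CommandLine"], ev["ProcessId"]
    base, pbase = ntpath.basename(image).lower(), ntpath.basename(parent).lower()
    if "set-mppreference" in cmd.lower():
        for rx in _WEAKENING:            # $false / non-weakening values do not match
            m = rx.search(cmd)
            if m:
                yield Finding("defender_tamper", pid, m.group(1))
    if pbase in _SCRIPT_HOSTS and base == "powershell.exe":
        yield Finding("script_host_spawns_powershell", pid, pbase)
    m = _FW_ALLOW.search(cmd)
    if m and _USER_WRITABLE.match(m.group(1)):
        yield Finding("firewall_allow_user_writable", pid, m.group(1))
    if _USER_WRITABLE.match(image) and _VENDOR_LURE.search(base):
        yield Finding("vendor_masquerade_user_path", pid, image)


def analyze(events):
    return [f for ev in events for f in _check(ev)]


def summarize(findings):
    """Count hits per rule, e.g. {'defender_tamper': 3, ...}."""
    return dict(Counter(f.rule for f in findings))


_PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
_WS = r"C:\Windows\SysWOW64\WScript.exe"
_MC_TEMP = r"C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe"
_MC_PD = r"C:\ProgramData\microsoft corporation.exe"

# CONSTRUCTED from the process tree above; the last two are benign controls.
SAMPLE_EVENTS = [
    {"ProcessId": 2988, "Image": _MC_PD, "ParentImage": _MC_TEMP, "CommandLine": f'"{_MC_PD}"'},
    {"ProcessId": 2516, "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": _MC_PD,
     "CommandLine": f'netsh firewall add allowedprogram "{_MC_PD}" "microsoft corporation.exe" ENABLE'},
    {"ProcessId": 2520, "Image": _WS, "ParentImage": _WS,
     "CommandLine": f'"{_WS}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\script.vbs" /elevate'},
    {"ProcessId": 2524, "Image": _PS, "ParentImage": _WS,
     "CommandLine": f'"{_PS}" Set-MpPreference -DisableRealtimeMonitoring $true'},
    {"ProcessId": 1704, "Image": _PS, "ParentImage": _WS,
     "CommandLine": f'"{_PS}" Set-MpPreference -HighThreatDefaultAction 6 -Force'},
    {"ProcessId": 608, "Image": _PS, "ParentImage": _WS,
     "CommandLine": f'"{_PS}" Set-MpPreference -MAPSReporting 0'},
    {"ProcessId": 708, "Image": r"C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\windows.exe", "CommandLine": "windows.exe"},
    # Admin re-enabling real-time protection from Explorer: must not fire.
    {"ProcessId": 4100, "Image": _PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{_PS}" Set-MpPreference -DisableRealtimeMonitoring $false'},
    # Installer whitelisting a binary under Program Files: must not fire.
    {"ProcessId": 4200, "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Program Files\Vendor\app.exe" "app" ENABLE'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
    print(summarize(analyze(SAMPLE_EVENTS)))
```

The rules key on the weakening values rather than on Set-MpPreference itself, so an administrator restoring protection ($false) is not flagged; the firewall rule fires only when the whitelisted path is user-writable, which is what separates this sample's netsh call from a legitimate installer. Running it on the constructed events yields three defender_tamper hits (PIDs 2524, 1704, 608), three script_host_spawns_powershell hits, one firewall_allow_user_writable hit and two vendor_masquerade_user_path hits.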

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access
  • Replication Through Removable Media (1) T1091

Persistence
  • Create or Modify System Process (2) T1543
    • Windows Service (2) T1543.003
  • Boot or Logon Autostart Execution (1) T1547
    • Registry Run Keys / Startup Folder (1) T1547.001

Privilege Escalation
  • Create or Modify System Process (2) T1543
    • Windows Service (2) T1543.003
  • Boot or Logon Autostart Execution (1) T1547
    • Registry Run Keys / Startup Folder (1) T1547.001

Defense Evasion
  • Modify Registry (2) T1112
  • Impair Defenses (2) T1562
    • Disable or Modify Tools (1) T1562.001
    • Disable or Modify System Firewall (1) T1562.004

Credential Access
  • Unsecured Credentials (2) T1552
    • Credentials In Files (2) T1552.001

Discovery
  • System Information Discovery (2) T1082
  • Query Registry (1) T1012

Lateral Movement
  • Replication Through Removable Media (1) T1091

Collection
  • Data from Local System (2) T1005

Downloads

  • C:\Users\Admin\AppData\Local\Temp\melt.txt
    Filesize 45B
    MD5 c65dda57254957c2ad83b548c55b42a5
    SHA1 d88daf5dd37726325a30a3078c254128f5579f85
    SHA256 adae127291a1d4f70e9ff1258044a01d95176fd9bb2c303ab94f3e62db429a44
    SHA512 d74c977dd16046f024a6b012322dcfd0380fcc58a5db5e96d350852723bc1404d49a67d6185210711a24b9aeb94974212f4e056590e0742937821a459ba628b6

  • C:\Users\Admin\AppData\Local\Temp\script.vbs
    Filesize 1KB
    MD5 77a4da4863ffcaba51ce05d3c632158d
    SHA1 253f9a594a6ca3a7a23acb90f8dc81939215ba4b
    SHA256 ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f
    SHA512 ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf

  • C:\Users\Admin\AppData\Local\Temp\windows.exe
    Filesize 145KB
    MD5 aa4ba7df205e6f0dc8d847ab3c3681c2
    SHA1 bb8c96c2f736f1d5f1923fc3b20f53b890b98e46
    SHA256 59a0bd599e306457164b08b7fe23bbf4fe92b202beaad836d6faa28da61073ca
    SHA512 0f8f57de1251e3102d1db2c72ed7c3f7cc1d12c3ce561a275d4d280944f77952970464c553da3ce6ce88e9462033818ed186e83eba1b8853d16d28bcc7140450

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize 7KB
    MD5 255463964525cc5e2c7d41ab139fc947
    SHA1 6c18353134eeefab22ba1875edca3465b937ecab
    SHA256 ffd2d2a910e8c0e979fbaa1c24d46a573c67c902a4651b3c24160e53addf7d83
    SHA512 c99d30d3769dfdfecbe7cd6d74e41859734aaafe3582d30630c40cd60f7fb87e8cd4fe32921a2b70f6eab5d25767143b83b6e62470c524917d38a36c663e446d

  • \Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe
    Filesize 127KB
    MD5 b4d0b69f3c391acca7128a66abd480f7
    SHA1 8ccac1861f4c544c51a5c7d4a0fb32796ab30488
    SHA256 349b87c3ebd55cab9daa375c468b62be416063af859a16bed78cf4bd06fb5c07
    SHA512 9578df157aafc7740e12952d1abba08fa9e032fc73073e1787fffb7e24ce6963d98d7bdd4539297be0123626efdfccb63c7dea411d82ceef7bf6197ff2806ff1

  • \Users\Admin\AppData\Local\Temp\Venom Cracked.exe
    Filesize 12.1MB
    MD5 750015e08a9409c80cd3837daebb970a
    SHA1 bfd1122f8c459862717b0b7a50b7216fc2573880
    SHA256 3c413ee4b07c531c891ac1852d3d1b6a60bdc92e549e9cf4744d4fe85ebb5de2
    SHA512 f35938eac84d6084d9239977462c965bab95924895cd2b73e501a7d7c2ff400aaeaefbdc3302ac8f8c13cd49e22d19e95ef530cf1cc10f79f6ab62653021e5ac

  • \Users\Admin\AppData\Local\Temp\microsoft corporation.exe
    Filesize 33KB
    MD5 23fb3146d1455b890afdbd9511b48351
    SHA1 9e0118366167c76de2d88fb354606d5e58677eb7
    SHA256 58c8e3599d16762dfc51decf16c3d014cd8c8dd1aab59a0acff5372c5182bda7
    SHA512 92a816b16f854cb19a28a9bd186223dd3f7961800b6486b32be1f270b26a0240c0f68ebe0f6c555b72f0e3388f3aa1a061fad50c0b09aaec1af9de1185fc8cf4

  • memory/2888-16-0x000007FEF5753000-0x000007FEF5754000-memory.dmp
    Filesize 4KB

  • memory/2888-31-0x0000000000880000-0x000000000149A000-memory.dmp
    Filesize 12.1MB

  • memory/2888-101-0x000007FEF5753000-0x000007FEF5754000-memory.dmp
    Filesize 4KB