Analysis Overview
SHA256
46c17ffefbfcaa044cbbcbb33d6219da84538c22a51e53bff647c87da33a0bd9
Threat Level: Known bad
The file VenomRAT.v6.0.3.+SOURCE.7z was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
Stormkitty family
AsyncRat
Async RAT payload
Asyncrat family
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-07-01 22:49
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Asyncrat family
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-01 22:47
Reported
2024-07-01 22:52
Platform
win11-20240611-en
Max time kernel
145s
Max time network
156s
Command Line
Signatures
AsyncRat
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.111.243.30:443 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3892-0-0x00007FFF81873000-0x00007FFF81875000-memory.dmp
memory/3892-1-0x0000016126F70000-0x0000016127DA4000-memory.dmp
memory/3892-2-0x0000016143760000-0x0000016144B64000-memory.dmp
memory/3892-3-0x0000016142870000-0x0000016142D82000-memory.dmp
memory/3892-4-0x00000161425B0000-0x0000016142802000-memory.dmp
memory/3892-6-0x0000016142530000-0x0000016142580000-memory.dmp
memory/3892-5-0x0000016142FC0000-0x0000016143098000-memory.dmp
memory/3892-7-0x00007FFF81870000-0x00007FFF82332000-memory.dmp
memory/3892-8-0x0000016146590000-0x0000016146D4E000-memory.dmp
memory/3892-9-0x00000161473F0000-0x0000016147A82000-memory.dmp
memory/3892-10-0x0000016146D50000-0x00000161470EC000-memory.dmp
memory/3892-11-0x0000016147A90000-0x0000016147F14000-memory.dmp
memory/3892-12-0x0000016142810000-0x0000016142830000-memory.dmp
memory/3892-13-0x00007FFF81870000-0x00007FFF82332000-memory.dmp
memory/3892-14-0x0000016147F20000-0x0000016148132000-memory.dmp
memory/3892-15-0x00000161430A0000-0x0000016143253000-memory.dmp
memory/3892-17-0x00007FFF81870000-0x00007FFF82332000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-01 22:47
Reported
2024-07-01 22:50
Platform
win11-20240611-en
Max time kernel
24s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\hvnc.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\hvnc.exe"
Network
Files
memory/1208-0-0x00007FFF60233000-0x00007FFF60235000-memory.dmp
memory/1208-1-0x0000000000F70000-0x0000000000F80000-memory.dmp
memory/1208-3-0x00007FFF60230000-0x00007FFF60CF2000-memory.dmp
memory/1208-4-0x00007FFF60230000-0x00007FFF60CF2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-01 22:47
Reported
2024-07-01 22:50
Platform
win11-20240611-en
Max time kernel
0s
Command Line
Signatures
AsyncRat
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\ClientAny.exe"
Network
Files
memory/1336-0-0x00007FFB1E9F3000-0x00007FFB1E9F5000-memory.dmp
memory/1336-1-0x00000000000B0000-0x00000000000C8000-memory.dmp
memory/1336-3-0x00007FFB1E9F0000-0x00007FFB1F4B2000-memory.dmp
memory/1336-4-0x00007FFB1E9F0000-0x00007FFB1F4B2000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-01 22:47
Reported
2024-07-01 22:54
Platform
win11-20240508-en
Max time kernel
203s
Max time network
220s
Command Line
Signatures
AsyncRat
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe"
Network
Files
memory/1040-1-0x00000000000A0000-0x00000000000B8000-memory.dmp
memory/1040-0-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp
memory/1040-3-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
memory/1040-4-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-01 22:47
Reported
2024-07-01 22:52
Platform
win11-20240508-en
Max time kernel
86s
Max time network
106s
Command Line
Signatures
AsyncRat
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx86.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx86.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx86.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx86.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3812 -ip 3812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 1044
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3812-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp
memory/3812-1-0x0000000000CD0000-0x0000000000CE8000-memory.dmp
memory/3812-2-0x0000000005C40000-0x00000000061E6000-memory.dmp
memory/3812-4-0x0000000074ED0000-0x0000000075681000-memory.dmp
memory/3812-5-0x0000000074ED0000-0x0000000075681000-memory.dmp