Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-08-2024 19:00
Behavioral task: behavioral1
- Sample: c35c9895b90a75a0d8dd13c38c9fe565e693887f96334ea3ae762a160027ef8c.exe
- Resource: win7-20240704-en
- 5 signatures
- 150 seconds
General
- Target: c35c9895b90a75a0d8dd13c38c9fe565e693887f96334ea3ae762a160027ef8c.exe
- Size: 74KB
- MD5: 5bf4e6ee7c17815fa84e47b8e70cc562
- SHA1: 445024fe41a4e64db7dfcfa3ddb4e991f1420e94
- SHA256: c35c9895b90a75a0d8dd13c38c9fe565e693887f96334ea3ae762a160027ef8c
- SHA512: 4ad41ab0a5180dcc96f8cc512ea1e284ef08593c27be1c022709f2003f0d7509d6b1382873807631781f248e7d722187d016dfdd6e778a2f0366fc0a4595299d
- SSDEEP: 1536:vUFAcxehvCw2PMVDe9VdQuDI6H1bf/RyZNpHpEQzceLVclN:vU6cxe1/2PMVDe9VdQsH1bf5yZzHpEQS
Malware Config (Extracted)
- Family: asyncrat
- Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Botnet: Default
- C2: 86.208.62.200:4449
- Mutex: eobsjccgfymzffybs
- Attributes:
  - delay: 1
  - install: false
  - install_file: mama
  - install_folder: %AppData%
  - aes.plain
Signatures
- VenomRAT (yara_rule)
  resource: behavioral2/memory/2152-1-0x0000000000C30000-0x0000000000C48000-memory.dmp
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 2152, Process c35c9895b90a75a0d8dd13c38c9fe565e693887f96334ea3ae762a160027ef8c.exe (8 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2152, Process c35c9895b90a75a0d8dd13c38c9fe565e693887f96334ea3ae762a160027ef8c.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2152, Process c35c9895b90a75a0d8dd13c38c9fe565e693887f96334ea3ae762a160027ef8c.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c35c9895b90a75a0d8dd13c38c9fe565e693887f96334ea3ae762a160027ef8c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c35c9895b90a75a0d8dd13c38c9fe565e693887f96334ea3ae762a160027ef8c.exe"
  PID: 2152
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx