Analysis
- max time kernel: 147s
- max time network: 159s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 27/09/2024, 20:17
Behavioral tasks (all run on resource win11-20240802-en)
- behavioral1: Randome.zip
- behavioral2: GMAIL/Gmail.exe
- behavioral3: Instagram VM.exe
- behavioral4: LazyAIO/LazyAIO.exe
- behavioral5: Minecraft/Minecraft.exe
- behavioral6: Numify v3-Cracked by SpArtOr.exe
- behavioral7: VenomRAT v6.0.3_p_/Keylogger.exe
- behavioral8: VenomRAT v6.0.3_p_/Plugins/hvnc.exe
- behavioral9: VenomRAT v6.0.3_p_/Stub/ClientAny.exe
- behavioral10: VenomRAT v6.0.3_p_/Venom RAT_p_.exe
General
- Target: VenomRAT v6.0.3_p_/Venom v6.0.3.exe
- Size: 14.3MB
- MD5: f847c6b988dcc932d1a31171160cf69e
- SHA1: 1b40d91ad3ef9b5e4174aec276f906fe9adda9ed
- SHA256: d75d343cc6593b2cbcd2b64963d8ba7764b9517a12298baea07c0efc6252b0a8
- SHA512: 25dc413fa52556e7792eeea575a0654927204fb1d53b5110baee1da7f1ca67fa0c466970021ab4d173f231c41e8c321a991dd4124a0a1d6f9f8db990826087a9
- SSDEEP: 393216:RR4JtH5KnO38c9+kq/s03jHHTbO+hYxyPzF:4bH5Yc8c9g/j3jtlB
Malware Config (extracted)
- asyncrat
- Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Default
- 93.82.44.26:4040
- nheplizwdi
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  resource: behavioral11/files/0x000400000002a974-18.dat, yara_rule: family_asyncrat
- Executes dropped EXE (3 IoCs)
  PID 1452 sistrdzthu.exe; PID 3352 Venomrat.exe; PID 2756 Venom RAT + HVNC + Stealer + Grabber.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Venom v6.0.3.exe; Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by sistrdzthu.exe
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  PID 3352 Venomrat.exe (8 entries); PID 2756 Venom RAT + HVNC + Stealer + Grabber.exe (26 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3352 Venomrat.exe; Token: SeDebugPrivilege, PID 2756 Venom RAT + HVNC + Stealer + Grabber.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 3352 Venomrat.exe; PID 2756 Venom RAT + HVNC + Stealer + Grabber.exe (2 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 3736 Venom v6.0.3.exe wrote to memory of PID 1452, procid_target 78 (3 entries); PID 3736 Venom v6.0.3.exe wrote to memory of PID 3352, procid_target 79 (2 entries); PID 1452 sistrdzthu.exe wrote to memory of PID 2756, procid_target 80 (2 entries)
Processes
- "C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3_p_\Venom v6.0.3.exe" (PID 3736)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - child: "C:\Users\Admin\AppData\Local\Temp\sistrdzthu.exe" (PID 1452)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - child: "C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3_p_\Venom RAT + HVNC + Stealer + Grabber.exe" (PID 2756)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  - child: "C:\Users\Admin\AppData\Local\Temp\Venomrat.exe" (PID 3352)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- "C:\Windows\system32\wbem\WmiApSrv.exe" (PID 3604)
Network
MITRE ATT&CK Enterprise v15
Downloads