Analysis

max time kernel: 659s
max time network: 455s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 03-12-2024 12:27

Behavioral task: behavioral1
Sample: VenomRAT.7z
Resource: win10ltsc2021-20241023-en
General

Target: VenomRAT.7z
Size: 40.8MB
MD5: abb2579e0f83a603280f0b863b4650d8
SHA1: 2612ff4a34315f0ead610966d6e0f299987bbf53
SHA256: 2f9d75390cd901366aa5ae78d759cd42e1475e4cc9613b421967e4b32ff9cc6c
SHA512: 764fbe6f2e1cc34ebdd3e455e1ff468c2d0a19414abe5665669d0529c320a3b71aac118d04f4ed13cde4fd14d74599d4968869ca062ac4e33194dcda9d482adf
SSDEEP: 786432:RMTw8qqxhlpy2XedaVTZg/9DpMg8bRrLbOH4mL6QTd/B1m9CERhd0gfp:RCvx9ueypM7ZOH4/QvA9CEnWgB
Malware Config
Signatures

.NET Reactor protector (35 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor. All 35 hits are against memory dumps of PID 3680 (the extracted executable) and fall in three address ranges (0x7AB0000-0x8A30000, 0x8A30000-0x99B0000 and 0x8A30000-0x99A9000); no on-disk file is listed as matching, so the rule fired on the image as loaded in memory.

resource                                                                      yara_rule
behavioral1/memory/3680-17-0x0000000007AB0000-0x0000000008A30000-memory.dmp  net_reactor
behavioral1/memory/3680-21-0x0000000008A30000-0x00000000099B0000-memory.dmp  net_reactor
behavioral1/memory/3680-23-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-28-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-27-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-25-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-30-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-32-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-34-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-36-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-38-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-42-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-40-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-44-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-48-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-50-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-46-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-56-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-54-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-63-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-66-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-68-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-64-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-60-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-58-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-52-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-70-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-72-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-82-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-84-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-86-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-80-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-79-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-76-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
behavioral1/memory/3680-74-0x0000000008A30000-0x00000000099A9000-memory.dmp  net_reactor
Executes dropped EXE (1 IoC)

pid   Process
3680  Venom RAT + HVNC + Stealer + Grabber.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Venom RAT + HVNC + Stealer + Grabber.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. Note that all three hits come from taskmgr.exe (PID 1504), a top-level process with no parent or WriteProcessMemory link to the sample; Task Manager queries disk device names (the FriendlyName value is among the keys read) for its own display, so this signature should not be attributed to the sample (PID 3680).

description        ioc                                                                                                                                                            Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                          taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                             taskmgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid   Process
1504  taskmgr.exe (64 hits)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

pid   Process
2592  7zFM.exe
1504  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)

description                      pid   Process
Token: SeRestorePrivilege        2592  7zFM.exe
Token: 35                        2592  7zFM.exe
Token: SeSecurityPrivilege       2592  7zFM.exe
Token: SeDebugPrivilege          3680  Venom RAT + HVNC + Stealer + Grabber.exe
Token: SeDebugPrivilege          1504  taskmgr.exe
Token: SeSystemProfilePrivilege  1504  taskmgr.exe
Token: SeCreateGlobalPrivilege   1504  taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)

pid   Process
2592  7zFM.exe (2 hits)
1504  taskmgr.exe (62 hits)

Suspicious use of SendNotifyMessage (64 IoCs)

pid   Process
1504  taskmgr.exe (64 hits)

Suspicious use of WriteProcessMemory (3 IoCs)

description                       pid   Process   procid_target
PID 2592 wrote to memory of 3680  2592  7zFM.exe  87
PID 2592 wrote to memory of 3680  2592  7zFM.exe  87
PID 2592 wrote to memory of 3680  2592  7zFM.exe  87
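The signature rows above (the .NET Reactor memory hits, the two registry IoC sections and the WriteProcessMemory rows) are flattened text and are dominated by repeats. The following is an added example, not code from the report or from the sandbox, of normalising those rows into structured records so they can be triaged in bulk: it collapses the per-dump YARA hits to distinct address ranges, separates registry activity by process, and reduces the WriteProcessMemory rows to a parent/child edge. The sample rows are copied from this report; the ATT&CK mappings (T1614.001 for the NLS\Language read, T1497.001 for the SCSI device-key check) are the editor's assumption, since the report's own MITRE table is not reproduced on this page.

```python
"""Normalise flattened signature rows from a Triage-style sandbox report.

Added example for this page, not the sandbox's own code. It parses the
three row shapes visible in the report above and rolls them up so the
sample's own activity can be told apart from Task Manager noise. The
ATT&CK mapping is the editor's assumption, not a field of the report.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input: rows copied verbatim from the report above.
MEMORY_ROWS = r"""
behavioral1/memory/3680-17-0x0000000007AB0000-0x0000000008A30000-memory.dmp net_reactor
behavioral1/memory/3680-21-0x0000000008A30000-0x00000000099B0000-memory.dmp net_reactor
behavioral1/memory/3680-23-0x0000000008A30000-0x00000000099A9000-memory.dmp net_reactor
behavioral1/memory/3680-28-0x0000000008A30000-0x00000000099A9000-memory.dmp net_reactor
behavioral1/memory/3680-27-0x0000000008A30000-0x00000000099A9000-memory.dmp net_reactor
behavioral1/memory/3680-25-0x0000000008A30000-0x00000000099A9000-memory.dmp net_reactor
"""
REGISTRY_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Venom RAT + HVNC + Stealer + Grabber.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
"""
WPM_ROWS = """
PID 2592 wrote to memory of 3680 2592 7zFM.exe 87
PID 2592 wrote to memory of 3680 2592 7zFM.exe 87
PID 2592 wrote to memory of 3680 2592 7zFM.exe 87
"""

# resource column: <task>/memory/<pid>-<dump#>-0x<start>-0x<end>-memory.dmp <rule>
MEMORY_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<dump>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)
# registry rows: <action> <path> <process>; the process name may contain
# spaces, the path as printed by the sandbox does not.
REGISTRY_RE = re.compile(
    r"^(?P<action>Key opened|Key value queried)\s+(?P<path>\\REGISTRY\\\S+)\s+(?P<process>.+?)\s*$"
)
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+(?P<pid>\d+)\s+(?P<process>.+?)\s+(?P<target>\d+)$"
)
# Editor's mapping of registry path fragments to ATT&CK (assumption, see lead-in).
TECHNIQUES = (
    ("\\CONTROL\\NLS\\LANGUAGE", "T1614.001", "System Location Discovery: System Language Discovery"),
    ("\\ENUM\\SCSI\\", "T1497.001", "Virtualization/Sandbox Evasion: System Checks"),
)


def _rows(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def _match(regex, line):
    m = regex.match(line)
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    return m.groupdict()


def parse_memory_rows(text):
    """One dict per YARA hit, with addresses converted to integers."""
    rows = []
    for d in (_match(MEMORY_RE, ln) for ln in _rows(text)):
        rows.append({"task": d["task"], "pid": int(d["pid"]), "dump": int(d["dump"]),
                     "start": int(d["start"], 16), "end": int(d["end"], 16), "rule": d["rule"]})
    return rows


def distinct_regions(mem_rows):
    """Collapse per-dump hits to (pid, start, end, rule) -> hit count.
    The report's 35 rows reduce to three address ranges, all in PID 3680."""
    return Counter((r["pid"], r["start"], r["end"], r["rule"]) for r in mem_rows)


def parse_registry_rows(text):
    return [_match(REGISTRY_RE, ln) for ln in _rows(text)]


def attack_technique(path):
    """Return (id, name) for a registry path, or None if it is not mapped."""
    p = path.upper()
    for needle, tid, name in TECHNIQUES:
        if needle in p:
            return tid, name
    return None


def techniques_by_process(reg_rows):
    """Process -> set of technique ids; in this report it splits the sample's
    NLS read (PID 3680) from Task Manager's SCSI reads (PID 1504)."""
    out = defaultdict(set)
    for r in reg_rows:
        hit = attack_technique(r["path"])
        if hit:
            out[r["process"]].add(hit[0])
    return dict(out)


def parent_child_edges(text):
    """(writer pid, target pid, writer image) from WriteProcessMemory rows;
    the three identical rows collapse to a single 7zFM.exe -> 3680 edge."""
    return {(int(d["src"]), int(d["dst"]), d["process"])
            for d in (_match(WPM_RE, ln) for ln in _rows(text))}


if __name__ == "__main__":
    for (pid, start, end, rule), n in distinct_regions(parse_memory_rows(MEMORY_ROWS)).items():
        print(f"PID {pid} {rule} 0x{start:X}-0x{end:X} ({end - start} bytes, {n} hits)")
    for proc, tids in techniques_by_process(parse_registry_rows(REGISTRY_ROWS)).items():
        print(f"{proc}: {sorted(tids)}")
    print(parent_child_edges(WPM_ROWS))
```

Run as a script it prints the three deduplicated regions with their byte sizes, one technique set per process, and the single parent/child edge. Rows that do not match a known shape raise rather than being silently dropped, which is the behaviour you want when feeding report exports into a pipeline.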
Processes

C:\Program Files\7-Zip\7zFM.exe  (PID 2592, top level)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\VenomRAT.7z"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zO02AFACF7\Venom RAT + HVNC + Stealer + Grabber.exe  (PID 3680, child of 2592)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zO02AFACF7\Venom RAT + HVNC + Stealer + Grabber.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe  (PID 1504, top level)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

The 7zO02AFACF7 directory is the temporary folder 7-Zip File Manager extracts to when a file is opened directly from inside an archive, so the executable was launched from the archive by 7zFM.exe rather than extracted first; the "wrote to memory of 3680" rows on 7zFM.exe are consistent with a parent starting that child. taskmgr.exe is a separate top-level process with nothing in the tree linking it to the sample (no parent/child relation and no WriteProcessMemory row targeting 1504), so its signatures (process enumeration, SCSI key reads, window messaging) should be read as Task Manager's own activity. The behaviour attributable to the sample itself is the dropped-EXE execution, the .NET Reactor memory signature, the NLS\Language read and the SeDebugPrivilege request, all on PID 3680.
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 7.3MB
MD5: ad0ad41bed640b3331c1bc13099b32ff
SHA1: 5ebce59397c282b77ee8a2498095033ac68ddc04
SHA256: 2761f7bd15a3e4ce953dd3ceed0863751a0890fe99b58e0452fc0bd9b9fd24b0
SHA512: 9212304be53b5dc7d200fe7f84504f2f5e00550b5751369bb86fda034ea62fe917d23a8f61d2e2fce66a707e44b2d023dedcae46c92bb89417f5046e66005dc7