668bf9ed54120899b86b21a8aa1df1075937b8c05cfca52817746b6e418e2006

Analysis

max time kernel
438s
max time network
551s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10-12-2024 22:19

Target

VenomRAT_v6.0.3.rar
Size

92.3MB
MD5

7cbabf71dd915f44b67f1765e805e5ab
SHA1

bc44d2fd089fc818824a5eb8f3c4310636dc2b81
SHA256

668bf9ed54120899b86b21a8aa1df1075937b8c05cfca52817746b6e418e2006
SHA512

9a3171a9c0f813b2c228348d2d4a3b94457578a6d1d5f80d7780fffcc3d67731b49b2cfe38f6ba4498203f1551e7c1cbc7b60d2ccc4dd8412943bc634a870509
SSDEEP

1572864:Ox40amHGeCj7VmyotHgaspW71f6xJgOBWWqwGaoAaCAOEFHiWlMvbRje/L20J1XP:raCj7VJoBgaMW75KC1Wq0TUORWudA203

Score

7^/10

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x001c00000002aa89-3.dat	net_reactor
behavioral1/memory/1884-5-0x00000265CFD10000-0x00000265D055C000-memory.dmp	net_reactor

Executes dropped EXE 7 IoCs

pid	Process
1884	Venom RAT + HVNC + Stealer + Grabber.exe
3624	Venom RAT + HVNC + Stealer + Grabber.exe
952	Venom RAT + HVNC + Stealer + Grabber.exe
2244	Venom RAT + HVNC + Stealer + Grabber.exe
3612	Venom RAT + HVNC + Stealer + Grabber.exe
3868	Venom RAT + HVNC + Stealer + Grabber.exe
3412	Venom RAT + HVNC + Stealer + Grabber.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1496	7zFM.exe
1496	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1496	7zFM.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	1496	7zFM.exe
Token: 35	1496	7zFM.exe
Token: SeSecurityPrivilege	1496	7zFM.exe
Token: SeDebugPrivilege	1884	Venom RAT + HVNC + Stealer + Grabber.exe
Token: SeSecurityPrivilege	1496	7zFM.exe
Token: SeDebugPrivilege	3624	Venom RAT + HVNC + Stealer + Grabber.exe
Token: SeDebugPrivilege	952	Venom RAT + HVNC + Stealer + Grabber.exe
Token: SeDebugPrivilege	2244	Venom RAT + HVNC + Stealer + Grabber.exe
Token: SeDebugPrivilege	3612	Venom RAT + HVNC + Stealer + Grabber.exe
Token: SeDebugPrivilege	3868	Venom RAT + HVNC + Stealer + Grabber.exe
Token: SeDebugPrivilege	3412	Venom RAT + HVNC + Stealer + Grabber.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 3624	1496	7zFM.exe	84
PID 1496 wrote to memory of 3624	1496	7zFM.exe	84

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4408

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\db37fd08-d5dd-4bff-a182-1e1af1dd0fad.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Desktop\Venom RAT + HVNC + Stealer + Grabber.exe

Filesize
8.3MB

MD5
d3731f0b18e95da5c477cce1c13913ca

SHA1
10870da4f1880f7b48ce2530c929f4d5c8760cc1

SHA256
a0df1f45f393c5b249f77f57c2647fd80631de1aaa77dbc318ddd853abbdffe5

SHA512
3d273cd7bc73fa03d8c498c1ac3d423cac7e23fe266e3a1b32f93ab1e9c29c341e1ae8e1305d310486762998bca2ec8d711698a73428d2180f683ecbd2364865

Download Submit
memory/1884-4-0x00007FFE87FF3000-0x00007FFE87FF5000-memory.dmp

Filesize
8KB

Download
memory/1884-5-0x00000265CFD10000-0x00000265D055C000-memory.dmp

Filesize
8.3MB

Download
memory/1884-6-0x00007FFE87FF0000-0x00007FFE88AB2000-memory.dmp

Filesize
10.8MB

Download
memory/1884-7-0x00007FFE87FF0000-0x00007FFE88AB2000-memory.dmp

Filesize
10.8MB

Download