Analysis
-
max time kernel
94s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
23-12-2024 19:08
Behavioral task
behavioral1
Sample
Venom Client/Venom.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Venom Client/Venom.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Venom Client/freeglut.dll
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
Venom Client/freeglut.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Venom Client/venomsba.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Venom Client/venomsba.dll
Resource
win10v2004-20241007-en
General
-
Target
Venom Client/Venom.exe
-
Size
74KB
-
MD5
c745590f5b7590f217bb204d27e91a00
-
SHA1
9d60ffc369b1fbdae8549b859729f47477658ddd
-
SHA256
dfb98932671339fb633c74180dba3810d9382e56618d75b3f67ae2ba3206aa1d
-
SHA512
5c6082eb180abeceda71ac259f9fef4bd90b47e3d2adf05280f7e0a3e3b6bed1508a0e09d6f5bcbcc7bfa868b0fc2fd9ff00dab7121baa778e575eed32dddaf3
-
SSDEEP
1536:ZUNwcxbUTCrmPMVIEh3kLuaIsH1bTc6yOQzc2LVclN:ZUicxbgwmPMVffAH1bTVQPBY
Malware Config
Extracted
asyncrat
-
version
Venom RAT + HVNC + Stealer + Grabber v6.0.3
-
botnet
Default
-
mutex
wgzvrzpksxgiaglrvq
-
c2_url_file
https://paste.ee/r/Wp7LQ/0
-
delay
1
-
install
true
-
install_file
System.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
resource yara_rule
behavioral2/memory/5004-1-0x0000000000EA0000-0x0000000000EB8000-memory.dmp VenomRAT
behavioral2/files/0x000a000000023b8d-12.dat VenomRAT
-
Venomrat family
-
Async RAT payload 1 IoCs
resource yara_rule
behavioral2/files/0x000a000000023b8d-12.dat family_asyncrat
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Venom.exe
-
Executes dropped EXE 1 IoCs
pid Process 216 System.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 3708 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4384 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process
5004 Venom.exe (23 entries)
216 System.exe (3 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 5004 Venom.exe
Token: SeDebugPrivilege 216 System.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 216 System.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target
PID 5004 wrote to memory of 4896 5004 Venom.exe 83
PID 5004 wrote to memory of 4896 5004 Venom.exe 83
PID 5004 wrote to memory of 4872 5004 Venom.exe 84
PID 5004 wrote to memory of 4872 5004 Venom.exe 84
PID 4872 wrote to memory of 3708 4872 cmd.exe 88
PID 4872 wrote to memory of 3708 4872 cmd.exe 88
PID 4896 wrote to memory of 4384 4896 cmd.exe 87
PID 4896 wrote to memory of 4384 4896 cmd.exe 87
PID 4872 wrote to memory of 216 4872 cmd.exe 89
PID 4872 wrote to memory of 216 4872 cmd.exe 89
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Venom Client\Venom.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Venom Client\Venom.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5004

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID:4896

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'
      - Scheduled Task/Job: Scheduled Task
      PID:4384

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7F23.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID:4872

    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
      PID:3708

    C:\Users\Admin\AppData\Roaming\System.exe
      Command line: "C:\Users\Admin\AppData\Roaming\System.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID:216
-
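The two cmd.exe branches in the process tree above are the sample's whole persistence procedure: a schtasks /create with /sc onlogon and /rl highest whose action points into %AppData%, and a tmp*.bat stub in %Temp% that sleeps with timeout and then launches the dropped System.exe. The Python below is an added detection example written for this page, not part of the sandbox report or of any vendor tool. It runs over a constructed process-creation trace rebuilt from the report's PIDs, images and command lines (parent links follow the WriteProcessMemory pairs); the ppid 1 root, the PID 700 benign control task and the rule names are assumptions.

```python
"""Detection logic for the persistence chain in the process tree above:
cmd.exe -> schtasks /create /sc onlogon /rl highest /tr <path under AppData>,
and cmd.exe -> %Temp%\tmpXXXX.tmp.bat -> timeout N -> <dropped exe under AppData>.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon event ID 1 would carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Paths an unprivileged user can write to; a logon task whose action lives
# here is user-installed, not an OS or vendor task.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)"
    r"|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)
# A batch file launched out of a Temp directory (the tmp7F23.tmp.bat stub).
TEMP_BAT = re.compile(r'\\Temp\\[^"\s]*\.bat\b', re.I)
QUOTED_OR_WORD = r"""'[^']*'|"[^"]*"|\S+"""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline: str) -> dict[str, str] | None:
    """Return /sc, /rl, /tn and /tr of a `schtasks /create` line, else None."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*?/create\b", cmdline, re.I):
        return None

    def opt(name: str, pattern: str = r"\S+") -> str:
        m = re.search(r"/%s\s+(%s)" % (name, pattern), cmdline, re.I)
        return m.group(1) if m else ""

    # /tr is often double-wrapped ('"C:\...\System.exe"'), so strip both quote kinds.
    return {
        "sc": opt("sc").lower(),
        "rl": opt("rl").lower(),
        "tn": opt("tn", QUOTED_OR_WORD).strip('"'),
        "tr": opt("tr", QUOTED_OR_WORD).strip("'").strip('"'),
    }


def detect(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the three behaviours."""
    findings: list[tuple[str, int, str]] = []
    for ev in events:
        task = parse_schtasks(ev.cmdline)
        if task and task["sc"] in {"onlogon", "onstart"} and USER_WRITABLE.search(task["tr"]):
            findings.append(("persistence.schtasks_logon_userpath", ev.pid,
                             "task %r runs %s at %s (rl=%s)"
                             % (task["tn"], task["tr"], task["sc"], task["rl"] or "default")))
        bat = TEMP_BAT.search(ev.cmdline)
        if basename(ev.image) == "cmd.exe" and bat:
            findings.append(("execution.cmd_temp_batch", ev.pid, bat.group(0)))

    # The third behaviour needs parent/child context: a cmd.exe that ran
    # timeout.exe and then an .exe from a user-writable path (the sleep-then-run stub).
    by_pid = {ev.pid: ev for ev in events}
    children: dict[int, list[ProcEvent]] = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or basename(parent.image) != "cmd.exe":
            continue
        if not any(basename(k.image) == "timeout.exe" for k in kids):
            continue
        for k in kids:
            if k.image.lower().endswith(".exe") and USER_WRITABLE.search(k.image):
                findings.append(("execution.delayed_dropped_exe", k.pid,
                                 "cmd.exe %d ran timeout.exe then %s" % (parent.pid, k.image)))
    return findings


# Constructed trace rebuilt from the report's PIDs, images and command lines;
# parent links follow its WriteProcessMemory pairs. The ppid 1 root and the
# PID 700 benign control task are assumptions, not from the report.
TASK_ARGS = r"""/create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'"""
SAMPLE_EVENTS = [
    ProcEvent(5004, 1, r"C:\Users\Admin\AppData\Local\Temp\Venom Client\Venom.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Venom Client\Venom.exe"'),
    ProcEvent(4896, 5004, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c schtasks ' + TASK_ARGS + " & exit"),
    ProcEvent(4384, 4896, r"C:\Windows\system32\schtasks.exe", "schtasks " + TASK_ARGS),
    ProcEvent(4872, 5004, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7F23.tmp.bat""'),
    ProcEvent(3708, 4872, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(216, 4872, r"C:\Users\Admin\AppData\Roaming\System.exe",
              r'"C:\Users\Admin\AppData\Roaming\System.exe"'),
    ProcEvent(700, 1, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print("%-38s pid=%-5d %s" % (rule, pid, detail))
```

The schtasks rule fires twice (on the cmd.exe wrapper and on schtasks.exe itself), which is what you will see in real telemetry too; the daily task under Program Files is deliberately not flagged, because the signal is the combination of a logon trigger, highest run level and a user-writable action path, not schtasks use on its own.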
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
150B
MD5
64e029dd65d8aec5f73d6ad8ad37366e
SHA1
397e209787763e34437d4115c41d5484d61a5fd2
SHA256
895b46721a831474f16e14be65b5d9d98bfe3d13d035e67c59f49f3349fdd25a
SHA512
4232baa02cff9d9b180648656cc1327389ed5b78ca7b0b37e5ef8e9708881bb5d7cc13790f332a4aa8d2d5b8b0d5640090485ec7ab12f822737f51b2c5f4b343
-
Filesize
8B
MD5
cf759e4c5f14fe3eec41b87ed756cea8
SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
74KB (same hashes as the submitted Venom.exe)
MD5
c745590f5b7590f217bb204d27e91a00
SHA1
9d60ffc369b1fbdae8549b859729f47477658ddd
SHA256
dfb98932671339fb633c74180dba3810d9382e56618d75b3f67ae2ba3206aa1d
SHA512
5c6082eb180abeceda71ac259f9fef4bd90b47e3d2adf05280f7e0a3e3b6bed1508a0e09d6f5bcbcc7bfa868b0fc2fd9ff00dab7121baa778e575eed32dddaf3