General
Target: VenomRAT v6.0.3.exe
Size: 14.3MB
Sample: 241223-y9dczszqcp
MD5: 674fb9de862cbbb47a6ab5a7adb91d7e
SHA1: 5895e99a1cb66771735bb93d6fc85110d064ac88
SHA256: dcb9b3bd02e4bca6dab8da73cfe8ff256cf70b2fef9aebd35f9c860b2e1df60e
SHA512: 444d9c6519c1564520a93ca49edf1a7bb742043f53bcf3cb6fe7ae5561253515f39aa197cb39d10a140ac2fdf3b4986034d9f6f2264000965bd2eba94ec99602
SSDEEP: 393216:vPv87RoDvSCG33lKqxsyEFfy1MpRt/RlY1V:vPv8727S/nweEFPRt5W1V
Static task: static1
Malware Config
Extracted
Family: xworm
C2: 127.0.0.1:4444
C2: heheyanel.ddns.net:4444
Install_directory: %ProgramData%
install_file: Activator.exe
telegram: https://api.telegram.org/bot7427144754:AAHRLM93AsaKo2dFejmZxunuQW0uH41yfn0/sendMessage?chat_id=7294780361
Targets
Target: VenomRAT v6.0.3.exe
- Asyncrat family
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)