Overview

overview

10

Static

static

3

VenomRATv6.0.3.exe

windows7-x64

10

VenomRATv6.0.3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 20:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VenomRATv6.0.3.exe

  • Size

    14.3MB

  • MD5

    674fb9de862cbbb47a6ab5a7adb91d7e

  • SHA1

    5895e99a1cb66771735bb93d6fc85110d064ac88

  • SHA256

    dcb9b3bd02e4bca6dab8da73cfe8ff256cf70b2fef9aebd35f9c860b2e1df60e

  • SHA512

    444d9c6519c1564520a93ca49edf1a7bb742043f53bcf3cb6fe7ae5561253515f39aa197cb39d10a140ac2fdf3b4986034d9f6f2264000965bd2eba94ec99602

  • SSDEEP

    393216:vPv87RoDvSCG33lKqxsyEFfy1MpRt/RlY1V:vPv8727S/nweEFPRt5W1V

Score
10/10
asyncratvenomratxwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:4444

heheyanel.ddns.net:4444
Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Activator.exe

  • telegram

    https://api.telegram.org/bot7427144754:AAHRLM93AsaKo2dFejmZxunuQW0uH41yfn0/sendMessage?chat_id=7294780361

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Detect Xworm Payload 4 IoCs
  • VenomRAT 2 IoCs

    Detects VenomRAT.

    rat
  • Venomrat family
    venomrat
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\VenomRATv6.0.3.exe
    "C:\Users\Admin\AppData\Local\Temp\VenomRATv6.0.3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe
      "C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1724 -s 528
        3⤵
          PID:836
      • C:\Users\Admin\AppData\Roaming\venom.exe
        "C:\Users\Admin\AppData\Roaming\venom.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2280
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\venom.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2872
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'venom.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2524
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2500
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2956
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2744
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {D062D8EC-1716-411D-9AFC-EC10BBE39E0C} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\ProgramData\svchost
        C:\ProgramData\svchost
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2076
      • C:\ProgramData\svchost
        C:\ProgramData\svchost
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:880

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      e97c4121c61ddd84f7e51a3a745a37ce

      SHA1

      d4e16a22fe1f61bf4ffebed4952f7575046e40ea

      SHA256

      9090b3e3beb11edaabf4e8b4e049c4041399e9b20b5d256fb35e66af93c72d75

      SHA512

      77826f4741b33bb5b1f9f854d5ae4d680e3909b3db8db5f42667a69b2e9401ec321debfd8d50c27c0f3ce1eed32fb4db49f0e6455ca1f08763a7abba9fce0565

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe
      Filesize

      14.2MB

      MD5

      3b3a304c6fc7a3a1d9390d7cbff56634

      SHA1

      e8bd5244e6362968f5017680da33f1e90ae63dd7

      SHA256

      7331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58

      SHA512

      7f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\venom.exe
      Filesize

      81KB

      MD5

      ac5c47b2a86a3042f02e26a338e99466

      SHA1

      98e8c13d41179575145cdc800e603b467c2b18f1

      SHA256

      837d509ad49a587036361ee7fc30f5b18238bb98a310418298b5a6c1d350cb96

      SHA512

      8468268c03c0e286fdd767f961e90ade962ee46b8e12eddbb3204e77aa26475add2a8d8e61e6c8dd08952a0571942915b926192b34029155489813221d7135b3

      Download Submit

    • memory/880-48-0x0000000000330000-0x000000000034A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1724-14-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1724-15-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1724-9-0x0000000000480000-0x00000000012B4000-memory.dmp

      Filesize

      14.2MB

      Download

    • memory/2076-45-0x00000000010D0000-0x00000000010EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2280-13-0x00000000008D0000-0x00000000008EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2296-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2296-1-0x00000000009F0000-0x000000000183E000-memory.dmp

      Filesize

      14.3MB

      Download

    • memory/2524-27-0x000000001B650000-0x000000001B932000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2524-28-0x0000000002860000-0x0000000002868000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2872-20-0x000000001B700000-0x000000001B9E2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2872-21-0x0000000001E20000-0x0000000001E28000-memory.dmp

      Filesize

      32KB

      Download