asyncrat | bb25e7f018e8369b7e9d15e5d2a384cb6768a05cb47f2029e1e80240e2d67fa7

Analysis

max time kernel
135s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VenomRAT v6.0.3_p_.rar
Size

96.2MB
MD5

095a7619dd15a4ae3ff91552089c4b5b
SHA1

73a2b56c2d1a558477f133981ea3c84675dccae6
SHA256

bb25e7f018e8369b7e9d15e5d2a384cb6768a05cb47f2029e1e80240e2d67fa7
SHA512

0d254a0cbb267700b7ea938f302719161af76177e94e6e08301b28fd1fa2e05b7187a4c7bdcc8229326209394314a79058f753a0205a55b83fd17f179a71034d
SSDEEP

1572864:CNO4d3H2na2C6+N0kgasoygQmsHhhcD0vMXz//1WEBHAusOvqPow7P2xOhyZGc9i:ED2C6sgatyDjHh5vluXqCmt

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

93.82.44.26:4040

Mutex

nheplizwdi

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0006000000019438-19.dat	family_asyncrat

Executes dropped EXE 10 IoCs

pid	Process
1536	Venom v6.0.3.exe
1888	sistrdzthu.exe
2660	Venomrat.exe
2600	Venom RAT + HVNC + Stealer + Grabber.exe
2128	Venom v6.0.3.exe
2252	sistrdzthu.exe
1052	Venomrat.exe
2440	Venom RAT + HVNC + Stealer + Grabber.exe
1968	Venom RAT_p_.exe
2608	Client.exe

Loads dropped DLL 7 IoCs

pid	Process
1536	Venom v6.0.3.exe
1536	Venom v6.0.3.exe
1888	sistrdzthu.exe
2128	Venom v6.0.3.exe
2128	Venom v6.0.3.exe
2252	sistrdzthu.exe
2696	7zFM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Venom v6.0.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sistrdzthu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Venom v6.0.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sistrdzthu.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2696	7zFM.exe
2696	7zFM.exe
2660	Venomrat.exe
2660	Venomrat.exe
2696	7zFM.exe
2696	7zFM.exe
2696	7zFM.exe
2696	7zFM.exe
2696	7zFM.exe
2696	7zFM.exe
2696	7zFM.exe
2660	Venomrat.exe
2696	7zFM.exe
2660	Venomrat.exe
2660	Venomrat.exe
2660	Venomrat.exe
2660	Venomrat.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2696	7zFM.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	2696	7zFM.exe
Token: 35	2696	7zFM.exe
Token: SeSecurityPrivilege	2696	7zFM.exe
Token: SeDebugPrivilege	2660	Venomrat.exe
Token: SeSecurityPrivilege	2696	7zFM.exe
Token: SeDebugPrivilege	1052	Venomrat.exe
Token: SeSecurityPrivilege	2696	7zFM.exe
Token: SeSecurityPrivilege	2696	7zFM.exe
Token: SeDebugPrivilege	2608	Client.exe
Token: 33	2928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2928	AUDIODG.EXE
Token: 33	2928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2928	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2696	7zFM.exe
2696	7zFM.exe
2696	7zFM.exe
2696	7zFM.exe
2696	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2660	Venomrat.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 1536	2696	7zFM.exe	30
PID 2696 wrote to memory of 1536	2696	7zFM.exe	30
PID 2696 wrote to memory of 1536	2696	7zFM.exe	30
PID 2696 wrote to memory of 1536	2696	7zFM.exe	30
PID 1536 wrote to memory of 1888	1536	Venom v6.0.3.exe	31
PID 1536 wrote to memory of 1888	1536	Venom v6.0.3.exe	31
PID 1536 wrote to memory of 1888	1536	Venom v6.0.3.exe	31
PID 1536 wrote to memory of 1888	1536	Venom v6.0.3.exe	31
PID 1536 wrote to memory of 2660	1536	Venom v6.0.3.exe	32
PID 1536 wrote to memory of 2660	1536	Venom v6.0.3.exe	32
PID 1536 wrote to memory of 2660	1536	Venom v6.0.3.exe	32
PID 1536 wrote to memory of 2660	1536	Venom v6.0.3.exe	32
PID 1888 wrote to memory of 2600	1888	sistrdzthu.exe	33
PID 1888 wrote to memory of 2600	1888	sistrdzthu.exe	33
PID 1888 wrote to memory of 2600	1888	sistrdzthu.exe	33
PID 1888 wrote to memory of 2600	1888	sistrdzthu.exe	33
PID 2600 wrote to memory of 340	2600	Venom RAT + HVNC + Stealer + Grabber.exe	34
PID 2600 wrote to memory of 340	2600	Venom RAT + HVNC + Stealer + Grabber.exe	34
PID 2600 wrote to memory of 340	2600	Venom RAT + HVNC + Stealer + Grabber.exe	34
PID 2696 wrote to memory of 2128	2696	7zFM.exe	35
PID 2696 wrote to memory of 2128	2696	7zFM.exe	35
PID 2696 wrote to memory of 2128	2696	7zFM.exe	35
PID 2696 wrote to memory of 2128	2696	7zFM.exe	35
PID 2128 wrote to memory of 2252	2128	Venom v6.0.3.exe	36
PID 2128 wrote to memory of 2252	2128	Venom v6.0.3.exe	36
PID 2128 wrote to memory of 2252	2128	Venom v6.0.3.exe	36
PID 2128 wrote to memory of 2252	2128	Venom v6.0.3.exe	36
PID 2128 wrote to memory of 1052	2128	Venom v6.0.3.exe	37
PID 2128 wrote to memory of 1052	2128	Venom v6.0.3.exe	37
PID 2128 wrote to memory of 1052	2128	Venom v6.0.3.exe	37
PID 2128 wrote to memory of 1052	2128	Venom v6.0.3.exe	37
PID 2252 wrote to memory of 2440	2252	sistrdzthu.exe	38
PID 2252 wrote to memory of 2440	2252	sistrdzthu.exe	38
PID 2252 wrote to memory of 2440	2252	sistrdzthu.exe	38
PID 2252 wrote to memory of 2440	2252	sistrdzthu.exe	38
PID 2440 wrote to memory of 632	2440	Venom RAT + HVNC + Stealer + Grabber.exe	39
PID 2440 wrote to memory of 632	2440	Venom RAT + HVNC + Stealer + Grabber.exe	39
PID 2440 wrote to memory of 632	2440	Venom RAT + HVNC + Stealer + Grabber.exe	39
PID 2696 wrote to memory of 1968	2696	7zFM.exe	40
PID 2696 wrote to memory of 1968	2696	7zFM.exe	40
PID 2696 wrote to memory of 1968	2696	7zFM.exe	40
PID 1968 wrote to memory of 2352	1968	Venom RAT_p_.exe	41
PID 1968 wrote to memory of 2352	1968	Venom RAT_p_.exe	41
PID 1968 wrote to memory of 2352	1968	Venom RAT_p_.exe	41
PID 2696 wrote to memory of 2608	2696	7zFM.exe	42
PID 2696 wrote to memory of 2608	2696	7zFM.exe	42
PID 2696 wrote to memory of 2608	2696	7zFM.exe	42

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3_p_.rar"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\7zO88A57267\Venom v6.0.3.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO88A57267\Venom v6.0.3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\sistrdzthu.exe
    "C:\Users\Admin\AppData\Local\Temp\sistrdzthu.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\7zO88A57267\Venom RAT + HVNC + Stealer + Grabber.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO88A57267\Venom RAT + HVNC + Stealer + Grabber.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2600 -s 528
        5⤵
        
        PID:340
- - C:\Users\Admin\AppData\Local\Temp\Venomrat.exe
    "C:\Users\Admin\AppData\Local\Temp\Venomrat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2660
- C:\Users\Admin\AppData\Local\Temp\7zO88A58547\Venom v6.0.3.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO88A58547\Venom v6.0.3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\sistrdzthu.exe
    "C:\Users\Admin\AppData\Local\Temp\sistrdzthu.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\7zO88A58547\Venom RAT + HVNC + Stealer + Grabber.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO88A58547\Venom RAT + HVNC + Stealer + Grabber.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2440 -s 528
        5⤵
        
        PID:632
- - C:\Users\Admin\AppData\Local\Temp\Venomrat.exe
    "C:\Users\Admin\AppData\Local\Temp\Venomrat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- C:\Users\Admin\AppData\Local\Temp\7zO88A32CB7\Venom RAT_p_.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO88A32CB7\Venom RAT_p_.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1968 -s 528
    3⤵
    PID:2352
- C:\Users\Admin\AppData\Local\Temp\7zO88A2DCD7\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO88A2DCD7\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2608

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x174
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO88A32CB7\Venom RAT_p_.exe

Filesize
14.2MB

MD5
fb902fb0843e4f12d068b3bcd08b2e77

SHA1
96038a62a3ea6da4f11981f80ce4961ff50fbe4d

SHA256
2743f6791b5a525252a3e138d05ecda170d0fa758e1616cf96335648c572f068

SHA512
2c188572aadc906c6971ec13f0ae7b9f79c6a88a2fd34add00ee1b2d74f14cf895a86d2ba47036a1b1e7c8e00cd5adb0387baaea7fd5e5f93feaed98bb1dc6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO88A57267\Venom RAT + HVNC + Stealer + Grabber.exe

Filesize
14.2MB

MD5
3b3a304c6fc7a3a1d9390d7cbff56634

SHA1
e8bd5244e6362968f5017680da33f1e90ae63dd7

SHA256
7331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58

SHA512
7f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO88A57267\Venom v6.0.3.exe

Filesize
14.3MB

MD5
f847c6b988dcc932d1a31171160cf69e

SHA1
1b40d91ad3ef9b5e4174aec276f906fe9adda9ed

SHA256
d75d343cc6593b2cbcd2b64963d8ba7764b9517a12298baea07c0efc6252b0a8

SHA512
25dc413fa52556e7792eeea575a0654927204fb1d53b5110baee1da7f1ca67fa0c466970021ab4d173f231c41e8c321a991dd4124a0a1d6f9f8db990826087a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sistrdzthu.exe

Filesize
14.2MB

MD5
7e8d3bcd4b3ee0a20deb79e5818f06a0

SHA1
73acfa8fbe3aa5ab8372cf8d11eba9242ba4592e

SHA256
baa304c80cd2acc0df7968024a0754d560dfd2fafc14dfc6383783e3d2f8127e

SHA512
2ca9b6ec0f22d586388caf3d4da20e25ba46aac0cee7d6e98f8ddeb3cddbc346d632a3717c6902b065e6fb5d8628ff08f8a306f1ca539f905fbfb1a06f7222c9

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
\Users\Admin\AppData\Local\Temp\7zO88A2DCD7\Client.exe

Filesize
73KB

MD5
5d6802a39c1bea84e1bd3e6ba23b7bbb

SHA1
17b6040dcd0dc6c0cf794b6d95ed4da0f07ef0b9

SHA256
d1fd56cb9943f5b185c8ee52a34f7ea4d34c5091f77ea18138f1d13a8951dd5e

SHA512
55df1ab721022d363b6d454ab496b7cc542702edda0525037cc8f0c33a1d93bc50ed62be8d4b95ba1248d7fee5b806d599ddce5e3ff6a9d4464e3047a0ee799d

Download Submit
\Users\Admin\AppData\Local\Temp\Venomrat.exe

Filesize
74KB

MD5
f6cd31be1b934e979780c63ee6dca10c

SHA1
7f802a7409345d03bef6d292b91e096a97c7f25a

SHA256
c7d808cc2f536c8aef33b34415bffa55d32ecdfb23dd34ec95d76f934c40ea12

SHA512
bef7835728afb40e05a322a331b6a7a7f99b37d0dea0d883b4c0afa0e697f0801847680202d19d99f934b29d3b934a6d41a0e623945c7af469fb842354a0c6f9

Download Submit
memory/1968-70-0x0000000000810000-0x0000000001644000-memory.dmp

Filesize
14.2MB

Download
memory/2440-57-0x0000000001A00000-0x0000000002834000-memory.dmp

Filesize
14.2MB

Download
memory/2600-29-0x0000000000860000-0x0000000001694000-memory.dmp

Filesize
14.2MB

Download
memory/2608-79-0x0000000001140000-0x0000000001156000-memory.dmp

Filesize
88KB

Download
memory/2660-28-0x0000000000990000-0x00000000009A8000-memory.dmp

Filesize
96KB

Download