Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/01/2025, 23:37
Behavioral task: behavioral1
- Sample: Venom 2.8 CRACKED - FINAL/VenomRemote_Cracked.exe
- Resource: win7-20240903-en
General
- Target: Venom 2.8 CRACKED - FINAL/VenomRemote_Cracked.exe
- Size: 38.5MB
- MD5: 83626a159e3399dc2bec680220ba8969
- SHA1: c8fb91953976291310ddc645e2b9275277c57ec2
- SHA256: 0e59d8a36fc73b40178732c2e9dec9143ceb3dfd590547221dbce65983042141
- SHA512: 6640d88a9aff7507d8372317e34422aa7a493d00194c945c2292d20445e0e0b6a0004ef90e8c263fe683b352292d89b28bdcb5fa4135be4333d4ef7076119f09
- SSDEEP: 393216:OFdlmXJTD1jJTDQMvfOjmM27kv1Bx0bQox/UlGkNCoIZZJTD2Mm1Zg6YH3mH1gfB:GLxMvDUjCbQa/O11t1Zg6kmH1gEEE
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 2384, process VenomRemote_Cracked.exe

- Obfuscated with Agile.Net obfuscator (38 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource / yara_rule:
  - behavioral1/memory/2384-1-0x0000000000A20000-0x00000000030B0000-memory.dmp agile_net
  - behavioral1/memory/2384-7-0x0000000008710000-0x000000000876A000-memory.dmp agile_net
  - behavioral1/memory/2384-14-0x000000000A850000-0x000000000A8BE000-memory.dmp agile_net
  - behavioral1/memory/2384-15-0x0000000006A20000-0x0000000006A2E000-memory.dmp agile_net
  - behavioral1/memory/2384-17-0x000000000C480000-0x000000000C574000-memory.dmp agile_net
  - behavioral1/memory/2384-25-0x0000000011360000-0x0000000011548000-memory.dmp agile_net
  - behavioral1/memory/2384-34-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-87-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-35-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-95-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-93-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-91-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-89-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-85-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-83-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-81-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-79-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-77-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-75-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-73-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-71-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-69-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-67-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-65-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-63-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-61-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-59-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-57-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-55-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-53-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-51-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-49-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-47-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-45-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-43-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-41-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-39-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
  - behavioral1/memory/2384-37-0x0000000011360000-0x0000000011544000-memory.dmp agile_net
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: VenomRemote_Cracked.exe
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid 2384, process VenomRemote_Cracked.exe (54 occurrences)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2384, process VenomRemote_Cracked.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid 2384, process VenomRemote_Cracked.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2384, process VenomRemote_Cracked.exe

- Suspicious use of SendNotifyMessage (1 IoC)
  pid 2384, process VenomRemote_Cracked.exe
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\Venom 2.8 CRACKED - FINAL\VenomRemote_Cracked.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Venom 2.8 CRACKED - FINAL\VenomRemote_Cracked.exe"
  Signatures:
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2384
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 136KB
  MD5: 9af5eb006bb0bab7f226272d82c896c7
  SHA1: c2a5bb42a5f08f4dc821be374b700652262308f0
  SHA256: 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
  SHA512: 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

- Filesize: 475B
  MD5: d09aa30a9db577b6ef7a4ac13dc8a5be
  SHA1: 2c437a903c46dfde529edf0c5c5fa60c92654c4e
  SHA256: 47982a9078391d08d3a6abd2315049aa9a2ed3927333f5305e654e6f87a70035
  SHA512: 49eb85f805df47fafaffaad7a97808b8904b09ca24dfa5a6fd03c4ebc47e4641b86bff281907e4dca76678febde3557ace8dcb25b9ba5bf99cc024f9c83feac8

- Path: C:\Users\Admin\AppData\Local\VenomS\VenomRemote_Cracked.exe_Url_blfedaw4wjnv4jfq1mpvnvpgb3sjck12\2.8.0.1\user.config
  Filesize: 842B
  MD5: 1f6c9231a439fbdb5984c0bdb718c68a
  SHA1: 14648ed2b2a4c87aed66eba043fe717dbe232301
  SHA256: a7f68f213d60aaa778af526aec53511e9f7d7108500e6cdf7bfb3c9831995746
  SHA512: 4084f6d23af625952f3fb1806e3ea2c5a3ef0214991699f54f8134b41d35297ac1093feb9681cb6859551dc3c91b5385a1a5e0fd518cc1fac203315f5ff414b9