asyncrat | cde9c5a301e15dd10db1a9747fc95004b793c538f2ff4f9c05e52955b666b564

Resubmissions

06-02-2025 14:12

250206-rh1kwaypdk 10

27-01-2025 23:39

250127-3ndh3szje1 10

27-01-2025 23:31

250127-3hqapayrby 10

27-01-2025 23:17

250127-29nqhayngz 10

Analysis

max time kernel
242s
max time network
251s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-01-2025 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Venom RAT + HVNC + Stealer + Grabber.exe
Size

14.2MB
MD5

3b3a304c6fc7a3a1d9390d7cbff56634
SHA1

e8bd5244e6362968f5017680da33f1e90ae63dd7
SHA256

7331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
SHA512

7f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5
SSDEEP

196608:Nja6chUZX81lbFklbYJygrP7aIBhLkNPFCZZwiJl1NLIsPA8fxvuIMzd/95UhS14:qT+P+Zw6NLIsFfskh1BmXG04

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

Mutex

ewbfdjhdsdfpjk

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001a00000002acf2-70.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
660	Client.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "228"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000004759495e12004170704461746100400009000400efbe4759495e3b5a7abd2e000000345702000000010000000000000000000000000000001b5946004100700070004400610074006100000016000000	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000003b5a85bd10004c6f63616c003c0009000400efbe4759495e3b5a85bd2e00000048570200000001000000000000000000000000000000c6c196004c006f00630061006c00000014000000	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000047598e66100041646d696e003c0009000400efbe4759495e3b5a7abd2e0000002957020000000100000000000000000000000000000021582b01410064006d0069006e00000014000000	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e003100000000003b5a7abd100054656d7000003a0009000400efbe4759495e3b5a7abd2e000000495702000000010000000000000000000000000000007679c500540065006d007000000014000000	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\Registry\User\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\NotificationData	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000004759495e1100557365727300640009000400efbec5522d603b5a7abd2e0000006c0500000000010000000000000000003a0000000000f644520055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000000a343014af18db018b93ce0ab718db014ff6d00ab718db0114000000	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Venom RAT + HVNC + Stealer + Grabber.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Venom RAT + HVNC + Stealer + Grabber.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Venom RAT + HVNC + Stealer + Grabber.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe
660	Client.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2624	Venom RAT + HVNC + Stealer + Grabber.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	Venom RAT + HVNC + Stealer + Grabber.exe
Token: SeDebugPrivilege	660	Client.exe
Token: SeShutdownPrivilege	4316	shutdown.exe
Token: SeRemoteShutdownPrivilege	4316	shutdown.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
660	Client.exe
660	Client.exe
660	Client.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
2624	Venom RAT + HVNC + Stealer + Grabber.exe
660	Client.exe
2364	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 1340	660	Client.exe	86
PID 660 wrote to memory of 1340	660	Client.exe	86
PID 1340 wrote to memory of 4316	1340	cmd.exe	88
PID 1340 wrote to memory of 4316	1340	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2292

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\system32\shutdown.exe
    Shutdown /s /f /t 00
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4316

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a0b055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Server\Venom_RAT_+_HVNC_+_Steale_Url_hfvp5p1rhhwhiply0vdltrgybx1zwz4h\6.0.3.1\qacjfzar.newcfg

Filesize
2KB

MD5
fd7794c3066e5a39416a25ba93515187

SHA1
78bbd2f666c2944849ef25c5b2570a7e44fac5f8

SHA256
e7084c0eb6e88191879a75e75ca9cc96ae9b880b8b47729e0f52b73089fb68cd

SHA512
987293bc6417054acddd43d431ae4e0fe4afe45aeb7bb4342fea34b42100d2bb549517423ab0eb6ee4c88c0c9a00ce25fdd9228c237492a6a5e1d80aaf1f7b65

Download Submit
C:\Users\Admin\AppData\Local\Server\Venom_RAT_+_HVNC_+_Steale_Url_hfvp5p1rhhwhiply0vdltrgybx1zwz4h\6.0.3.1\user.config

Filesize
1KB

MD5
3fb8d2a2cd510948957ef43af5de1a6a

SHA1
165c56b69c45db04546436b8cfcd21bf543fe1e3

SHA256
095a2b7ce003847ea27f3eb98eca1c5bf9098c194c137c550bed549fe8d46306

SHA512
ddf025953f0487612cab831866ce03285aa810a406d0a92d4491a2d26c7eaba2c4108c230309732a7ab6184c1578419164afe2fdc8e0179d8584bfbc7e75f1c6

Download Submit
C:\Users\Admin\AppData\Local\Server\Venom_RAT_+_HVNC_+_Steale_Url_hfvp5p1rhhwhiply0vdltrgybx1zwz4h\6.0.3.1\user.config

Filesize
1KB

MD5
ec49b7f5618d420d4c61a527d52c2638

SHA1
4c627db09339ea9d8266671a866140c5c9377c89

SHA256
1e5fc255b1d6ff6b9fcb242f9aade5db7d5ce869a7bad4a216cf92c90f239def

SHA512
d33bbc0e55aa55a52b12a476d570bc2f2bb649313d416d94cd7bf73c0e76bdbf016b8cecf2eb3aaafb490e36238a8bec3e41e88201b65d032daaed757ddabd6c

Download Submit
C:\Users\Admin\Desktop\Client.exe

Filesize
74KB

MD5
01aa901a3358036bdc2c4e81f358f08f

SHA1
56f005bf39a26ea6e7fc9723831ab74dd88e7f30

SHA256
9648ff5387313b77589afe1cac9e6671c1dd3f46429a9cccab9711131742acce

SHA512
93633214ad60d2a98a9c7a98d8c1ad9cfdca58ae1b984f403d43a8e159fa8e16cad6d3724e02b1c45b91033b1668b1d6a4169ed5f9c7bc3678517457315d46bb

Download Submit
memory/660-125-0x000000001C290000-0x000000001C2F6000-memory.dmp

Filesize
408KB

Download
memory/660-107-0x000000001C140000-0x000000001C18C000-memory.dmp

Filesize
304KB

Download
memory/660-104-0x000000001C440000-0x000000001C45E000-memory.dmp

Filesize
120KB

Download
memory/660-103-0x0000000002800000-0x000000000280E000-memory.dmp

Filesize
56KB

Download
memory/660-102-0x000000001C4C0000-0x000000001C536000-memory.dmp

Filesize
472KB

Download
memory/660-71-0x0000000000670000-0x0000000000688000-memory.dmp

Filesize
96KB

Download
memory/2624-10-0x000002CCB2F40000-0x000002CCB32DC000-memory.dmp

Filesize
3.6MB

Download
memory/2624-9-0x000002CCB3B20000-0x000002CCB41B2000-memory.dmp

Filesize
6.6MB

Download
memory/2624-12-0x000002CCAF7D0000-0x000002CCAF7F0000-memory.dmp

Filesize
128KB

Download
memory/2624-13-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/2624-14-0x000002CCB4AE0000-0x000002CCB4CF2000-memory.dmp

Filesize
2.1MB

Download
memory/2624-15-0x00007FFA87763000-0x00007FFA87765000-memory.dmp

Filesize
8KB

Download
memory/2624-16-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/2624-17-0x000002CCB44A0000-0x000002CCB454A000-memory.dmp

Filesize
680KB

Download
memory/2624-18-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/2624-21-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/2624-22-0x000002CCB0610000-0x000002CCB061A000-memory.dmp

Filesize
40KB

Download
memory/2624-23-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/2624-26-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/2624-27-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/2624-28-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/2624-29-0x000002CCB7720000-0x000002CCB7844000-memory.dmp

Filesize
1.1MB

Download
memory/2624-0-0x00007FFA87763000-0x00007FFA87765000-memory.dmp

Filesize
8KB

Download
memory/2624-11-0x000002CCB4650000-0x000002CCB4AD4000-memory.dmp

Filesize
4.5MB

Download
memory/2624-48-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/2624-8-0x000002CCB3360000-0x000002CCB3B1E000-memory.dmp

Filesize
7.7MB

Download
memory/2624-6-0x000002CCAFF80000-0x000002CCB0058000-memory.dmp

Filesize
864KB

Download
memory/2624-74-0x000002CCB7C30000-0x000002CCB7CE2000-memory.dmp

Filesize
712KB

Download
memory/2624-75-0x000002CCB7BA0000-0x000002CCB7BC2000-memory.dmp

Filesize
136KB

Download
memory/2624-7-0x000002CCAF500000-0x000002CCAF550000-memory.dmp

Filesize
320KB

Download
memory/2624-5-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/2624-4-0x000002CCAF570000-0x000002CCAF7C2000-memory.dmp

Filesize
2.3MB

Download
memory/2624-3-0x000002CCAF830000-0x000002CCAFD42000-memory.dmp

Filesize
5.1MB

Download
memory/2624-110-0x000002CCBAF00000-0x000002CCBAF4A000-memory.dmp

Filesize
296KB

Download
memory/2624-109-0x000002CCB8870000-0x000002CCB888A000-memory.dmp

Filesize
104KB

Download
memory/2624-108-0x000002CCBAEB0000-0x000002CCBAEF8000-memory.dmp

Filesize
288KB

Download
memory/2624-2-0x000002CCB0620000-0x000002CCB1A24000-memory.dmp

Filesize
20.0MB

Download
memory/2624-1-0x000002CC93F40000-0x000002CC94D74000-memory.dmp

Filesize
14.2MB

Download
memory/2624-126-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download