Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
Venom Rat 6.0.3.7z
-
Size
73.9MB
-
Sample
250206-rh1kwaypdk
-
MD5
521bfb8702853d807e0b7bffba132a97
-
SHA1
b3f39f1a22e2ebc5bdd4085c9f9a8f887ab9813e
-
SHA256
cde9c5a301e15dd10db1a9747fc95004b793c538f2ff4f9c05e52955b666b564
-
SHA512
23ce1c46f049c4c9d197f137c05fbc80466a4f34361cb60990708f6701dcc19971b1520e898646a85e6638830d5e8fcfedc63ea123fafcd029e3ad2be6a00fe6
-
SSDEEP
1572864:uVI5gzIBQ4OZRbwhtqmF8o4hdboY/y6/twvY17cI19ffUq:4IeIa4Atotq7hJoY/p/x17T9HUq
Malware Config
Extracted
asyncrat
1.0.7
Default
95.216.52.21:7575
xdnqiaxygefjfoolgo
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
127.0.0.1:4449
kxzibaebjubiqg
-
delay
1
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
Venom Rat 6.0.3.7z
-
Size
73.9MB
-
MD5
521bfb8702853d807e0b7bffba132a97
-
SHA1
b3f39f1a22e2ebc5bdd4085c9f9a8f887ab9813e
-
SHA256
cde9c5a301e15dd10db1a9747fc95004b793c538f2ff4f9c05e52955b666b564
-
SHA512
23ce1c46f049c4c9d197f137c05fbc80466a4f34361cb60990708f6701dcc19971b1520e898646a85e6638830d5e8fcfedc63ea123fafcd029e3ad2be6a00fe6
-
SSDEEP
1572864:uVI5gzIBQ4OZRbwhtqmF8o4hdboY/y6/twvY17cI19ffUq:4IeIa4Atotq7hJoY/p/x17T9HUq
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Modifies Windows Firewall
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Network Service Discovery
Attempt to gather information on host's network.
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
2Permission Groups Discovery
1Local Groups
1Process Discovery
1Query Registry
6System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Wi-Fi Discovery
1System Network Connections Discovery
1