
Windows Analysis Report
Venom_RAT.bin.exe

Overview

General Information

Sample name: Venom_RAT.bin.exe
Analysis ID: 1644624
MD5: 4069d5435f4e98f349a862ca454bc30b
SHA1: c5a7d106631f95c7f9d5e84b1f6c6eec3e1dc31c
SHA256: 35c4a830c22df437d6881b7115631646eaac6aac844ff3d3d055d0f528866857
Tags: exe, PE, VenomRAT, user-Blu3eye

Detection

AsyncRAT, VenomRAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected VenomRAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Classification legend (from the score graphic): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
  • System is w10x64
  • Venom_RAT.bin.exe (PID: 5748 cmdline: "C:\Users\user\Desktop\Venom_RAT.bin.exe" MD5: 4069D5435F4E98F349A862CA454BC30B)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{
  "Pastebin Link": "https://pastebin.com/raw/i3NzmwEg",
  "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3",
  "Install": "false",
  "Mutex": "dwjsrlleihmlidl",
  "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz",
  "Server Signature": "KRtbBX6+OhVpmFd/MgPxJrAuARtE/V+EmWvFc0HMsLvKFXqgb1UoUFSzeow7SDLOePjhcephhGw6HR1hi0sV1M0Jaj8rWGFRWTVftjDKGkAGjYBXfeaclRpOkyUlJay8e9cO7B5LmpzDUSbHW4GNGLTMTD+iX3aqvQgvCVoDRxM="
}
{
  "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3",
  "Mutex": "dwjsrlleihmlidl",
  "Certificate": "[certificate omitted; identical to the certificate in the configuration above]",
  "Server Signature": "KRtbBX6+OhVpmFd/MgPxJrAuARtE/V+EmWvFc0HMsLvKFXqgb1UoUFSzeow7SDLOePjhcephhGw6HR1hi0sV1M0Jaj8rWGFRWTVftjDKGkAGjYBXfeaclRpOkyUlJay8e9cO7B5LmpzDUSbHW4GNGLTMTD+iX3aqvQgvCVoDRxM=",
  "External_config_on_Pastebin": "https://pastebin.com/raw/i3NzmwEg"
}
Source | Rule | Description | Author | Strings
Venom_RAT.bin.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Venom_RAT.bin.exe | rat_win_dcrat_qwqdanchun | Find DcRAT samples (qwqdanchun) based on specific strings | Sekoia.io
  • 0xf36a:$str03: Po_ng
  • 0xdf48:$str04: Pac_ket
  • 0xfb10:$str05: Perfor_mance
  • 0xfb54:$str06: Install_ed
  • 0xa4d7:$str07: get_IsConnected
  • 0xb7d5:$str08: get_ActivatePo_ng
  • 0xc8a4:$str09: isVM_by_wim_temper
  • 0xf386:$str10: save_Plugin
  • 0xf634:$str11: timeout 3 > NUL
  • 0xf6ca:$str12: ProcessHacker.exe
  • 0xf8bc:$str13: Select * from Win32_CacheMemory
Venom_RAT.bin.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0xf8bc:$q1: Select * from Win32_CacheMemory
  • 0xf8fc:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xf94a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xf998:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Source | Rule | Description | Author | Strings
00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Process Memory Space: Venom_RAT.bin.exe PID: 5748 | JoeSecurity_VenomRAT | Yara detected VenomRAT | Joe Security

Source | Rule | Description | Author | Strings
1.0.Venom_RAT.bin.exe.1f0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
1.0.Venom_RAT.bin.exe.1f0000.0.unpack | rat_win_dcrat_qwqdanchun | Find DcRAT samples (qwqdanchun) based on specific strings | Sekoia.io
  • 0xf36a:$str03: Po_ng
  • 0xdf48:$str04: Pac_ket
  • 0xfb10:$str05: Perfor_mance
  • 0xfb54:$str06: Install_ed
  • 0xa4d7:$str07: get_IsConnected
  • 0xb7d5:$str08: get_ActivatePo_ng
  • 0xc8a4:$str09: isVM_by_wim_temper
  • 0xf386:$str10: save_Plugin
  • 0xf634:$str11: timeout 3 > NUL
  • 0xf6ca:$str12: ProcessHacker.exe
  • 0xf8bc:$str13: Select * from Win32_CacheMemory
1.0.Venom_RAT.bin.exe.1f0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0xf8bc:$q1: Select * from Win32_CacheMemory
  • 0xf8fc:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xf94a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xf998:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-20T18:25:12.504509+0100 | 2052267 | 1 | Domain Observed Used for C2 Detected | 81.19.131.153 | 50037 | 192.168.2.6 | 49686 | TCP
2025-03-20T18:25:12.504509+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 81.19.131.153 | 50037 | 192.168.2.6 | 49686 | TCP

AV Detection

Source: Venom_RAT.bin.exe | Avira: detected
Source: Venom_RAT.bin.exe | Malware Configuration Extractor: VenomRAT {"Pastebin Link": "https://pastebin.com/raw/i3NzmwEg", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Install": "false", "Mutex": "dwjsrlleihmlidl", "Certificate": "[certificate omitted; identical to the certificate in the configuration above]", "Server Signature": "KRtbBX6+OhVpmFd/MgPxJrAuARtE/V+EmWvFc0HMsLvKFXqgb1UoUFSzeow7SDLOePjhcephhGw6HR1hi0sV1M0Jaj8rWGFRWTVftjDKGkAGjYBXfeaclRpOkyUlJay8e9cO7B5LmpzDUSbHW4GNGLTMTD+iX3aqvQgvCVoDRxM="}
Source: Venom_RAT.bin.exe | Malware Configuration Extractor: AsyncRAT {"Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Mutex": "dwjsrlleihmlidl", "Certificate": "[certificate omitted; identical to the certificate in the configuration above]", "Server Signature": "KRtbBX6+OhVpmFd/MgPxJrAuARtE/V+EmWvFc0HMsLvKFXqgb1UoUFSzeow7SDLOePjhcephhGw6HR1hi0sV1M0Jaj8rWGFRWTVftjDKGkAGjYBXfeaclRpOkyUlJay8e9cO7B5LmpzDUSbHW4GNGLTMTD+iX3aqvQgvCVoDRxM=", "External_config_on_Pastebin": "https://pastebin.com/raw/i3NzmwEg"}
Source: Venom_RAT.bin.exe | Virustotal: Detection: 73%
Source: Venom_RAT.bin.exe | ReversingLabs: Detection: 83%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack | String decryptor: null
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack | String decryptor: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack | String decryptor: false
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack | String decryptor: dwjsrlleihmlidl
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack | String decryptor: [certificate omitted; identical to the certificate in the configuration above]
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack | String decryptor: KRtbBX6+OhVpmFd/MgPxJrAuARtE/V+EmWvFc0HMsLvKFXqgb1UoUFSzeow7SDLOePjhcephhGw6HR1hi0sV1M0Jaj8rWGFRWTVftjDKGkAGjYBXfeaclRpOkyUlJay8e9cO7B5LmpzDUSbHW4GNGLTMTD+iX3aqvQgvCVoDRxM=
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack | String decryptor: https://pastebin.com/raw/i3NzmwEg
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack | String decryptor: false
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack | String decryptor: FEB 27 LOGS
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack | String decryptor: false
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack | String decryptor: false
Source: Venom_RAT.bin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49685 version: TLS 1.2
Source: Venom_RAT.bin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 81.19.131.153:50037 -> 192.168.2.6:49686
Source: Network traffic | Suricata IDS: 2052265 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 81.19.131.153:50037 -> 192.168.2.6:49686
Source: Network traffic | Suricata IDS: 2052267 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 81.19.131.153:50037 -> 192.168.2.6:49686
Source: unknown | DNS query: name: pastebin.com
Source: global traffic | TCP traffic: 192.168.2.6:49686 -> 81.19.131.153:50037
Source: global traffic | HTTP traffic detected:
    GET /raw/i3NzmwEg HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.20.3.235
Source: Joe Sandbox View | ASN Name: IVC-ASRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: global traffic | HTTP traffic detected:
    GET /raw/i3NzmwEg HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: Venom_RAT.bin.exe, 00000001.00000002.3654975697.0000000000759000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000026CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002659000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000026BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002718000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000024B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/i3NzmwEg
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49685 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: Venom_RAT.bin.exe, type: SAMPLE
Source: Yara match | File source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Venom_RAT.bin.exe PID: 5748, type: MEMORYSTR
Source: Venom_RAT.bin.exe, Keylogger.cs | .Net Code: KeyboardLayout

System Summary

Source: Venom_RAT.bin.exe, type: SAMPLE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings, Author: Sekoia.io
Source: Venom_RAT.bin.exe, type: SAMPLE | Matched rule: Detects executables attempting to enumerate video devices using WMI, Author: ditekSHen
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings, Author: Sekoia.io
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI, Author: ditekSHen
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Code function: 1_2_00A632C8 NtProtectVirtualMemory, 1_2_00A632C8
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Code function: 1_2_00A62E72 NtProtectVirtualMemory, 1_2_00A62E72
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Code function: 1_2_00A626F8, 1_2_00A626F8
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Code function: 1_2_00A626E7, 1_2_00A626E7
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Code function: 1_2_00A62E72, 1_2_00A62E72
Source: Venom_RAT.bin.exe, 00000001.00000002.3654665455.000000000068E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Venom_RAT.bin.exe
Source: Venom_RAT.bin.exe, 00000001.00000002.3654486265.0000000000399000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Venom_RAT.bin.exe
Source: Venom_RAT.bin.exe, 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilenameClientx86.exe" vs Venom_RAT.bin.exe
Source: Venom_RAT.bin.exe | Binary or memory string: OriginalFilenameClientx86.exe" vs Venom_RAT.bin.exe
Source: Venom_RAT.bin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Venom_RAT.bin.exe, type: SAMPLE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: Venom_RAT.bin.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: Venom_RAT.bin.exe, Settings.cs | Base64 encoded string: 'TYUFocV6D9YxoySj2TJRhf5S7a/t8t80aAI5OUYipZBEPwTuco0Zq58RoOPU5mLzbH6ZHj1o0kTgXZ1hca6J2g==', 'gHXViOdw3zxDRtCn1CwgepJ8AO5caWJqOCh/16dKkEMf4XDA/SjhrKt1eyNihG3RyTzMtsFF+ybOWhuHweKz4uim7n8jnPXQsmUXP5ggibr6+J0/m8OLuDmydzmoQ2pf', 'YkypWZDzbpWol9wgQKa0TEtDQiXsKLUg5tmWp6aSqj541bNaEOH4PodB+aQKVkoC0f7sUWwJeyfQgrpf7DA8+g==', 'uc5t+mZYCK0AgYIycrAAVHqksueSyBUMGSQqB6eP8SEMCmBXyAKHF3ICoHihmI0xd1UzIaH5MKsRx3vJ7JNPzbqKpn8Es/ol4mlhYw0jopNJRpUz2tdJbRfDun2gti9Q', 'GCXYHsoFjIrz3tdfBZercXHgMycxkr5ev+c27lLLiJCDXW45QozaNTi3aOH+LGbNlSYN/A3Bh0/hn3gfRH8pNg==', 'OFkhY+3LgoSHQ/9d63kvw86gF4BYNHCeMRKmANv4DS7WITVIki/P1UHundo91kgOUtnkxFsh776cz1XmP7xIGg=='
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/3@1/2
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | File created: C:\Users\user\AppData\Roaming\MyData
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Mutant created: \Sessions\1\BaseNamedObjects\dwjsrlleihmlidl
Source: Venom_RAT.bin.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Venom_RAT.bin.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Venom_RAT.bin.exe | Virustotal: Detection: 73%
Source: Venom_RAT.bin.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: devenum.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Venom_RAT.bin.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Venom_RAT.bin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Venom_RAT.bin.exe, ClientSocket.cs | .Net Code: Invoke System.AppDomain.Load(byte[])

Boot Survival

Source: Yara match | File source: Venom_RAT.bin.exe, type: SAMPLE
Source: Yara match | File source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Venom_RAT.bin.exe PID: 5748, type: MEMORYSTR
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: Yara match | File source: Venom_RAT.bin.exe, type: SAMPLE
          Source: Yara match | File source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Venom_RAT.bin.exe PID: 5748, type: MEMORYSTR
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
          Source: Venom_RAT.bin.exe | Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Memory allocated: A60000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Memory allocated: 24B0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Memory allocated: 44B0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Window / User API: threadDelayed 3281
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Window / User API: threadDelayed 6570
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe TID: 1144 | Thread sleep time: -21213755684765971s >= -30000s
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe TID: 6900 | Thread sleep count: 3281 > 30
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe TID: 6900 | Thread sleep count: 6570 > 30
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Thread delayed: delay time: 922337203685477
          Source: Venom_RAT.bin.exe, 00000001.00000002.3654906244.0000000000719000.00000004.00000020.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3661513503.0000000004AEF000.00000004.00000020.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3661513503.0000000004ADB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: Venom_RAT.bin.exe, Keylogger.cs | Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
          Source: Venom_RAT.bin.exe, DInvokeCore.cs | Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
          Source: Venom_RAT.bin.exe, AntiProcess.cs | Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
          Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.000000000258A000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002557000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002718000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
          Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002718000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager`,
          Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.000000000258A000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002557000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002530000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe
          Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.000000000258A000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002557000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002718000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Queries volume information: C:\Users\user\Desktop\Venom_RAT.bin.exe VolumeInformation
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: Yara match | File source: Venom_RAT.bin.exe, type: SAMPLE
          Source: Yara match | File source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Venom_RAT.bin.exe PID: 5748, type: MEMORYSTR
          Source: Venom_RAT.bin.exe, 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: MSASCui.exe
          Source: Venom_RAT.bin.exe, 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: procexp.exe
          Source: Venom_RAT.bin.exe, 00000001.00000002.3654906244.0000000000719000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: Venom_RAT.bin.exe, 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: MsMpEng.exe
          Source: C:\Users\user\Desktop\Venom_RAT.bin.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
          MITRE ATT&CK Matrix (columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques are listed per tactic in matrix row order; a number in front of a technique is the report's badge for a technique triggered by this sample.
          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: 131 Windows Management Instrumentation; 2 Scheduled Task/Job; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers
          Persistence: 2 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Privilege Escalation: 1 Process Injection; 2 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
          Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 1 Process Injection; 21 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
          Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: 1 Query Registry; 241 Security Software Discovery; 2 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 24 System Information Discovery; Remote System Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: 1 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Command and Control: 1 Web Service; 11 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Commonly Used Port
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph (ID: 1644624; Sample: Venom_RAT.bin.exe; Startdate: 20/03/2025; Architecture: WINDOWS; Score: 100)
          • Process started: Venom_RAT.bin.exe
          • DNS: pastebin.com; edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; bg.microsoft.map.fastly.net
          • Connections: 81.19.131.153, 49686, 50037, IVC-ASRU, Russian Federation; pastebin.com 104.20.3.235, 443, 49685, CLOUDFLARENETUS, United States
          • Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); Connects to a pastebin service (likely for C&C); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 10 other signatures

          Source | Detection | Scanner | Label
          Venom_RAT.bin.exe | 74% | Virustotal |
          Venom_RAT.bin.exe | 83% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
          Venom_RAT.bin.exe | 100% | Avira | HEUR/AGEN.1307453
          No Antivirus matches


          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          bg.microsoft.map.fastly.net | 199.232.214.172 | true | false |  | high
          edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 208.89.73.31 | true | false |  | high
          pastebin.com | 104.20.3.235 | true | false |  | high

          Name | Malicious | Antivirus Detection | Reputation
          https://pastebin.com/raw/i3NzmwEg | false |  | high

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002659000.00000004.00000800.00020000.00000000.sdmp | false |  | high
          http://pastebin.com | Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000026CA000.00000004.00000800.00020000.00000000.sdmp | false |  | high
          https://pastebin.com | Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000026BF000.00000004.00000800.00020000.00000000.sdmp | false |  | high

          IP | Domain | Country | ASN | ASN Name | Malicious
          104.20.3.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false
          81.19.131.153 | unknown | Russian Federation | 24658 | IVC-ASRU | true
          Joe Sandbox version: 42.0.0 Malachite
          Analysis ID: 1644624
          Start date and time: 2025-03-20 18:24:13 +01:00
          Joe Sandbox product: CloudBasic
          Overall analysis duration: 0h 7m 0s
          Hypervisor based Inspection enabled: false
          Report type: full
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of new started processes analysed: 12
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Sample name: Venom_RAT.bin.exe
          Detection: MAL
          Classification: mal100.troj.spyw.evad.winEXE@1/3@1/2
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 11
          • Number of non-executed functions: 1
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Override analysis time to 240000 for current running targets taking high CPU consumption
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 208.89.73.31, 184.31.69.3, 20.12.23.50
          • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed; the report is missing behavior information
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtReadVirtualMemory calls found.

          Time | Type | Description
          13:25:12 | API Interceptor | 8741975x Sleep call for process: Venom_RAT.bin.exe modified
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            3b5074b1b5d032e5620f69f9f700ff0ehttps://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exeGet hashmaliciousUnknownBrowse
                            • 104.20.3.235
                            ZW01_20-03-25.batGet hashmaliciousRemcos, GuLoaderBrowse
                            • 104.20.3.235
                            z37awb_dhl_docu.batGet hashmaliciousGuLoaderBrowse
                            • 104.20.3.235
                            milkmaidproductsareveryniceforentiretimetogivemebest.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                            • 104.20.3.235
                            givingbestthingsalwaysfor.htaGet hashmaliciousCobalt Strike, AgentTeslaBrowse
                            • 104.20.3.235
                            132439.ps1Get hashmaliciousLummaC StealerBrowse
                            • 104.20.3.235
                            32wq2q.ps1Get hashmaliciousLummaC StealerBrowse
                            • 104.20.3.235
                            compited.ps1Get hashmaliciousUnknownBrowse
                            • 104.20.3.235
                            google.meet-join.us.ps1Get hashmaliciousNetSupport RATBrowse
                            • 104.20.3.235
                            SAHD7800989000.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                            • 104.20.3.235
                            No context
                             Process: C:\Users\user\Desktop\Venom_RAT.bin.exe
                             File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 73305 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                             Category: dropped
                             Size (bytes): 73305
                             Entropy (8bit): 7.996028107841645
                             Encrypted: true
                             SSDEEP: 1536:krha8mqJ7v3CeFMz/akys7nSTK7QMuK+C/Oh5:kAOFq+Mba9Ok7C/O/
                             MD5: 83142242E97B8953C386F988AA694E4A
                             SHA1: 833ED12FC15B356136DCDD27C61A50F59C5C7D50
                             SHA-256: D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755
                             SHA-512: BB6DA177BD16D163F377D9B4C63F6D535804137887684C113CC2F643CEAB4F34338C06B5A29213C23D375E95D22EF417EAC928822DFB3688CE9E2DE9D5242D10
                             Malicious: false
                             Reputation: moderate, very likely benign file
                             Preview:

                             Process: C:\Users\user\Desktop\Venom_RAT.bin.exe
                             File Type: data
                             Category: dropped
                             Size (bytes): 330
                             Entropy (8bit): 3.189712167018517
                             Encrypted: false
                             SSDEEP: 6:kKWsYEGmcvSN+SkQlPlEGYRMY9z+4KlDA3RUeqpGVuys1:edEGmCkPlE99SNxAhUeq8S
                             MD5: 834A6C33A9D6E72C16E5751CCE8DBBF0
                             SHA1: 9BAA1119C5805097A90FC32C14BD06AB4A92C983
                             SHA-256: E86499A6CF30B994A562180ED37E01E9C4F443EF7C3827AC5CF58BD803A5B427
                             SHA-512: 63C44F374031ACBFFBFA96D00D18FCA93E92881769D8980DA5EBBE1B8FC439899AC9A8C77837B5889547F765A1A5EEB27812FC3C13F11073001F76FE3A1F7BFF
                             Malicious: false
                             Reputation: low
                             Preview: p...... .........y.....(....................................................... ..................(...........Y...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".6.4.2.7.f.6.c.2.b.7.8.7.d.b.1.:.0."...

                             Process: C:\Users\user\Desktop\Venom_RAT.bin.exe
                             File Type: ASCII text
                             Category: dropped
                             Size (bytes): 8
                             Entropy (8bit): 2.75
                             Encrypted: false
                             SSDEEP: 3:Rt:v
                             MD5: CF759E4C5F14FE3EEC41B87ED756CEA8
                             SHA1: C27C796BB3C2FAC929359563676F4BA1FFADA1F5
                             SHA-256: C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
                             SHA-512: C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B
                             Malicious: false
                             Reputation: moderate, very likely benign file
                             Preview: .5.False

                             File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                             Entropy (8bit): 5.803696030455237
                             TrID:
                             • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                             • Win32 Executable (generic) a (10002005/4) 49.75%
                             • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                             • Windows Screen Saver (13104/52) 0.07%
                             • Generic Win/DOS Executable (2004/3) 0.01%
                             File name: Venom_RAT.bin.exe
                             File size: 75'776 bytes
                             MD5: 4069d5435f4e98f349a862ca454bc30b
                             SHA1: c5a7d106631f95c7f9d5e84b1f6c6eec3e1dc31c
                             SHA256: 35c4a830c22df437d6881b7115631646eaac6aac844ff3d3d055d0f528866857
                             SHA512: 44db701300e244ad7566c0edbc89cf6fa65ca75749c9d84ddd2881440e54ddf4d0f2dd080a5736e21f4fd618f7dabdfc0352a90e953a796eac715c5a283eb27f
                             SSDEEP: 1536:IUk0cxVGlCBiPMVSI6eMILU1bv/T2SksK0Qzc67VclN:IURcxVMWiPMVndU1bvSSfHQLxY
                             TLSH: 3473390237E88D29E3AE47B9ACF211070EF4D5576116DE5E3CC440CE5A67BC99A037EA
                             File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c............................~4... ...@....@.. ....................................@................................
                             Icon Hash: 90cececece8e8eb0
                             Entrypoint: 0x41347e
                             Entrypoint Section: .text
                             Digitally signed: false
                             Imagebase: 0x400000
                             Subsystem: windows gui
                             Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                             DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                             Time Stamp: 0x63E41DD4 [Wed Feb 8 22:10:28 2023 UTC]
                             TLS Callbacks:
                             CLR (.Net) Version:
                             OS Version Major: 4
                             OS Version Minor: 0
                             File Version Major: 4
                             File Version Minor: 0
                             Subsystem Version Major: 4
                             Subsystem Version Minor: 0
                             Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                             Name | Virtual Address | Virtual Size | Is in Section
                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13430 | 0x4b | .text
                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0xdf7 | .rsrc
                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16000 | 0xc | .reloc
                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                             .text | 0x2000 | 0x11484 | 0x11600 | 8716019aa1cbd92372f0a8d99f77326f | False | 0.4828715152877698 | data | 5.830777450535218 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                             .rsrc | 0x14000 | 0xdf7 | 0xe00 | af2b4fe7f2686637f8e50253cee78069 | False | 0.4037388392857143 | data | 5.1161120256832735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                             .reloc | 0x16000 | 0xc | 0x200 | e00605145d8e954818113d40af9e9488 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                             Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                             RT_VERSION | 0x140a0 | 0x2d4 | data | | | 0.44613259668508287
                             RT_MANIFEST | 0x14374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40245261984392416

                             DLL | Import
                             mscoree.dll | _CorExeMain

                             Description | Data
                             Translation | 0x0000 0x04b0
                             Comments |
                             CompanyName |
                             FileDescription |
                             FileVersion | 6.0.1
                             InternalName | Clientx86.exe
                             LegalCopyright |
                             LegalTrademarks |
                             OriginalFilename | Clientx86.exe
                             ProductName |
                             ProductVersion | 6.0.1
                             Assembly Version | 6.0.1.0


                             Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                             2025-03-20T18:25:12.504509+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 81.19.131.153 | 50037 | 192.168.2.6 | 49686 | TCP
                             2025-03-20T18:25:12.504509+0100 | 2052265 | ET MALWARE Observed Malicious SSL Cert (VenomRAT) | 1 | 81.19.131.153 | 50037 | 192.168.2.6 | 49686 | TCP
                             2025-03-20T18:25:12.504509+0100 | 2052267 | ET MALWARE Observed Malicious SSL Cert (VenomRAT) | 1 | 81.19.131.153 | 50037 | 192.168.2.6 | 49686 | TCP
                            • Total Packets: 128
                            • 50037 undefined
                            • 443 (HTTPS)
                            • 53 (DNS)
                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Mar 20, 2025 18:27:41.032358885 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:27:41.254889965 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:27:41.254952908 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:27:41.485409021 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:27:53.193494081 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:27:53.440855026 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:27:53.440937996 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:27:53.622277975 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:27:53.677223921 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:27:53.854223967 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:27:53.855751038 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:27:54.081367970 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:27:54.081423998 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:27:54.300364017 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:27:56.818577051 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:27:57.048976898 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:27:57.049072981 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:27:57.236558914 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:27:57.286652088 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:27:57.472599983 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:27:57.477555037 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:27:57.709147930 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:27:57.709240913 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:27:57.942925930 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:10.755740881 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:10.987387896 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:10.987643003 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:11.165363073 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:11.208496094 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:11.385848999 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:11.387927055 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:11.611160994 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:11.611303091 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:11.831183910 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:24.704592943 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:25.005330086 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:25.189152002 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:25.239691973 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:25.420392990 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:25.422533035 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:25.642640114 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:25.642692089 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:25.863764048 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:38.647582054 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:38.876245975 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:38.876297951 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:39.057419062 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:39.099140882 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:39.279295921 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:39.282361031 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:39.509650946 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:39.509865046 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:39.743643045 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:42.912916899 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:43.143769979 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:43.144203901 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:43.324831009 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:43.380433083 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:43.557915926 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:43.562614918 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:43.788074017 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:43.788203955 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:44.025413990 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:56.849570990 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:57.081937075 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:57.082010984 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:57.262042046 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:57.302242994 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:57.481581926 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:57.483140945 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:57.707835913 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:28:57.707902908 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:28:57.941905975 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:29:10.794295073 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:29:11.017815113 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:29:11.017874002 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:29:11.205595970 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:29:11.255378962 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:29:11.440926075 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:29:11.443197012 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:29:11.676271915 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:29:11.676362038 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:29:11.905774117 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:29:13.833818913 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:29:14.070224047 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:29:14.070281982 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:29:14.251260042 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:29:14.302241087 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:29:14.482305050 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:29:14.483025074 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:29:14.706134081 CET500374968681.19.131.153192.168.2.6
                            Mar 20, 2025 18:29:14.706254959 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:29:15.021089077 CET4968650037192.168.2.681.19.131.153
                            Mar 20, 2025 18:29:15.201967001 CET500374968681.19.131.153192.168.2.6
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Mar 20, 2025 18:25:10.851638079 CET | 49326 | 53 | 192.168.2.6 | 1.1.1.1
                            Mar 20, 2025 18:25:10.963058949 CET | 53 | 49326 | 1.1.1.1 | 192.168.2.6
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Mar 20, 2025 18:25:10.851638079 CET | 192.168.2.6 | 1.1.1.1 | 0x9019 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Mar 20, 2025 18:25:10.963058949 CET | 1.1.1.1 | 192.168.2.6 | 0x9019 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 18:25:10.963058949 CET | 1.1.1.1 | 192.168.2.6 | 0x9019 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 18:25:10.963058949 CET | 1.1.1.1 | 192.168.2.6 | 0x9019 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 18:25:13.138247967 CET | 1.1.1.1 | 192.168.2.6 | 0x7aaf | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.31 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 18:25:13.138247967 CET | 1.1.1.1 | 192.168.2.6 | 0x7aaf | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.29 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 18:25:13.138247967 CET | 1.1.1.1 | 192.168.2.6 | 0x7aaf | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.27 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 18:25:13.138247967 CET | 1.1.1.1 | 192.168.2.6 | 0x7aaf | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.19 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 18:25:13.138247967 CET | 1.1.1.1 | 192.168.2.6 | 0x7aaf | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.17 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 18:25:13.138247967 CET | 1.1.1.1 | 192.168.2.6 | 0x7aaf | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.23 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 18:25:13.138247967 CET | 1.1.1.1 | 192.168.2.6 | 0x7aaf | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.25 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 18:25:13.138247967 CET | 1.1.1.1 | 192.168.2.6 | 0x7aaf | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.21 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 18:25:24.026901960 CET | 1.1.1.1 | 192.168.2.6 | 0x6e8f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                            Mar 20, 2025 18:25:24.026901960 CET | 1.1.1.1 | 192.168.2.6 | 0x6e8f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                            • pastebin.com
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.6 | 49685 | 104.20.3.235 | 443 | 5748 | C:\Users\user\Desktop\Venom_RAT.bin.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-20 17:25:11 UTC | 74 | OUT | GET /raw/i3NzmwEg HTTP/1.1
                                Host: pastebin.com
                                Connection: Keep-Alive
                            2025-03-20 17:25:11 UTC | 388 | IN | HTTP/1.1 200 OK
                                Date: Thu, 20 Mar 2025 17:25:11 GMT
                                Content-Type: text/plain; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                x-frame-options: DENY
                                x-content-type-options: nosniff
                                x-xss-protection: 1;mode=block
                                cache-control: public, max-age=1801
                                CF-Cache-Status: MISS
                                Last-Modified: Thu, 20 Mar 2025 17:25:11 GMT
                                Server: cloudflare
                                CF-RAY: 9236e84a4b088c45-EWR
                            2025-03-20 17:25:11 UTC | 25 | IN | Data Raw: 31 33 0d 0a 38 31 2e 31 39 2e 31 33 31 2e 31 35 33 3a 35 30 30 33 37 0d 0a
                                Data Ascii: 1381.19.131.153:50037
                            2025-03-20 17:25:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                Data Ascii: 0


                            [Chart: process activity over time; x axis 0-200 s, y axis 0-100]

                            [Chart: process memory over time; x axis 0-200 s, y axis 0.0-30 MB]

                            [Chart: process behavior distribution; legend: File, Registry, Network]

                            Target ID: 1
                            Start time: 13:25:06
                            Start date: 20/03/2025
                            Path: C:\Users\user\Desktop\Venom_RAT.bin.exe
                            Wow64 process (32bit): true
                            Commandline: "C:\Users\user\Desktop\Venom_RAT.bin.exe"
                            Imagebase: 0x1f0000
                            File size: 75'776 bytes
                            MD5 hash: 4069D5435F4E98F349A862CA454BC30B
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                            Reputation: low
                            Has exited: false

                            Execution Graph

                            Execution Coverage:12.7%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:10.3%
                            Total number of Nodes:29
                            Total number of Limit Nodes:2
                            execution_graph 13838 a69a00 13839 a69a46 GetCurrentProcess 13838->13839 13841 a69a91 13839->13841 13842 a69a98 GetCurrentThread 13839->13842 13841->13842 13843 a69ad5 GetCurrentProcess 13842->13843 13844 a69ace 13842->13844 13845 a69b0b 13843->13845 13844->13843 13846 a69b33 GetCurrentThreadId 13845->13846 13847 a69b64 13846->13847 13848 a632c8 13849 a63316 NtProtectVirtualMemory 13848->13849 13851 a63360 13849->13851 13852 a60c48 13853 a60c68 13852->13853 13856 a63ff1 13853->13856 13854 a60e29 13857 a64030 13856->13857 13861 a647a0 13857->13861 13865 a64790 13857->13865 13858 a64092 13858->13854 13862 a647bf 13861->13862 13869 a63c2c 13862->13869 13866 a647bf 13865->13866 13867 a63c2c SetWindowsHookExW 13866->13867 13868 a647e5 13867->13868 13872 a648f0 SetWindowsHookExW 13869->13872 13871 a647e5 13872->13871 13873 a69c48 DuplicateHandle 13874 a69cde 13873->13874

                            Executed Functions

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 45 a62e72-a62eb4 46 a62eb6-a62eb8 45->46 47 a62ec0-a62ec3 45->47 48 a6322e-a6325d 46->48 49 a62ebe 46->49 47->48 50 a62ec9-a62eec 47->50 65 a63264-a63268 48->65 49->50 53 a62eee-a62ef0 50->53 54 a62ef8-a62efb 50->54 53->48 57 a62ef6 53->57 54->48 55 a62f01-a62f27 54->55 60 a62f35-a62f39 55->60 61 a62f29-a62f2d 55->61 57->55 60->48 64 a62f3f-a62f4d 60->64 61->48 63 a62f33 61->63 63->64 69 a62f4f-a62f5a 64->69 70 a62f5c-a62f64 64->70 67 a63275-a6335e NtProtectVirtualMemory 65->67 68 a6326a-a63274 65->68 97 a63367-a6338c 67->97 98 a63360-a63366 67->98 71 a62f67-a62f69 69->71 70->71 73 a62f75-a62f78 71->73 74 a62f6b-a62f6d 71->74 73->48 76 a62f7e-a62fa1 73->76 74->48 75 a62f73 74->75 75->76 79 a62fa3-a62fa5 76->79 80 a62fad-a62fb0 76->80 79->48 82 a62fab 79->82 80->48 83 a62fb6-a62fda 80->83 82->83 86 a62fe6-a62fe9 83->86 87 a62fdc-a62fde 83->87 86->48 90 a62fef-a63010 86->90 87->48 89 a62fe4 87->89 89->90 94 a63012-a63014 90->94 95 a6301c-a6301f 90->95 94->48 99 a6301a 94->99 95->48 96 a63025-a63049 95->96 103 a63055-a63058 96->103 104 a6304b-a6304d 96->104 98->97 99->96 103->48 106 a6305e-a63082 103->106 104->48 105 a63053 104->105 105->106 110 a63084-a63086 106->110 111 a6308e-a63091 106->111 110->48 112 a6308c 110->112 111->48 113 a63097-a630bb 111->113 112->113 115 a630c7-a630ca 113->115 116 a630bd-a630bf 113->116 115->48 118 a630d0-a630e3 115->118 116->48 117 a630c5 116->117 117->118 118->65 120 a630e9-a63118 118->120 121 a63124-a63127 120->121 122 a6311a-a6311c 120->122 121->48 124 a6312d-a63145 121->124 122->48 123 a63122 122->123 123->124 126 a63147-a63149 124->126 127 a63151-a63154 124->127 126->48 129 a6314f 126->129 127->48 128 a6315a-a63171 127->128 132 a63177-a6319a 128->132 133 a6321d-a63226 128->133 129->128 134 a631a6-a631a9 132->134 135 a6319c-a6319e 132->135 133->120 136 a6322c 133->136 134->48 138 a631af-a631df 134->138 135->48 137 a631a4 135->137 136->65 137->138 140 a631e7-a631ea 138->140 141 a631e1-a631e3 138->141 140->48 143 a631ec-a63209 140->143 141->48 142 a631e5 141->142 142->143 145 a63211-a63214 143->145 146 a6320b-a6320d 143->146 145->48 148 a63216-a6321b 145->148 146->48 147 a6320f 146->147 147->148 148->65
                            APIs
                            • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00A63351
                            Memory Dump Source
                            • Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd
                            Similarity
                            • API ID: MemoryProtectVirtual
                            • String ID:
                            • API String ID: 2706961497-0
                            • Opcode ID: b4cbec297b0e737b3b619da6d52fff37cef387ebbe0e19293c2b004762efc0ad
                            • Instruction ID: 0bba3ae446205ae0961c25d06040155322ac1255544995d75aff7940791c286f
                            • Opcode Fuzzy Hash: b4cbec297b0e737b3b619da6d52fff37cef387ebbe0e19293c2b004762efc0ad
                            • Instruction Fuzzy Hash: C5E1A276F002054BDF14CABD9CA03EE76F3AFD4324F688229DA55DB784DA349E02A741

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 405 a632c8-a6335e NtProtectVirtualMemory 408 a63367-a6338c 405->408 409 a63360-a63366 405->409 409->408
                            APIs
                            • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00A63351
                            Memory Dump Source
                            • Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd
                            Similarity
                            • API ID: MemoryProtectVirtual
                            • String ID:
                            • API String ID: 2706961497-0
                            • Opcode ID: 8e3faf016bc1cff1530f96bbaf03e777c0cdb16af2c31d72be01f26b574af87d
                            • Instruction ID: b81cade5482dbdd63b98f7968edc558c6802d0642318be3fb6a96f99255481ab
                            • Opcode Fuzzy Hash: 8e3faf016bc1cff1530f96bbaf03e777c0cdb16af2c31d72be01f26b574af87d
                            • Instruction Fuzzy Hash: 8121F2B1D012099FCB10DFAAD984A9EFBF5FF48310F64842AE919A7310C7759901CBA0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 585 a626f8-a6272c 586 a6272e-a62730 585->586 587 a62738-a6273b 585->587 588 a62aa6-a62ad5 586->588 590 a62736 586->590 587->588 589 a62741-a62764 587->589 605 a62adc-a62ae0 588->605 593 a62766-a62768 589->593 594 a62770-a62773 589->594 590->589 593->588 597 a6276e 593->597 594->588 596 a62779-a6279f 594->596 600 a627a1-a627a5 596->600 601 a627ad-a627b1 596->601 597->596 600->588 602 a627ab 600->602 601->588 604 a627b7-a627c5 601->604 602->604 609 a627c7-a627d2 604->609 610 a627d4-a627dc 604->610 607 a62ae2-a62aec 605->607 608 a62aed-a62c14 605->608 722 a62c1a call a626e7 608->722 723 a62c1a call a62b31 608->723 724 a62c1a call a626f8 608->724 725 a62c1a call a62c88 608->725 612 a627df-a627e1 609->612 610->612 613 a627e3-a627e5 612->613 614 a627ed-a627f0 612->614 613->588 617 a627eb 613->617 614->588 616 a627f6-a62819 614->616 620 a62825-a62828 616->620 621 a6281b-a6281d 616->621 617->616 620->588 623 a6282e-a62852 620->623 621->588 624 a62823 621->624 627 a62854-a62856 623->627 628 a6285e-a62861 623->628 624->623 627->588 630 a6285c 627->630 628->588 629 a62867-a62888 628->629 634 a62894-a62897 629->634 635 a6288a-a6288c 629->635 630->629 634->588 637 a6289d-a628c1 634->637 635->588 638 a62892 635->638 641 a628c3-a628c5 637->641 642 a628cd-a628d0 637->642 638->637 641->588 645 a628cb 641->645 642->588 644 a628d6-a628fa 642->644 648 a62906-a62909 644->648 649 a628fc-a628fe 644->649 645->644 648->588 650 a6290f-a62933 648->650 649->588 651 a62904 649->651 655 a62935-a62937 650->655 656 a6293f-a62942 650->656 651->650 655->588 658 a6293d 655->658 656->588 657 a62948-a6295b 656->657 657->605 662 a62961-a62990 657->662 658->657 664 a62992-a62994 662->664 665 a6299c-a6299f 662->665 664->588 667 a6299a 664->667 665->588 666 a629a5-a629bd 665->666 670 a629bf-a629c1 666->670 671 a629c9-a629cc 666->671 667->666 670->588 674 a629c7 670->674 671->588 673 a629d2-a629e9 671->673 672 a62c20-a62c28 675 a62c36-a62c3a 672->675 676 a62c2a-a62c2c 672->676 686 a62a95-a62a9e 673->686 687 a629ef-a62a12 673->687 674->673 677 a62c46-a62c4d 675->677 678 a62c3c-a62c43 675->678 676->675 680 a62c4f-a62c58 677->680 681 a62c7b-a62c9b 677->681 682 a62c66-a62c78 680->682 683 a62c5a-a62c5c 680->683 726 a62c9c call a626e7 681->726 727 a62c9c call a62b31 681->727 728 a62c9c call a626f8 681->728 729 a62c9c call a62c88 681->729 683->682 686->662 689 a62aa4 686->689 690 a62a14-a62a16 687->690 691 a62a1e-a62a21 687->691 688 a62ca2-a62ca4 692 a62ca6-a62cb9 688->692 693 a62cc5-a62d1b call a62d62 688->693 689->605 690->588 695 a62a1c 690->695 691->588 694 a62a27-a62a57 691->694 701 a62cbf-a62cc2 692->701 713 a62d1d-a62d1f 693->713 714 a62d2b-a62d60 693->714 699 a62a5f-a62a62 694->699 700 a62a59-a62a5b 694->700 695->694 699->588 703 a62a64-a62a81 699->703 700->588 704 a62a5d 700->704 707 a62a83-a62a85 703->707 708 a62a89-a62a8c 703->708 704->703 707->588 711 a62a87 707->711 708->588 710 a62a8e-a62a93 708->710 710->605 711->710 715 a62d27-a62d2a 713->715 722->672 723->672 724->672 725->672 726->688 727->688 728->688 729->688
                            Memory Dump Source
                            • Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cb8e4f167dd0d9caab6dfb83f07d5cf74e5cd4936de82b7b460df5fd30f203fe
                            • Instruction ID: 8e333f40e4fd3410cb8fd86baa3c6c31e11015c144120740183a9464a2a39bd9
                            • Opcode Fuzzy Hash: cb8e4f167dd0d9caab6dfb83f07d5cf74e5cd4936de82b7b460df5fd30f203fe
                            • Instruction Fuzzy Hash: C602B031B006068BDB14DBBC8C907AE76B3AFD8360F69823AD655DB3C5EA74DD029741

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 00A69A7E
                            • GetCurrentThread.KERNEL32 ref: 00A69ABB
                            • GetCurrentProcess.KERNEL32 ref: 00A69AF8
                            • GetCurrentThreadId.KERNEL32 ref: 00A69B51
                            Memory Dump Source
                            • Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: ed1a427613d95e19b54d9d457a78ae2e1ce218384f24e40ee3318659af76a0ff
                            • Instruction ID: 08928563a5a0cd791c48b9a1a14bc30bc8ebb194f43849e587aa572eda14e233
                            • Opcode Fuzzy Hash: ed1a427613d95e19b54d9d457a78ae2e1ce218384f24e40ee3318659af76a0ff
                            • Instruction Fuzzy Hash: 775197B1900209CFDB14CFA9D548BAEBBF5EF88304F248459E119B7360D778A944CF65

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 00A69A7E
                            • GetCurrentThread.KERNEL32 ref: 00A69ABB
                            • GetCurrentProcess.KERNEL32 ref: 00A69AF8
                            • GetCurrentThreadId.KERNEL32 ref: 00A69B51
                            Memory Dump Source
                            • Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 0bccda986e64ec52ff10643e7bcb721beed1270ce061dcb1344358ca5dcdac77
                            • Instruction ID: f677cfe9e0d2a3975e3b54065af05b11a8e113b3786ab9e51641615edc5d212e
                            • Opcode Fuzzy Hash: 0bccda986e64ec52ff10643e7bcb721beed1270ce061dcb1344358ca5dcdac77
                            • Instruction Fuzzy Hash: E35196B1900209CFDB14CFA9C548BAEBBF5EF88304F248059E019B73A0D778A944CF66

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 414 a69c40-a69cdc DuplicateHandle 415 a69ce5-a69d02 414->415 416 a69cde-a69ce4 414->416 416->415
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A69CCF
                            Memory Dump Source
                            • Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0

                            Control-flow Graph
                            • Basic blocks: a69c48-a69cdc (calls DuplicateHandle), a69cde-a69ce4, a69ce5-a69d02. Edges: a69c48 -> a69ce5, a69c48 -> a69cde, a69cde -> a69ce5 (both paths after the DuplicateHandle call rejoin at a69ce5).
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A69CCF
                            Memory Dump Source
                            • Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0

                            Control-flow Graph
                            • Basic blocks: a63c2c-a6493a (entry), a6493c, a64944, a64946-a64978 (calls SetWindowsHookExW), a6497a-a64980, a64981-a649a6. Edges: a63c2c -> a64946, a63c2c -> a6493c, a6493c -> a64944, a64944 -> a64946, a64946 -> a64981, a64946 -> a6497a, a6497a -> a64981 (both paths after the hook installation rejoin at a64981).
                            APIs
                            • SetWindowsHookExW.USER32(00A045D0,00000000,?,?), ref: 00A6496B
                            Memory Dump Source
                            • Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd
                            Similarity
                            • API ID: HookWindows
                            • String ID:
                            • API String ID: 2559412058-0

                            Control-flow Graph
                            • Basic blocks: a648e8-a6493a (entry), a6493c, a64944, a64946-a64978 (calls SetWindowsHookExW), a6497a-a64980, a64981-a649a6. Edges: a648e8 -> a64946, a648e8 -> a6493c, a6493c -> a64944, a64944 -> a64946, a64946 -> a64981, a64946 -> a6497a, a6497a -> a64981 (both paths after the hook installation rejoin at a64981).
                            APIs
                            • SetWindowsHookExW.USER32(00A045D0,00000000,?,?), ref: 00A6496B
                            Memory Dump Source
                            • Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd
                            Similarity
                            • API ID: HookWindows
                            • String ID:
                            • API String ID: 2559412058-0
                            Memory Dump Source
                            • Source File: 00000001.00000002.3655428254.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a0d000_Venom_RAT.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.3655428254.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a0d000_Venom_RAT.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:

                            Non-executed Functions

                            Memory Dump Source
                            • Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: