Edit tour

Windows Analysis Report
Venom_RAT.bin.exe

Overview

General Information

Sample name:	Venom_RAT.bin.exe
Analysis ID:	1644624
MD5:	4069d5435f4e98f349a862ca454bc30b
SHA1:	c5a7d106631f95c7f9d5e84b1f6c6eec3e1dc31c
SHA256:	35c4a830c22df437d6881b7115631646eaac6aac844ff3d3d055d0f528866857
Tags:	exePEVenomRATuser-Blu3eye
Infos:

Detection

AsyncRAT, VenomRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected VenomRAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Connects to a pastebin service (likely for C&C)

Contains functionality to log keystrokes (.Net Source)

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

Venom_RAT.bin.exe (PID: 5748 cmdline: "C:\Users\user\Desktop\Venom_RAT.bin.exe" MD5: 4069D5435F4E98F349A862CA454BC30B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: VenomRAT

{
  "Pastebin Link": "https://pastebin.com/raw/i3NzmwEg",
  "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3",
  "Install": "false",
  "Mutex": "dwjsrlleihmlidl",
  "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz",
  "Server Signature": "KRtbBX6+OhVpmFd/MgPxJrAuARtE/V+EmWvFc0HMsLvKFXqgb1UoUFSzeow7SDLOePjhcephhGw6HR1hi0sV1M0Jaj8rWGFRWTVftjDKGkAGjYBXfeaclRpOkyUlJay8e9cO7B5LmpzDUSbHW4GNGLTMTD+iX3aqvQgvCVoDRxM="
}

Threatname: AsyncRAT

{
  "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3",
  "Mutex": "dwjsrlleihmlidl",
  "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz",
  "Server Signature": "KRtbBX6+OhVpmFd/MgPxJrAuARtE/V+EmWvFc0HMsLvKFXqgb1UoUFSzeow7SDLOePjhcephhGw6HR1hi0sV1M0Jaj8rWGFRWTVftjDKGkAGjYBXfeaclRpOkyUlJay8e9cO7B5LmpzDUSbHW4GNGLTMTD+iX3aqvQgvCVoDRxM=",
  "External_config_on_Pastebin": "https://pastebin.com/raw/i3NzmwEg"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Venom_RAT.bin.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Venom_RAT.bin.exe	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xf36a:$str03: Po_ng 0xdf48:$str04: Pac_ket 0xfb10:$str05: Perfor_mance 0xfb54:$str06: Install_ed 0xa4d7:$str07: get_IsConnected 0xb7d5:$str08: get_ActivatePo_ng 0xc8a4:$str09: isVM_by_wim_temper 0xf386:$str10: save_Plugin 0xf634:$str11: timeout 3 > NUL 0xf6ca:$str12: ProcessHacker.exe 0xf8bc:$str13: Select * from Win32_CacheMemory
Venom_RAT.bin.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf8bc:$q1: Select * from Win32_CacheMemory 0xf8fc:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf94a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf998:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Venom_RAT.bin.exe PID: 5748	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.Venom_RAT.bin.exe.1f0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
1.0.Venom_RAT.bin.exe.1f0000.0.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xf36a:$str03: Po_ng 0xdf48:$str04: Pac_ket 0xfb10:$str05: Perfor_mance 0xfb54:$str06: Install_ed 0xa4d7:$str07: get_IsConnected 0xb7d5:$str08: get_ActivatePo_ng 0xc8a4:$str09: isVM_by_wim_temper 0xf386:$str10: save_Plugin 0xf634:$str11: timeout 3 > NUL 0xf6ca:$str12: ProcessHacker.exe 0xf8bc:$str13: Select * from Win32_CacheMemory
1.0.Venom_RAT.bin.exe.1f0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf8bc:$q1: Select * from Win32_CacheMemory 0xf8fc:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf94a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf998:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Suricata Signatures

ET MALWARE Observed Malicious SSL Cert (VenomRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-20T18:25:12.504509+0100	2052267	1	Domain Observed Used for C2 Detected	81.19.131.153	50037	192.168.2.6	49686	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-20T18:25:12.504509+0100	2842478	1	Malware Command and Control Activity Detected	81.19.131.153	50037	192.168.2.6	49686	TCP

Base64 encoded string: 'TYUFocV6D9YxoySj2TJRhf5S7a/t8t80aAI5OUYipZBEPwTuco0Zq58RoOPU5mLzbH6ZHj1o0kTgXZ1hca6J2g==', 'gHXViOdw3zxDRtCn1CwgepJ8AO5caWJqOCh/16dKkEMf4XDA/SjhrKt1eyNihG3RyTzMtsFF+ybOWhuHweKz4uim7n8jnPXQsmUXP5ggibr6+J0/m8OLuDmydzmoQ2pf', 'YkypWZDzbpWol9wgQKa0TEtDQiXsKLUg5tmWp6aSqj541bNaEOH4PodB+aQKVkoC0f7sUWwJeyfQgrpf7DA8+g==', 'uc5t+mZYCK0AgYIycrAAVHqksueSyBUMGSQqB6eP8SEMCmBXyAKHF3ICoHihmI0xd1UzIaH5MKsRx3vJ7JNPzbqKpn8Es/ol4mlhYw0jopNJRpUz2tdJbRfDun2gti9Q', 'GCXYHsoFjIrz3tdfBZercXHgMycxkr5ev+c27lLLiJCDXW45QozaNTi3aOH+LGbNlSYN/A3Bh0/hn3gfRH8pNg==', 'OFkhY+3LgoSHQ/9d63kvw86gF4BYNHCeMRKmANv4DS7WITVIki/P1UHundo91kgOUtnkxFsh776cz1XmP7xIGg=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/3@1/2

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

File created: C:\Users\user\AppData\Roaming\MyData

Jump to behavior

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Mutant created: \Sessions\1\BaseNamedObjects\dwjsrlleihmlidl

Source: Venom_RAT.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Venom_RAT.bin.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Venom_RAT.bin.exe	Virustotal: Detection: 73%
Source: Venom_RAT.bin.exe	ReversingLabs: Detection: 83%

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Section loaded: msvfw32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Venom_RAT.bin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Venom_RAT.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Venom_RAT.bin.exe, ClientSocket.cs

.Net Code: Invoke System.AppDomain.Load(byte[])

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: Venom_RAT.bin.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: Venom_RAT.bin.exe PID: 5748, type: MEMORYSTR

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: Venom_RAT.bin.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: Venom_RAT.bin.exe PID: 5748, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Venom_RAT.bin.exe

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Memory allocated: A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Memory allocated: 24B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Memory allocated: 44B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Window / User API: threadDelayed 3281			Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Window / User API: threadDelayed 6570			Jump to behavior

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe TID: 1144	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe TID: 6900	Thread sleep count: 3281 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe TID: 6900	Thread sleep count: 6570 > 30	Jump to behavior

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Venom_RAT.bin.exe, 00000001.00000002.3654906244.0000000000719000.00000004.00000020.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3661513503.0000000004AEF000.00000004.00000020.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3661513503.0000000004ADB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Venom_RAT.bin.exe, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: Venom_RAT.bin.exe, DInvokeCore.cs	Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: Venom_RAT.bin.exe, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)

Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.000000000258A000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002557000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002718000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002718000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`,
Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.000000000258A000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002557000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002530000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe
Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.000000000258A000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002557000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002718000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Queries volume information: C:\Users\user\Desktop\Venom_RAT.bin.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: Venom_RAT.bin.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: Venom_RAT.bin.exe PID: 5748, type: MEMORYSTR

Source: Venom_RAT.bin.exe, 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: MSASCui.exe
Source: Venom_RAT.bin.exe, 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: procexp.exe
Source: Venom_RAT.bin.exe, 00000001.00000002.3654906244.0000000000719000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Venom_RAT.bin.exe, 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	2 Scheduled Task/Job	1 Process Injection	1 Masquerading	1 Input Capture	1 Query Registry	Remote Services	1 Input Capture	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	1 DLL Side-Loading	2 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	151 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	151 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	3 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Venom_RAT.bin.exe	74%	Virustotal		Browse
Venom_RAT.bin.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
Venom_RAT.bin.exe	100%	Avira	HEUR/AGEN.1307453

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.31	true	false	high
pastebin.com	104.20.3.235	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/i3NzmwEg	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002659000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pastebin.com	Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000026CA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://pastebin.com	Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000026BF000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States		13335	CLOUDFLARENETUS	false
81.19.131.153	unknown	Russian Federation		24658	IVC-ASRU	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1644624
Start date and time:	2025-03-20 18:24:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Venom_RAT.bin.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/3@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 11 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 208.89.73.31, 184.31.69.3, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:25:12	API Interceptor	8741975x Sleep call for process: Venom_RAT.bin.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.3.235	cr_asm3.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	gabe.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_atCAD.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	5UIy3bo46y.dll	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	Lm9IJ4r9oO.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	BeginSync lnk.lnk	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	sostener.vbs	Get hash	malicious	Njrat	Browse	pastebin.com/raw/V9y5Q5vv
81.19.131.153	Purchase Order Braiconf SA #U2013 26.09.2024.bat	Get hash	malicious	AsyncRAT, Batch Injector, VenomRAT	Browse
81.19.131.153	Damage product 3.vbs	Get hash	malicious	AsyncRAT, Batch Injector, VenomRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	nylaldktrhkjad.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	boypadkthjawd.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	Talksy (1).exe	Get hash	malicious	Meduza Stealer, RHADAMANTHYS	Browse	104.20.4.235
	FluxusV7.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	FluxusV7.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.19.24
	Setup.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	172.67.19.24
	Talksy.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	Talksy.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	main.exe	Get hash	malicious	Quasar	Browse	104.20.3.235
	svchost.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	https://geminilogfine.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	208.89.73.27
	https://gg.7865522.top/	Get hash	malicious	Unknown	Browse	208.89.73.23
	bpypadkyksfdjjjs.exe	Get hash	malicious	Quasar	Browse	217.20.51.110
	NWpNjnx.exe	Get hash	malicious	Vidar	Browse	84.201.210.39
	https://flarenetdrops.com	Get hash	malicious	Unknown	Browse	217.20.57.36
	https://hwwgfsbxcy.pnsiayfas.net/	Get hash	malicious	Unknown	Browse	217.20.57.36
	https://mr8gz1a5.com/jp	Get hash	malicious	Unknown	Browse	217.20.57.20
	888.exe	Get hash	malicious	GO Backdoor	Browse	217.20.57.20
	DTG.pdf	Get hash	malicious	Unknown	Browse	84.201.210.39
	DarkStreamCloner.exe	Get hash	malicious	Unknown	Browse	217.20.57.19
bg.microsoft.map.fastly.net	t8f2gm11IC.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	2oPgf2TxXo.exe	Get hash	malicious	PureCrypter, AsyncRAT	Browse	199.232.210.172
	2oGi0ce7A9.exe	Get hash	malicious	AsyncRAT	Browse	199.232.210.172
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=r3yI_dSxOEiPJ_sFtWv0u-et2ubyS_1IvjO44TlrG4RUNU4xQUtYREpWQVhXSzJWUVMxMkwySkhRUS4u	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	http://camsapi.camsoline.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	AWB_FEDEX_SHIPPING_DOCS-20-03-2025_98767890_KOREA.pdf.vbs	Get hash	malicious	FormBook, GuLoader	Browse	199.232.210.172
	dokument wysy#U00c5 kowy faktury nr 52-FK-25.js	Get hash	malicious	FormBook	Browse	199.232.210.172
	PO-KSI89654325_PDF.js	Get hash	malicious	Unknown	Browse	199.232.214.172
	AWB_FEDEX_SHIPPING_DOCS-20-03-2025_98767890_KOREA.pdf.vbs	Get hash	malicious	FormBook, GuLoader	Browse	199.232.214.172
	PvOhS0dkw2.exe	Get hash	malicious	Rusty Stealer	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fclick.pstmrk.it%25252F3s%25252FK9w.sddsvy.es%2525252FBxNQqiw%2525252F%25252F0WHq%25252F1RW8AQ%25252FAQ%25252F106cafa4-d18e-426c-9c6b-0f673158a485%25252F1%25252FQcQNxevtyr%252F0WHq%252F1hW8AQ%252FAQ%252Ff55af109-6f88-4167-9100-4e0e08b04dca%252F1%252F7xsS23xLL0%2F0WHq%2F1xW8AQ%2FAQ%2F226957d7-6fa4-4c2e-a225-8b6a515720c4%2F1%2F4AJYmbgWvp/0WHq/1xW8AQ/AQ/479046d5-0675-43ef-af75-bb8f5d046f39/1/59AZebyk9_#a2lkZC50YW1hcmFAYWlkYi5vcmc=	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	172.67.223.82
	http://url5681.planter.eco/ls/click?upn=u001.PX1-2BssefkOe686e7wTSUMqibxN-2FCUadbAKgpTv23cYOIQxMvH9FGLuwPON-2Ft4V08mI3EhMVAoZnU-2Br4hRroTgY6212B0nGnr8aV-2B5ZtDZ10DmDDkH6mdlmAzG8M-2BiNsGPGMX1iPzlrrdaY9R4kk4qHfVergkdfGzm-2BAmGL-2FwYqLpCth-2FU-2ByXRztop6mHKwMCk43gAzvI9DCKmBcEcJQKyQ-3D-3Da5U3_GwWzR5CPD3uhhoxi7nJtY0-2BQC5TKRtJEXtldUtgGNIU9EPMkwXhPBMhFexKYRqOhYUH1k-2FQVOT9D8S6mnbGzOTVeFZqZ2eiXdrD6GdHPzzO106h29UdS-2BIz4v5acd9FnatQanlGtMNJsbvRJRS5dF6-2BMeTnNy39wilhlMfgiqmmr792hlZiyIO30hIfNO7fmE4Qvw7CYEB9aPKMoYkpeVA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.21.83.47
	Confirm PO 306, 307.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Over due Inv.msg	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	172.67.70.233
	https://sauravsadangi.com/project	Get hash	malicious	Unknown	Browse	104.19.230.21
	https://u2587569.ct.sendgrid.net/ls/click?upn=u001.tNCzvDY7Bps68NDHX050sfuZjwcZnKCiceJckL-2B-2BdtgW4S9czNQzTHuxGTDYUy2rgldwS-2FXaSK9tb15A2WijtesF9nKvyaekU8V6epmALsKFNzS6qhT8Y0hQxsOJhohPcwmraeJIKZH9TyOwWHJmFuZBAHXDHHKqUVL-2FUGP0fxMK3MBdQxp6bY6Ha8NZBWkjR7mgJ5fMAAuHlcLpVUtqCKWF7-2BW-2FrkTigMom4or-2B8m-2FS4TyrdjqGrNF-2BS24W1HEc4Nny-2FQbpl5Jr7z80HD8ERxHFxRHxDPLk-2B4YAHJEAIhKPImdnrMMiJGr9A4uEtPP39M5paIcI5sxlMhNL6z-2BKgTbMjlWBJaVVTxeufFQoFkl5u4NmsI44p17fSNIf2kHaYMMtnw0u0ApwVb9wZ3tJmp8AGgV65F1zRvnrFTPWISLatDmHGN3CKd73qRTLKmto5ZSsX3-2BwDUXMaUslNCFnOeOBvQkBDvUajrHfQmlQGD0zklpJ9WRzeYfjf4q-2Bc4Qu1Nf91VjDSdu48kXA2Z83MvwnSyKbPC863DiAR29AdxPmi1nIgYKk06DgcAWMuq2ENVqbbCQtUVgtZaYHCTljloaWego9b111Sg-2Be7K5sjWZvL10Fd-2Fe8x58DkwbvBNZsy8kmn2mGi8qVqTeWx9-2Brhlr4k1qrS1CvUmSqedu0NrwPQeaJupno6T-2Bqo-2BzulaLbvdWFreaPwNJ5CTaPVCN9fpvhUAzUS-2FlWTTCA-2FnSuCPTscXiBnW-2B4ungzp4n8Lqpuk6XGZd1rraYdTpcYsjIFBAluxLUtcFe1RkWRujzmOwPcDxwpZgxVj9TsDAzb4JrMPmBN2Sin7qgSZpDFxIb3yOVqUu9FExdB-2Fwpe-2FOokwr4-3DpRyF_1bjvdYK7b1KHhROFVKAkBz1xmR7bHmMryF9p5esfystXB0-2BtfVwIucsXMvT-2Fqo-2BHIQjngxXgRwIKf-2FhYJ8sIjYpFFD5M-2Fukd02C7xZo3-2Fu2k7S-2BJnqXyppXMorAOmA1aNkDUxa8mfRrXT4dMKgaVVsS6wu4JG1S4PFFCZ8lK9Y3x3NGX804vyB0grWdIMmAgEHrTtlgpDYkN3TtTPYHUiXDCYLXMEhj0Lko1oh6wu7o-3D	Get hash	malicious	Unknown	Browse	104.21.64.1
	https://b3rz.5m54lq.ru/A9y-e3M/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	172.67.141.81
	https://u2587569.ct.sendgrid.net/ls/click?upn=u001.tNCzvDY7Bps68NDHX050sfuZjwcZnKCiceJckL-2B-2BdtgW4S9czNQzTHuxGTDYUy2rgldwS-2FXaSK9tb15A2WijtesF9nKvyaekU8V6epmALsKFNzS6qhT8Y0hQxsOJhohPcwmraeJIKZH9TyOwWHJmFuZBAHXDHHKqUVL-2FUGP0fxMK3MBdQxp6bY6Ha8NZBWkjR7mgJ5fMAAuHlcLpVUtqCKWF7-2BW-2FrkTigMom4or-2B8m-2FS4TyrdjqGrNF-2BS24W1HEc4Nny-2FQbpl5Jr7z80HD8ERxHFxRHxDPLk-2B4YAHJEAIhKPImdnrMMiJGr9A4uEtPP39M5paIcI5sxlMhNL6z-2BKgTbMjlWBJaVVTxeufFQoFkl5u4NmsI44p17fSNIf2kHaYMMtnw0u0ApwVb9wZ3tJmp8AGgV65F1zRvnrFTPWISLatDmHGN3CKd73qRTLKmto5ZSsX3-2BwDUXMaUslNCFnOeOBvQkBDvUajrHfQmlQGD0zklpJ9WRzeYfjf4q-2Bc4Qu1Nf91VjDSdu48kXA2Z83MvwnSyKbPC863DiAR29AdxPmi1nIgYKk06DgcAWMuq2ENVqbbCQtUVgtZaYHCTljloaWego9b111Sg-2Be7K5sjWZvL10Fd-2Fe8x58DkwbvBNZsy8kmn2mGi8qVqTeWx9-2Brhlr4k1qrS1CvUmSqedu0NrwPQeaJupno6T-2Bqo-2BzulaLbvdWFreaPwNJ5CTaPVCN9fpvhUAzUS-2FlWTTCA-2FnSuCPTscXiBnW-2B4ungzp4n8Lqpuk6XGZd1rraYdTpcYsjIFBAluxLUtcFe1RkWRujzmOwPcDxwpZgxVj9TsDAzb4JrMPmBN2Sin7qgSZpDFxIb3yOVqUu9FExdB-2Fwpe-2FOokwr4-3D8A5E_-2FOI-2FxWKZBS0RBubCQDq4P71qBkOoJj9TQ-2FBNKjRykiT9mUix5aObCdsaE3X4Sh22h5PBW1VseZKNRSMsHcEXChaxx4fpyalr8S5mdNAGDIFE0BdGE6SFPQC1ze3qi3ZOs99VkecPMd3ju7N-2BWWYyJE6xPy-2FgXhUKDOj-2BkfDKJ8KqABvqtFGuxd5KhNBGU7VDh7BHPjKSbdGclNFQCojq4NR0NeZ6xwwI2wKPGRZHpHU-3D	Get hash	malicious	Unknown	Browse	104.21.80.1
	ZW01_20-03-25.bat	Get hash	malicious	Remcos, GuLoader	Browse	104.21.50.221
	http://smtp.legiteam.net/newsletters/lt.php?c=3595&m=3675&nl=1&s=ae2e0733c87747578f73487fef60fa9c&lid=128917&l=https://mardo.pk/veri?token=YnJpYW5AY2JmbG9vcnNpbmMuY29t	Get hash	malicious	Unknown	Browse	104.21.38.162
IVC-ASRU	Rozrahunok_rozpodil_operativnogo_skladu.doc.lnk	Get hash	malicious	Unknown	Browse	81.19.131.86
	raport_rozporyadzhenci.docx.lnk	Get hash	malicious	Unknown	Browse	81.19.131.86
	signal-2024-05-12-173435_001_1.jpg.lnk	Get hash	malicious	Unknown	Browse	81.19.131.86
	PBP_24godini.xls.lnk	Get hash	malicious	Unknown	Browse	81.19.131.86
	Nakaz_shchodo_perevyrky_gotovnosty_1mehbat_14.07.2024.docx.lnk	Get hash	malicious	Unknown	Browse	81.19.131.86
	signal-2024-09-06-152042_002_1.jpg.lnk	Get hash	malicious	Unknown	Browse	81.19.131.86
	Purchase Order Braiconf SA #U2013 26.09.2024.bat	Get hash	malicious	AsyncRAT, Batch Injector, VenomRAT	Browse	81.19.131.153
	Remittance Advice.htm	Get hash	malicious	HTMLPhisher	Browse	81.19.140.235
	SoftwareIdeasProffesionalSetup.msi	Get hash	malicious	DanaBot	Browse	81.19.140.67
	NetworkVoxControllerSetup.msi	Get hash	malicious	DanaBot	Browse	81.19.140.67

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://github.com/Ox47100/Remcos-RAT-v3.8.0/raw/refs/heads/main/Remcos-RAT-3.8.0.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	ZW01_20-03-25.bat	Get hash	malicious	Remcos, GuLoader	Browse	104.20.3.235
	z37awb_dhl_docu.bat	Get hash	malicious	GuLoader	Browse	104.20.3.235
	milkmaidproductsareveryniceforentiretimetogivemebest.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.20.3.235
	givingbestthingsalwaysfor.hta	Get hash	malicious	Cobalt Strike, AgentTesla	Browse	104.20.3.235
	132439.ps1	Get hash	malicious	LummaC Stealer	Browse	104.20.3.235
	32wq2q.ps1	Get hash	malicious	LummaC Stealer	Browse	104.20.3.235
	compited.ps1	Get hash	malicious	Unknown	Browse	104.20.3.235
	google.meet-join.us.ps1	Get hash	malicious	NetSupport RAT	Browse	104.20.3.235
	SAHD7800989000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.20.3.235

Process:	C:\Users\user\Desktop\Venom_RAT.bin.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 73305 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	73305
Entropy (8bit):	7.996028107841645
Encrypted:	true
SSDEEP:	1536:krha8mqJ7v3CeFMz/akys7nSTK7QMuK+C/Oh5:kAOFq+Mba9Ok7C/O/
MD5:	83142242E97B8953C386F988AA694E4A
SHA1:	833ED12FC15B356136DCDD27C61A50F59C5C7D50
SHA-256:	D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755
SHA-512:	BB6DA177BD16D163F377D9B4C63F6D535804137887684C113CC2F643CEAB4F34338C06B5A29213C23D375E95D22EF417EAC928822DFB3688CE9E2DE9D5242D10
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....Y.......,...................I.................;Za. .authroot.stl.98.?.6..CK..<Tk......4..c... .Ec...U.d.d.E&I.DH..M.KB."..rK.RQ..}f..f...}..1....9...........$.8q..fa...7.o.1.0...bfsM4.........u..l..0..4.a.t....0.....6#....n. :... ....%.,CQ5uU..(.3.<7#.0..JN.$...=j\|w...#.oU..Eq[..P..^..~.V...;..m...I\|...l..@-W..=.QQ.._./.M.nZ..(.........`.$Z.9wW:W.]..8E.......I.D{..n...K:.m..^.(.S.......c..s.y..<...2.%o.o.....H.B.R.....11.\|!.(...........h.SZ........<...^....Z>.Pp?... .pT@p.#.&..........#VEV=.....p........y..."T=l.n..egf.w..X.Y..-G...........KQ.]...pM..[m..-6.wd:........T...:.P5Zs....c.oT`..F1#......EuD.......7....V ..-....!.N..%S...k...S. ...@.J..../..b!B.(=\../.l......`.\...q9..>4!b..8EH.....zdy.....#...X>%0w...i.,>c.z.g"p.S..2W.+mMs.....5Def.....#._D.4....>}...i...\.&`D.......z;..ZY.3.+t.`....z_.q'w.z.)..j3.+.co.s..:.........qK...{...E....uPO...#vs.XxH.B!..(t. 8k+.....G\..?..GF8....'..w.>.ms..\ve.nFN..W)....xi..u..5.f.l....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\Venom_RAT.bin.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.189712167018517
Encrypted:	false
SSDEEP:	6:kKWsYEGmcvSN+SkQlPlEGYRMY9z+4KlDA3RUeqpGVuys1:edEGmCkPlE99SNxAhUeq8S
MD5:	834A6C33A9D6E72C16E5751CCE8DBBF0
SHA1:	9BAA1119C5805097A90FC32C14BD06AB4A92C983
SHA-256:	E86499A6CF30B994A562180ED37E01E9C4F443EF7C3827AC5CF58BD803A5B427
SHA-512:	63C44F374031ACBFFBFA96D00D18FCA93E92881769D8980DA5EBBE1B8FC439899AC9A8C77837B5889547F765A1A5EEB27812FC3C13F11073001F76FE3A1F7BFF
Malicious:	false
Reputation:	low
Preview:	p...... .........y.....(....................................................... ..................(...........Y...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".6.4.2.7.f.6.c.2.b.7.8.7.d.b.1.:.0."...

C:\Users\user\AppData\Roaming\MyData\DataLogs.conf

Download File

Process:	C:\Users\user\Desktop\Venom_RAT.bin.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:Rt:v
MD5:	CF759E4C5F14FE3EEC41B87ED756CEA8
SHA1:	C27C796BB3C2FAC929359563676F4BA1FFADA1F5
SHA-256:	C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
SHA-512:	C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.5.False

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.803696030455237
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Venom_RAT.bin.exe
File size:	75'776 bytes
MD5:	4069d5435f4e98f349a862ca454bc30b
SHA1:	c5a7d106631f95c7f9d5e84b1f6c6eec3e1dc31c
SHA256:	35c4a830c22df437d6881b7115631646eaac6aac844ff3d3d055d0f528866857
SHA512:	44db701300e244ad7566c0edbc89cf6fa65ca75749c9d84ddd2881440e54ddf4d0f2dd080a5736e21f4fd618f7dabdfc0352a90e953a796eac715c5a283eb27f
SSDEEP:	1536:IUk0cxVGlCBiPMVSI6eMILU1bv/T2SksK0Qzc67VclN:IURcxVMWiPMVndU1bvSSfHQLxY
TLSH:	3473390237E88D29E3AE47B9ACF211070EF4D5576116DE5E3CC440CE5A67BC99A037EA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c............................~4... ...@....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x41347e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63E41DD4 [Wed Feb 8 22:10:28 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13430	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x11484	0x11600	8716019aa1cbd92372f0a8d99f77326f	False	0.4828715152877698	data	5.830777450535218	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0xdf7	0xe00	af2b4fe7f2686637f8e50253cee78069	False	0.4037388392857143	data	5.1161120256832735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16000	0xc	0x200	e00605145d8e954818113d40af9e9488	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x140a0	0x2d4	data			0.44613259668508287
RT_MANIFEST	0x14374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40245261984392416

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription
FileVersion	6.0.1
InternalName	Clientx86.exe
LegalCopyright
LegalTrademarks
OriginalFilename	Clientx86.exe
ProductName
ProductVersion	6.0.1
Assembly Version	6.0.1.0

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-20T18:25:12.504509+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	81.19.131.153	50037	192.168.2.6	49686	TCP
2025-03-20T18:25:12.504509+0100	2052265	ET MALWARE Observed Malicious SSL Cert (VenomRAT)	1	81.19.131.153	50037	192.168.2.6	49686	TCP
2025-03-20T18:25:12.504509+0100	2052267	ET MALWARE Observed Malicious SSL Cert (VenomRAT)	1	81.19.131.153	50037	192.168.2.6	49686	TCP

Network Port Distribution

Total Packets: 128
• 50037 undefined
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 20, 2025 18:25:10.969135046 CET	49685	443	192.168.2.6	104.20.3.235
Mar 20, 2025 18:25:10.969173908 CET	443	49685	104.20.3.235	192.168.2.6
Mar 20, 2025 18:25:10.969299078 CET	49685	443	192.168.2.6	104.20.3.235
Mar 20, 2025 18:25:10.976161003 CET	49685	443	192.168.2.6	104.20.3.235
Mar 20, 2025 18:25:10.976181030 CET	443	49685	104.20.3.235	192.168.2.6
Mar 20, 2025 18:25:11.210067034 CET	443	49685	104.20.3.235	192.168.2.6
Mar 20, 2025 18:25:11.210417986 CET	49685	443	192.168.2.6	104.20.3.235
Mar 20, 2025 18:25:11.214793921 CET	49685	443	192.168.2.6	104.20.3.235
Mar 20, 2025 18:25:11.214808941 CET	443	49685	104.20.3.235	192.168.2.6
Mar 20, 2025 18:25:11.215106964 CET	443	49685	104.20.3.235	192.168.2.6
Mar 20, 2025 18:25:11.255409002 CET	49685	443	192.168.2.6	104.20.3.235
Mar 20, 2025 18:25:11.260663033 CET	49685	443	192.168.2.6	104.20.3.235
Mar 20, 2025 18:25:11.304322958 CET	443	49685	104.20.3.235	192.168.2.6
Mar 20, 2025 18:25:11.937634945 CET	443	49685	104.20.3.235	192.168.2.6
Mar 20, 2025 18:25:11.937736988 CET	443	49685	104.20.3.235	192.168.2.6
Mar 20, 2025 18:25:11.937813997 CET	49685	443	192.168.2.6	104.20.3.235
Mar 20, 2025 18:25:11.940861940 CET	49685	443	192.168.2.6	104.20.3.235
Mar 20, 2025 18:25:11.941725969 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:12.120614052 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:12.120748043 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:12.121656895 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:12.304805040 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:12.311259031 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:12.504508972 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:12.552001953 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:14.013498068 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:14.013564110 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:14.193253040 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:27.947319031 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:28.177145958 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:28.177278042 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:28.363490105 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:28.411549091 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:28.592545986 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:28.605031013 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:28.832273006 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:28.832386017 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:29.071192026 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:41.881067991 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:42.112756968 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:42.112869978 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:42.293539047 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:42.348957062 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:42.908866882 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:42.910986900 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:43.141491890 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:43.141675949 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:43.362767935 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:55.842597008 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:56.069185019 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:56.069264889 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:56.395901918 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:56.631263971 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:56.651115894 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:56.879920006 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:25:56.879987955 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:25:57.095623970 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:09.771476984 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:10.006618977 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:10.006725073 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:10.188086987 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:10.239687920 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:10.415879011 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:10.418080091 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:10.643940926 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:10.644141912 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:10.859498024 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:22.302535057 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:22.538096905 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:22.538155079 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:22.723093987 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:22.770814896 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:22.950424910 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:22.956517935 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:23.175173044 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:23.175230980 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:23.395999908 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:36.240122080 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:36.472918034 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:36.472971916 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:36.656169891 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:36.708340883 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:36.888700008 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:36.890965939 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:37.130835056 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:37.130909920 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:37.365360975 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:45.912167072 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:46.162883997 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:46.162971020 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:46.352845907 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:46.395848036 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:46.578497887 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:46.580486059 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:46.817251921 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:46.817523956 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:47.061835051 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:48.866143942 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:49.096712112 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:49.097587109 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:49.278151035 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:49.335434914 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:50.163192987 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:50.165380001 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:50.395615101 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:50.395663977 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:50.632644892 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:55.068120956 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:55.300659895 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:55.300761938 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:55.481936932 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:55.539465904 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:55.717394114 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:55.724853039 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:55.956393003 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:26:55.956444025 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:26:56.189754009 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:03.349294901 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:03.582129002 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:03.582179070 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:03.764106035 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:03.817724943 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:03.998183012 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:04.000004053 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:04.222198009 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:04.222263098 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:04.441185951 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:17.287075043 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:17.520441055 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:17.520519972 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:17.703486919 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:17.755300999 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:17.935327053 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:17.937596083 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:18.177778006 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:18.177894115 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:18.409737110 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:31.224730015 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:31.472337008 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:31.472398043 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:31.652416945 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:31.708384991 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:31.887350082 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:31.891514063 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:32.113881111 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:32.113962889 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:32.346968889 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:40.349471092 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:40.603988886 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:40.604058981 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:40.808697939 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:40.849052906 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:41.029958963 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:41.032358885 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:41.254889965 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:41.254952908 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:41.485409021 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:53.193494081 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:53.440855026 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:53.440937996 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:53.622277975 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:53.677223921 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:53.854223967 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:53.855751038 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:54.081367970 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:54.081423998 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:54.300364017 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:56.818577051 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:57.048976898 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:57.049072981 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:57.236558914 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:57.286652088 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:57.472599983 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:57.477555037 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:57.709147930 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:27:57.709240913 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:27:57.942925930 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:10.755740881 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:10.987387896 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:10.987643003 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:11.165363073 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:11.208496094 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:11.385848999 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:11.387927055 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:11.611160994 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:11.611303091 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:11.831183910 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:24.704592943 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:25.005330086 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:25.189152002 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:25.239691973 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:25.420392990 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:25.422533035 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:25.642640114 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:25.642692089 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:25.863764048 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:38.647582054 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:38.876245975 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:38.876297951 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:39.057419062 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:39.099140882 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:39.279295921 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:39.282361031 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:39.509650946 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:39.509865046 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:39.743643045 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:42.912916899 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:43.143769979 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:43.144203901 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:43.324831009 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:43.380433083 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:43.557915926 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:43.562614918 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:43.788074017 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:43.788203955 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:44.025413990 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:56.849570990 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:57.081937075 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:57.082010984 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:57.262042046 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:57.302242994 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:57.481581926 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:57.483140945 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:57.707835913 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:28:57.707902908 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:28:57.941905975 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:29:10.794295073 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:29:11.017815113 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:29:11.017874002 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:29:11.205595970 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:29:11.255378962 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:29:11.440926075 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:29:11.443197012 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:29:11.676271915 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:29:11.676362038 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:29:11.905774117 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:29:13.833818913 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:29:14.070224047 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:29:14.070281982 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:29:14.251260042 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:29:14.302241087 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:29:14.482305050 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:29:14.483025074 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:29:14.706134081 CET	50037	49686	81.19.131.153	192.168.2.6
Mar 20, 2025 18:29:14.706254959 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:29:15.021089077 CET	49686	50037	192.168.2.6	81.19.131.153
Mar 20, 2025 18:29:15.201967001 CET	50037	49686	81.19.131.153	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 20, 2025 18:25:10.851638079 CET	49326	53	192.168.2.6	1.1.1.1
Mar 20, 2025 18:25:10.963058949 CET	53	49326	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 20, 2025 18:25:10.851638079 CET	192.168.2.6	1.1.1.1	0x9019	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 20, 2025 18:25:10.963058949 CET	1.1.1.1	192.168.2.6	0x9019	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
Mar 20, 2025 18:25:10.963058949 CET	1.1.1.1	192.168.2.6	0x9019	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Mar 20, 2025 18:25:10.963058949 CET	1.1.1.1	192.168.2.6	0x9019	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
Mar 20, 2025 18:25:13.138247967 CET	1.1.1.1	192.168.2.6	0x7aaf	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.31	A (IP address)	IN (0x0001)	false
Mar 20, 2025 18:25:13.138247967 CET	1.1.1.1	192.168.2.6	0x7aaf	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.29	A (IP address)	IN (0x0001)	false
Mar 20, 2025 18:25:13.138247967 CET	1.1.1.1	192.168.2.6	0x7aaf	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.27	A (IP address)	IN (0x0001)	false
Mar 20, 2025 18:25:13.138247967 CET	1.1.1.1	192.168.2.6	0x7aaf	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.19	A (IP address)	IN (0x0001)	false
Mar 20, 2025 18:25:13.138247967 CET	1.1.1.1	192.168.2.6	0x7aaf	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.17	A (IP address)	IN (0x0001)	false
Mar 20, 2025 18:25:13.138247967 CET	1.1.1.1	192.168.2.6	0x7aaf	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.23	A (IP address)	IN (0x0001)	false
Mar 20, 2025 18:25:13.138247967 CET	1.1.1.1	192.168.2.6	0x7aaf	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.25	A (IP address)	IN (0x0001)	false
Mar 20, 2025 18:25:13.138247967 CET	1.1.1.1	192.168.2.6	0x7aaf	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.21	A (IP address)	IN (0x0001)	false
Mar 20, 2025 18:25:24.026901960 CET	1.1.1.1	192.168.2.6	0x6e8f	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Mar 20, 2025 18:25:24.026901960 CET	1.1.1.1	192.168.2.6	0x6e8f	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49685	104.20.3.235	443	5748	C:\Users\user\Desktop\Venom_RAT.bin.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-20 17:25:11 UTC	74	OUT	GET /raw/i3NzmwEg HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2025-03-20 17:25:11 UTC	388	IN	HTTP/1.1 200 OK Date: Thu, 20 Mar 2025 17:25:11 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Thu, 20 Mar 2025 17:25:11 GMT Server: cloudflare CF-RAY: 9236e84a4b088c45-EWR
2025-03-20 17:25:11 UTC	25	IN	Data Raw: 31 33 0d 0a 38 31 2e 31 39 2e 31 33 31 2e 31 35 33 3a 35 30 30 33 37 0d 0a Data Ascii: 1381.19.131.153:50037
2025-03-20 17:25:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

• Venom_RAT.bin.exe

Click to jump to process

Memory Usage

• Venom_RAT.bin.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	1
Start time:	13:25:06
Start date:	20/03/2025
Path:	C:\Users\user\Desktop\Venom_RAT.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Venom_RAT.bin.exe"
Imagebase:	0x1f0000
File size:	75'776 bytes
MD5 hash:	4069D5435F4E98F349A862CA454BC30B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.3%
Total number of Nodes:	29
Total number of Limit Nodes:	2

Executed Functions

Function 00A62E72 Relevance: 2.0, APIs: 1, Instructions: 456
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00A63351

Memory Dump Source

Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: b4cbec297b0e737b3b619da6d52fff37cef387ebbe0e19293c2b004762efc0ad
Instruction ID: 0bba3ae446205ae0961c25d06040155322ac1255544995d75aff7940791c286f
Opcode Fuzzy Hash: b4cbec297b0e737b3b619da6d52fff37cef387ebbe0e19293c2b004762efc0ad
Instruction Fuzzy Hash: C5E1A276F002054BDF14CABD9CA03EE76F3AFD4324F688229DA55DB784DA349E02A741

Function 00A632C8 Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00A63351

Memory Dump Source

Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8e3faf016bc1cff1530f96bbaf03e777c0cdb16af2c31d72be01f26b574af87d
Instruction ID: b81cade5482dbdd63b98f7968edc558c6802d0642318be3fb6a96f99255481ab
Opcode Fuzzy Hash: 8e3faf016bc1cff1530f96bbaf03e777c0cdb16af2c31d72be01f26b574af87d
Instruction Fuzzy Hash: 8121F2B1D012099FCB10DFAAD984A9EFBF5FF48310F64842AE919A7310C7759901CBA0

Function 00A626F8 Relevance: .6, Instructions: 574
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8e4f167dd0d9caab6dfb83f07d5cf74e5cd4936de82b7b460df5fd30f203fe
Instruction ID: 8e333f40e4fd3410cb8fd86baa3c6c31e11015c144120740183a9464a2a39bd9
Opcode Fuzzy Hash: cb8e4f167dd0d9caab6dfb83f07d5cf74e5cd4936de82b7b460df5fd30f203fe
Instruction Fuzzy Hash: C602B031B006068BDB14DBBC8C907AE76B3AFD8360F69823AD655DB3C5EA74DD029741

Function 00A699FA Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A69A7E
GetCurrentThread.KERNEL32 ref: 00A69ABB
GetCurrentProcess.KERNEL32 ref: 00A69AF8
GetCurrentThreadId.KERNEL32 ref: 00A69B51

Memory Dump Source

Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ed1a427613d95e19b54d9d457a78ae2e1ce218384f24e40ee3318659af76a0ff
Instruction ID: 08928563a5a0cd791c48b9a1a14bc30bc8ebb194f43849e587aa572eda14e233
Opcode Fuzzy Hash: ed1a427613d95e19b54d9d457a78ae2e1ce218384f24e40ee3318659af76a0ff
Instruction Fuzzy Hash: 775197B1900209CFDB14CFA9D548BAEBBF5EF88304F248459E119B7360D778A944CF65

Function 00A69A00 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A69A7E
GetCurrentThread.KERNEL32 ref: 00A69ABB
GetCurrentProcess.KERNEL32 ref: 00A69AF8
GetCurrentThreadId.KERNEL32 ref: 00A69B51

Memory Dump Source

Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0bccda986e64ec52ff10643e7bcb721beed1270ce061dcb1344358ca5dcdac77
Instruction ID: f677cfe9e0d2a3975e3b54065af05b11a8e113b3786ab9e51641615edc5d212e
Opcode Fuzzy Hash: 0bccda986e64ec52ff10643e7bcb721beed1270ce061dcb1344358ca5dcdac77
Instruction Fuzzy Hash: E35196B1900209CFDB14CFA9C548BAEBBF5EF88304F248059E019B73A0D778A944CF66

Function 00A69C40 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A69CCF

Memory Dump Source

Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b4d617eca0e0a10adebfabe7da2349454ce965369adedd08bb2b86b76b3dafa8
Instruction ID: 73c2801f8df3331f646ab585378224af16cee74807495b9c2f64f2f7989e665d
Opcode Fuzzy Hash: b4d617eca0e0a10adebfabe7da2349454ce965369adedd08bb2b86b76b3dafa8
Instruction Fuzzy Hash: 3721E3B5D00249DFDB10CFA9D584ADEBBF4EB48310F14841AE918A7351D378A954CF61

Function 00A69C48 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A69CCF

Memory Dump Source

Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 206df4f6c38935a37bcb66905f0b49e0717bfbc3f35b967bff84f53d23dcdad2
Instruction ID: e7bbe91dcdda67f27ba4d9dec43c8eccbcbc677a54788d7b0b43e9eae45b50b8
Opcode Fuzzy Hash: 206df4f6c38935a37bcb66905f0b49e0717bfbc3f35b967bff84f53d23dcdad2
Instruction Fuzzy Hash: 6921C2B59002499FDB10CFAAD984ADEBFF8FB48310F14841AE918B3351D378A954CFA5

Function 00A63C2C Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(00A045D0,00000000,?,?), ref: 00A6496B

Memory Dump Source

Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 5c3ae4023d32493cb02153664e8c5e5328024a41b6642cd637f88134bdc832c8
Instruction ID: d2cc59a0b2e5e5103168cbb8ff0cf2a4b9f02de015836754de94ad4bbf43e254
Opcode Fuzzy Hash: 5c3ae4023d32493cb02153664e8c5e5328024a41b6642cd637f88134bdc832c8
Instruction Fuzzy Hash: 2E21F575D002099FDB14DFA9D844BAFBBF5EB88310F248429E459A7250C774A945CFA1

Function 00A648E8 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(00A045D0,00000000,?,?), ref: 00A6496B

Memory Dump Source

Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 484e0a9305ed1a6a1ad9952102206a1a0c9d70e03150e586bbd8989c80cf6704
Instruction ID: f64f289e7085df0ba87a7a5047b48f5070fe84345105543719939a0fe4c68897
Opcode Fuzzy Hash: 484e0a9305ed1a6a1ad9952102206a1a0c9d70e03150e586bbd8989c80cf6704
Instruction Fuzzy Hash: D521F5759002098FDB14DFA9C944BDEBBF5EB88320F148429E469A7251C7789945CFA1

Function 00A0D0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3655428254.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a0d000_Venom_RAT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d130c3ae8750d89a7dff02db34c37e032742f04ab7f8d927ca0541eb80a95e
Instruction ID: 9658decbd6f85560ae3a26277b236f0993c309c965404c9a4a8e1112a2da5b4f
Opcode Fuzzy Hash: a6d130c3ae8750d89a7dff02db34c37e032742f04ab7f8d927ca0541eb80a95e
Instruction Fuzzy Hash: FD210776504208DFDB05DF54E9C0B26BBA5FB88324F24C66DD8094B296C73BD856CA61

Function 00A0D0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3655428254.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a0d000_Venom_RAT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f503f778aeac3a07bb6588130c9135d0a53f708ec3930929eee3262ecda282
Instruction ID: ca7f3279a57df208e3f4b243e6885561bac63c6d8e716bb3e608766753b867ce
Opcode Fuzzy Hash: e0f503f778aeac3a07bb6588130c9135d0a53f708ec3930929eee3262ecda282
Instruction Fuzzy Hash: D711D076504244CFDB06CF54E9C4B15FBB1FB44314F28C6A9D8094B296C33AD85ACB51

Non-executed Functions

Function 00A626E7 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3655587505.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a60000_Venom_RAT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c749c9ad136e716352ffd1d44299842b74fe7945bece4443f443f4229b06cea4
Instruction ID: 50a73490379988ae8540bd2345c816dcc3f7d90051b0099aa3e3cb7fa9af9883
Opcode Fuzzy Hash: c749c9ad136e716352ffd1d44299842b74fe7945bece4443f443f4229b06cea4
Instruction Fuzzy Hash: A691AB32F0071647DB18CAED8D903AE61B3AFE4314F9D81399A42CB785EEB8DD026741

Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack	String decryptor: null
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack	String decryptor: null
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack	String decryptor: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack	String decryptor: false
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack	String decryptor: dwjsrlleihmlidl
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack	String decryptor: MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack	String decryptor: KRtbBX6+OhVpmFd/MgPxJrAuARtE/V+EmWvFc0HMsLvKFXqgb1UoUFSzeow7SDLOePjhcephhGw6HR1hi0sV1M0Jaj8rWGFRWTVftjDKGkAGjYBXfeaclRpOkyUlJay8e9cO7B5LmpzDUSbHW4GNGLTMTD+iX3aqvQgvCVoDRxM=
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack	String decryptor: https://pastebin.com/raw/i3NzmwEg
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack	String decryptor: false
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack	String decryptor: FEB 27 LOGS
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack	String decryptor: false
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack	String decryptor: false

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 81.19.131.153:50037 -> 192.168.2.6:49686
Source: Network traffic	Suricata IDS: 2052265 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 81.19.131.153:50037 -> 192.168.2.6:49686
Source: Network traffic	Suricata IDS: 2052267 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 81.19.131.153:50037 -> 192.168.2.6:49686

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235

Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.19.131.153

Source: Venom_RAT.bin.exe, 00000001.00000002.3654975697.0000000000759000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000026CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002659000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000026BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: Venom_RAT.bin.exe, 00000001.00000002.3655860981.0000000002718000.00000004.00000800.00020000.00000000.sdmp, Venom_RAT.bin.exe, 00000001.00000002.3655860981.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/i3NzmwEg

Source: Venom_RAT.bin.exe	Malware Configuration Extractor: VenomRAT {"Pastebin Link": "https://pastebin.com/raw/i3NzmwEg", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Install": "false", "Mutex": "dwjsrlleihmlidl", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "Server Signature": "KRtbBX6+OhVpmFd/MgPxJrAuARtE/V+EmWvFc0HMsLvKFXqgb1UoUFSzeow7SDLOePjhcephhGw6HR1hi0sV1M0Jaj8rWGFRWTVftjDKGkAGjYBXfeaclRpOkyUlJay8e9cO7B5LmpzDUSbHW4GNGLTMTD+iX3aqvQgvCVoDRxM="}
Source: Venom_RAT.bin.exe	Malware Configuration Extractor: AsyncRAT {"Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Mutex": "dwjsrlleihmlidl", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "Server Signature": "KRtbBX6+OhVpmFd/MgPxJrAuARtE/V+EmWvFc0HMsLvKFXqgb1UoUFSzeow7SDLOePjhcephhGw6HR1hi0sV1M0Jaj8rWGFRWTVftjDKGkAGjYBXfeaclRpOkyUlJay8e9cO7B5LmpzDUSbHW4GNGLTMTD+iX3aqvQgvCVoDRxM=", "External_config_on_Pastebin": "https://pastebin.com/raw/i3NzmwEg"}

Source: Venom_RAT.bin.exe	Virustotal: Detection: 73%			Perma Link
Source: Venom_RAT.bin.exe	ReversingLabs: Detection: 83%

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443

Source: Venom_RAT.bin.exe, type: SAMPLE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: Venom_RAT.bin.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Code function: 1_2_00A632C8 NtProtectVirtualMemory,		1_2_00A632C8
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Code function: 1_2_00A62E72 NtProtectVirtualMemory,		1_2_00A62E72

Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Code function: 1_2_00A626F8	1_2_00A626F8
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Code function: 1_2_00A626E7	1_2_00A626E7
Source: C:\Users\user\Desktop\Venom_RAT.bin.exe	Code function: 1_2_00A62E72	1_2_00A62E72

Source: Venom_RAT.bin.exe, 00000001.00000002.3654665455.000000000068E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Venom_RAT.bin.exe
Source: Venom_RAT.bin.exe, 00000001.00000002.3654486265.0000000000399000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Venom_RAT.bin.exe
Source: Venom_RAT.bin.exe, 00000001.00000000.1205223690.00000000001F2000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameClientx86.exe" vs Venom_RAT.bin.exe
Source: Venom_RAT.bin.exe	Binary or memory string: OriginalFilenameClientx86.exe" vs Venom_RAT.bin.exe

Source: Venom_RAT.bin.exe, type: SAMPLE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: Venom_RAT.bin.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 1.0.Venom_RAT.bin.exe.1f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Venom_RAT.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VenomRAT

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Roaming\MyData\DataLogs.conf

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Windows Analysis Report
Venom_RAT.bin.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre