General

  • Target

    vnm.rar

  • Size

    23.4MB

  • Sample

    230730-xmef4aba36

  • MD5

    79cde4eb0611e953c787ab71bbf81321

  • SHA1

    1aee8bd8458b72dcebbea42d0b49957646e04d31

  • SHA256

    f464d1eca16652727a68d9ba70a7760e992063907b2d9b3889d9accf0d0dc9ae

  • SHA512

    2adad93a9a67e8c4410f1bf2ee492c760977ea755dd6db1df8cbfd1a3d52bf84a4bf7820c3f44400c5983596b27254f13732305084aeaf1659fb186ad3719528

  • SSDEEP

    393216:fnZXJZg93FXKyK8mU3lFUpAezyz2144atwOWgE8kbENJ9IFrUCRcVDRcicD0r:f1gRF6yK89Fng9atwO9Eg39WR6RBRr

Malware Config

Extracted

Family

arrowrat

Botnet

%Group%

C2

%Hosts%:%Ports%

Mutex

%MTX%

Extracted

Family

asyncrat

Version

VenomRAT_HVNC 5.0.4

Botnet

ctovnm

C2

85.31.45.6:4444

Mutex

OWAsgnAMn

Attributes
  • delay

    0

  • install

    true

  • install_file

    VenomStartup.exe

  • install_folder

    %AppData%

  • aes.plain

Targets

    • Target

      vnm/7z.exe

    • Size

      436KB

    • MD5

      3e797119e0fd64297cb82794b8d68edd

    • SHA1

      a67d3b35743f6ca383673a3848b8c97ec164cc0d

    • SHA256

      c7245e21a7553d9e52d434002a401c77a7ca7d0f245f2311b0ddf16f8f946c6f

    • SHA512

      1378c54a3a1c5bd73c04e787d218f245024625003d689379013f1343c7f9e6282d670c3d68edce6006629ca90cddd27ac3f53f640f96c4936bbff319658caef8

    • SSDEEP

      12288:4DRHJamC1E+3ZZ4jjEKDywIYCsdtpu7Cdw:ghF+3ZZ4lRk7h

    • Score

      1/10
    • Target

      vnm/Plugins/Keylogger.exe

    • Size

      10KB

    • MD5

      4f846f2117c4eab285289b0090521b1e

    • SHA1

      e25287c39bad32159417c5f0bf798625b6beff45

    • SHA256

      a17a5bf35d8b784c3111632ba7e0c30a2c1a9c2c95b549235affc16d6d055477

    • SHA512

      fd946b5f7c3c7d32f226897283de7ba3b4a4ecc2919c363877f1258cd24ed1a52bce53af2fe4ef34c4ac30d00fc456fd4e1593b79c37f7c22211f2c4f6092e5e

    • SSDEEP

      192:irtmcuq65SoDxi4maEYbRzmEsLkjgv5JHT1eJYHcwY7fazB+LEi:irtlF60GE9rUhVsLF5p1rYydmE

    • Score

      1/10
    • Target

      vnm/Stub/Client.exe

    • Size

      63KB

    • MD5

      6158c0682f86511060619bba0fe864be

    • SHA1

      63a1738c87ba9449b1d572ee470da2b242742643

    • SHA256

      5bf4fc2c4d3115229d60511cad1af48019a4c291ad6144e73393e88e319f80a5

    • SHA512

      baef40b589d8717f419185ad0885173f790394827d72d78520890ae737c7ee1cebe3af062340847cfe705c223669562e7116f48ab11d59654653a0b269026bd1

    • SSDEEP

      1536:8WP+BbY58krxvI0TTCNsOoIK7q6LgRAIM8pqKmY7:8WP+BbY5xrxvI0Z7P8R8Xz

    • Score

      10/10
    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Target

      vnm/Stub/client

    • Size

      144KB

    • MD5

      f4fdcb900e7af47100ac9e46945fbd55

    • SHA1

      c1d235a9a2cae8d5a8d4f6ceb4eab9417e1b1fb2

    • SHA256

      9160b90fa4a6a9cf22f943dba92cec64e2dc03c2317b5d9ab50a753fc410ce43

    • SHA512

      236eef98d4695a5e1224a87a1dc598639e5c49f6dd192a96cc1b9f8305faa57078deb62d73906a33ba1c1fac4fa5ccc5f344a0f196dbba718b76a36667984ac2

    • SSDEEP

      3072:Bsp9iv+DYM5ob0HGNSKsstcnZTJQDgWPaySsdH5boWz:Op9iTMSb0mgKFcQjhdH

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    • Target

      vnm/VenomRAT_HVNC.exe

    • Size

      16.8MB

    • MD5

      d8291744ad4573fbc0c2f82b1ada7bec

    • SHA1

      94960ccdc763248cb03e29d3f7b5ac5e20c7c501

    • SHA256

      69821fd27dd83d225fc21c799b8223d416985ad4a3bb5e78586b6d319e77f351

    • SHA512

      30f2110a990a541bc64b065b9615581356bdd682765e813d9b0bf32d68cd7dd559498a4e719085b514b7258380681eb7d1789ce2879973f45e18c2050b1266ce

    • SSDEEP

      393216:0nu7cCgkszHR7G6lrbkDlyoB+Lj19TRA282+yKGoAZGPcFl:0rDhG61qyoBY7q282+JPA4E

    • Score

      10/10
    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      vnm/client.bin

    • Size

      144KB

    • MD5

      f4fdcb900e7af47100ac9e46945fbd55

    • SHA1

      c1d235a9a2cae8d5a8d4f6ceb4eab9417e1b1fb2

    • SHA256

      9160b90fa4a6a9cf22f943dba92cec64e2dc03c2317b5d9ab50a753fc410ce43

    • SHA512

      236eef98d4695a5e1224a87a1dc598639e5c49f6dd192a96cc1b9f8305faa57078deb62d73906a33ba1c1fac4fa5ccc5f344a0f196dbba718b76a36667984ac2

    • SSDEEP

      3072:Bsp9iv+DYM5ob0HGNSKsstcnZTJQDgWPaySsdH5boWz:Op9iTMSb0mgKFcQjhdH

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence

    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2

  • Defense Evasion

    Modify Registry (T1112): 4

  • Discovery

    Query Registry (T1012): 5
    Peripheral Device Discovery (T1120): 4
    System Information Discovery (T1082): 6
