Source: venomrat.exe | Malware Configuration Extractor: VenomRAT {"Server": "95.216.52.21", "Ports": "7575", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "9qMAKEcHjR7M51oiubg1s8nBGFZNF42Z", "Mutex": "xdnqiaxygefjfoolgo", "Certificate": "MIICMDCCAZmgAwIBAgIVAOmSmlLR0V/hbRrKsx8SjnnbUyU9MA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDQxNDEyNDQ0MVoXDTMzMDEyMTEyNDQ0MVowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALKj/PuhM34AjclHrUwA4cO5TtZf9pwyeyY2jj4O6tBdAMVFo1oTr814BGXUJwRzEJcecUo3Dr73vE0doa44vRC6SzikqmAPeaCFC6rHzVzrAmWGZJGizVPXaZzxV3l6bO+ybGuLY9UFjtnmS8sQIB00Fao3ir+BUZ5IlrQgTov7AgMBAAGjMjAwMB0GA1UdDgQWBBRefxQaHSgGG+YyOeYRZPjMVIyAjzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAv1GsPkh951Gm7xwpbcYCNfe1xyt7GCWOk7gFyEWtXZspjwJ5GjaQ553NT7jPVgzgg6ySxJ9JnaDND/HGiyNez1PQyZVDj/Pr/LiQKhy+e3axaICS3E5Q08tLsp/WoTAHMjOBp9eFDytI6qqCsZpJA8Yr+piIoFc0tP0WkkcJQ0", "ServerSignature": "Jk4qXbKFXoGaKaOMv/uJ5F44mQOKSCqSePunU5fhpydePGnElB7QelIcwMdXpJ6RzLA42a10t26OaXlxi9NEqDTUxTR33OBX66iPZx53RFmH1Yo4foWquypE14YgrNWF0uNVn/20bO205vgZWLf90bUVdv3JdcZr3KcQgNnFbEQ=", "BDOS": "null"} |
Source: venomrat.exe | Malware Configuration Extractor: AsyncRAT {"Ports": ["7575"], "Server": ["95.216.52.21"], "Certificate": "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", "Server Signature": "Jk4qXbKFXoGaKaOMv/uJ5F44mQOKSCqSePunU5fhpydePGnElB7QelIcwMdXpJ6RzLA42a10t26OaXlxi9NEqDTUxTR33OBX66iPZx53RFmH1Yo4foWquypE14YgrNWF0uNVn/20bO205vgZWLf90bUVdv3JdcZr3KcQgNnFbEQ="} |
Source: venomrat.exe | ReversingLabs: Detection: 91% |
Source: venomrat.exe | Virustotal: Detection: 75% |
Source: | Binary string: C:\Users\28718\source\repos\WindowsFormsApp3\obj\Release\Keylogger.pdbS<m< _<_CorExeMainmscoree.dll source: venomrat.exe |
Source: | Binary string: C:\Users\28718\source\repos\WindowsFormsApp3\obj\Release\Keylogger.pdb source: venomrat.exe |
Source: Yara match | File source: venomrat.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.venomrat.exe.f46c78.1.raw.unpack, type: UNPACKEDPE |
Source: venomrat.exe | String found in binary or memory: http://remote_server.com/modules/ |
Source: venomrat.exe | String found in binary or memory: https://api.telegram.org/bot |
Source: venomrat.exe | String found in binary or memory: https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5 |
Source: venomrat.exe | String found in binary or memory: https://pastebin.com/raw/LwwcrLg4 |
Source: venomrat.exe | String found in binary or memory: https://www.baidu.com |
Source: Yara match | File source: 0.0.venomrat.exe.f46c78.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: venomrat.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.venomrat.exe.f46c78.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000000.346735908.000000000060A000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: venomrat.exe PID: 1732, type: MEMORYSTR |
Source: 0.0.venomrat.exe.3c816e.4.raw.unpack, Keylogger.cs | .Net Code: KeyboardLayout |
Source: venomrat.exe, type: SAMPLE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: venomrat.exe, type: SAMPLE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: venomrat.exe, type: SAMPLE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 0.0.venomrat.exe.f46c78.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 0.0.venomrat.exe.f46c78.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 0.0.venomrat.exe.f46c78.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 0.0.venomrat.exe.f46c78.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 0.0.venomrat.exe.3c816e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 0.0.venomrat.exe.438f01.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 0.0.venomrat.exe.3cbcfc.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000000.00000000.346735908.00000000003C3000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: Process Memory Space: venomrat.exe PID: 1732, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: venomrat.exe, 00000000.00000000.346735908.000000000060A000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs venomrat.exe |
Source: venomrat.exe, 00000000.00000000.346735908.000000000060A000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: get_txtOriginalFilename vs venomrat.exe |
Source: venomrat.exe, 00000000.00000000.346735908.000000000060A000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: set_txtOriginalFilename vs venomrat.exe |
Source: venomrat.exe, 00000000.00000000.346735908.000000000060A000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: InternalName!OriginalFilename vs venomrat.exe |
Source: venomrat.exe, 00000000.00000000.346735908.000000000060A000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: txtFileVersion#txtProductVersion'txtOriginalFilename vs venomrat.exe |
Source: venomrat.exe, 00000000.00000000.347876579.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVenom RAT + HVNC + Stealer + Grabber.exe" vs venomrat.exe |
Source: venomrat.exe, 00000000.00000002.381704961.00000000000FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs venomrat.exe |
Source: venomrat.exe, 00000000.00000000.346735908.00000000003C3000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameKeylogger.exe4 vs venomrat.exe |
Source: venomrat.exe, 00000000.00000000.346735908.00000000003C3000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename7z.exe, vs venomrat.exe |
Source: venomrat.exe, 00000000.00000000.346735908.00000000003C3000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename vs venomrat.exe |
Source: venomrat.exe, 00000000.00000000.346735908.00000000003C3000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: `FileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs venomrat.exe |
Source: venomrat.exe, 00000000.00000000.346735908.00000000003C3000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename7z.dll, vs venomrat.exe |
Source: venomrat.exe | Binary or memory string: OriginalFilenameKeylogger.exe4 vs venomrat.exe |
Source: venomrat.exe | Binary or memory string: OriginalFilename7z.exe, vs venomrat.exe |
Source: venomrat.exe | Binary or memory string: OriginalFilename vs venomrat.exe |
Source: venomrat.exe | Binary or memory string: `FileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs venomrat.exe |
Source: venomrat.exe | Binary or memory string: OriginalFilename7z.dll, vs venomrat.exe |
Source: venomrat.exe | Binary or memory string: OriginalFilenameClient.exe" vs venomrat.exe |
Source: venomrat.exe | Binary or memory string: get_txtOriginalFilename vs venomrat.exe |
Source: venomrat.exe | Binary or memory string: set_txtOriginalFilename vs venomrat.exe |
Source: venomrat.exe | Binary or memory string: InternalName!OriginalFilename vs venomrat.exe |
Source: venomrat.exe | Binary or memory string: txtFileVersion#txtProductVersion'txtOriginalFilename vs venomrat.exe |
Source: venomrat.exe | Binary or memory string: OriginalFilenameVenom RAT + HVNC + Stealer + Grabber.exe" vs venomrat.exe |
Source: venomrat.exe, type: SAMPLE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: venomrat.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: venomrat.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 0.0.venomrat.exe.f46c78.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 0.0.venomrat.exe.f46c78.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 0.0.venomrat.exe.f46c78.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 0.0.venomrat.exe.f46c78.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 0.0.venomrat.exe.3c816e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 0.0.venomrat.exe.438f01.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 0.0.venomrat.exe.3cbcfc.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000000.00000000.346735908.00000000003C3000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: Process Memory Space: venomrat.exe PID: 1732, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0.0.venomrat.exe.f46c78.1.raw.unpack, Settings.cs | Base64 encoded string: 'GQZtqNa/a9G0KALj2LN6zLrXc/NXwcgTB97qrGxKJIZTQcHFB4DzgyEDHmb7/60b++T7WYRY7L1oIsyugZwWSw==', 'wjYX6BEPvKi5/mgqqLILFosQN/2MyaSSCbFjIofAuK6t/X7e70X9ArMdhNOnEfGoZWA7Ajmni4uRJMxXxAvgTQ==', 'u5heR6AMTbXmnv4FJMqIqkFvgzk5VPC2nrh3pzp4/lyQmlc4QoQPzsS9pMIZAPOGm9Fi38X4lGEpbOCEe+GjAw==', 'NA3Q+Ib6wTJlVFUxrFR2DMq6i3/OcOa6K1fBAiB/ErpTzszTxvyolmn7YmP+iLrhCI21qzvrwimV8glBzIRRE/F1ANkADP7poE8TffFFZqw=', 'HMc7dlmxZq8dxZHXwrxOrI794RugJzckIGc+x0c+rYXPICsZpFoe4XBd7KDUDdnF7ZBOmY4P1K2zLoXEn/la7g==', 'Ra8lsg7VWgiwtIccy7vwkKNgRJanNzBORu8RFwCxQ6ZtSF92C85NnbVAab6xo13vnRR8Pmp7kDdGWrMq0LCQpw==', 'i456xf2umb90T35uIfQulCLvieduONTxDfD/pdkum3v+ARbdfYL++XACHlH6KP/Qdl8jjfZiis6TxVLLmj3wmA==' |
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\venomrat.exe | Mutant created: NULL |
Source: venomrat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: venomrat.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.70% |
Source: C:\Users\user\Desktop\venomrat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: venomrat.exe | String found in binary or memory: -help |
Source: venomrat.exe | String found in binary or memory: Check charset encoding and -scs switch.Cannot find listfilebsobbbtbdba-helph?asut012sea0- |
Source: venomrat.exe | String found in binary or memory: richTextBoxLog#btnLoadOfflineLog%Load OfflineKeylog%xtraTabPageSetting-Installed Applications'listBoxInstalledApp#Processes Status |
Source: C:\Users\user\Desktop\venomrat.exe | File read: C:\Users\user\Desktop\venomrat.exe |
Source: C:\Users\user\Desktop\venomrat.exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\venomrat.exe | Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\venomrat.exe | Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\venomrat.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\venomrat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 |
Source: C:\Users\user\Desktop\venomrat.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll |
Source: venomrat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: venomrat.exe | Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: venomrat.exe | Static file information: File size 14868480 > 1048576 |
Source: venomrat.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0xe2b600 |
Source: 0.0.venomrat.exe.f46c78.1.raw.unpack, ClientSocket.cs | .Net Code: Invoke System.AppDomain.Load(byte[]) |
Source: venomrat.exe | Static PE information: 0xBA36F9E7 [Mon Dec 31 07:38:15 2068 UTC] |
Source: C:\Users\user\Desktop\venomrat.exe | Process information set: NOOPENFILEERRORBOX |
Source: venomrat.exe | Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE |
Source: C:\Users\user\Desktop\venomrat.exe | Memory allocated: 150000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\venomrat.exe | Memory allocated: 1AF00000 memory reserve | memory write watch |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\venomrat.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\venomrat.exe | Memory allocated: page read and write | page guard |
Source: 0.0.venomrat.exe.f46c78.1.raw.unpack, DInvokeCore.cs | Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters) |
Source: 0.0.venomrat.exe.f46c78.1.raw.unpack, AntiProcess.cs | Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId) |
Source: 0.0.venomrat.exe.3c816e.4.raw.unpack, Keylogger.cs | Reference to suspicious API methods: MapVirtualKey(vkCode, 0u) |
Source: C:\Users\user\Desktop\venomrat.exe | Queries volume information: C:\Users\user\Desktop\venomrat.exe VolumeInformation |
Source: venomrat.exe, 00000000.00000000.346735908.000000000060A000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: MSASCui.exe |
Source: venomrat.exe, 00000000.00000000.346735908.000000000060A000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: procexp.exe |
Source: venomrat.exe, 00000000.00000000.346735908.000000000060A000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: MsMpEng.exe |
Source: Yara match | File source: venomrat.exe, type: SAMPLE |
Source: Yara match | File source: Process Memory Space: venomrat.exe PID: 1732, type: MEMORYSTR |