Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\venomrat.exe

"C:\Users\user\Desktop\venomrat.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1732
Target ID:	0
Parent PID:	1244
Name:	venomrat.exe
Path:	C:\Users\user\Desktop\venomrat.exe
Commandline:	"C:\Users\user\Desktop\venomrat.exe"
Size:	14868480
MD5:	3B3A304C6FC7A3A1D9390D7CBFF56634
Time:	15:58:50
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x160000
Modulesize:	14893056
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected VenomRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://remote_server.com/modules/

unknown

https://api.telegram.org/bot

unknown

https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5

unknown

https://pastebin.com/raw/LwwcrLg4

unknown

https://www.baidu.com

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

60A000

unkown

page execute read

20C000

unkown

page execute read

35B000

unkown

page execute read

C7000

heap

page read and write

261000

unkown

page execute read

1010000

trusted library allocation

page read and write

139000

heap

page read and write

7FE93D26000

trusted library allocation

page read and write

7FFFFF00000

trusted library allocation

page execute and read and write

1496000

heap

page read and write

12F000

heap

page read and write

34A000

unkown

page execute read

A0000

trusted library allocation

page read and write

140000

trusted library allocation

page read and write

110C000

stack

page read and write

12F01000

trusted library allocation

page read and write

160000

unkown

page readonly

7FE93DF6000

trusted library allocation

page execute and read and write

36F000

unkown

page execute read

7FE93EBC000

trusted library allocation

page read and write

1BAFB000

heap

page read and write

10000

heap

page read and write

2F01000

trusted library allocation

page read and write

F8E000

unkown

page readonly

1BC4E000

stack

page read and write

35E000

unkown

page execute read

114000

heap

page read and write

19C000

unkown

page execute read

12F0000

heap

page read and write

7FE93D14000

trusted library allocation

page read and write

12F4000

heap

page read and write

282000

unkown

page execute read

2EFE000

stack

page read and write | page guard

293000

unkown

page execute read

20E000

unkown

page execute read

22E000

unkown

page execute read

12D000

heap

page read and write

1156000

heap

page read and write

C0000

heap

page read and write

1120000

heap

page read and write

391000

unkown

page execute read

FD000

heap

page read and write

7FE93D1D000

trusted library allocation

page execute and read and write

121000

heap

page read and write

1AB000

unkown

page execute read

328000

unkown

page execute read

160000

unkown

page readonly

3C3000

unkown

page execute read

7FE93E30000

trusted library allocation

page execute and read and write

38F000

unkown

page execute read

80000

heap

page read and write

2EFF000

stack

page read and write

250000

unkown

page execute read

1BAC5000

heap

page read and write

7FE93D13000

trusted library allocation

page execute and read and write

7FE93EB7000

trusted library allocation

page read and write

36D000

unkown

page execute read

1B5DD000

stack

page read and write

1BAC0000

heap

page read and write

3A0000

unkown

page execute read

1AD000

unkown

page execute read

1B3F0000

heap

page read and write

2D20000

heap

page read and write

7FE93D24000

trusted library allocation

page read and write

119000

heap

page read and write

7FE93DC0000

trusted library allocation

page read and write

1013000

trusted library allocation

page read and write

7FE93DD0000

trusted library allocation

page execute and read and write

1BA4F000

stack

page read and write

2B4000

unkown

page execute read

84000

heap

page read and write

1B3B4000

heap

page read and write

1FD000

unkown

page execute read

12B000

heap

page read and write

162000

unkown

page execute read

12F08000

trusted library allocation

page read and write

1460000

heap

page read and write

1F9000

unkown

page execute read

13E0000

heap

page execute and read and write

1BE70000

heap

page execute and read and write

2BC000

unkown

page execute read

1250000

heap

page execute and read and write

339000

unkown

page execute read

3A3000

unkown

page execute read

12F03000

trusted library allocation

page read and write

There are 75 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
venomrat.exe

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportvenomrat.exe

Processes

URLs

Memdumps

IOC Report
venomrat.exe