File name:

$77-Venom.exe

Full analysis: https://app.any.run/tasks/d08f970e-0c53-4c8a-a6b0-cb0d012d0a38
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.

Malware Trends Tracker     >>>
Analysis date: November 23, 2023, 14:52:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
quasar
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

9D63C479D693BD9AA3C86C5DCD087FCE

SHA1:

CDDA73C9803EBE12D471E4BAFF7623027306B623

SHA256:

05654785B121E27F350AF9E0A8C0D72651A802804D2193F1EE259E342B757B87

SSDEEP:

12288:c1S0VFTjcBSpkO0RQXR15FldSQ9wWMIni:4SQ1jcBS5R1CQ9Ni

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • QUASAR has been detected (YARA)

      • $77-Venom.exe (PID: 3460)

  • SUSPICIOUS

    • Checks for external IP

      • $77-Venom.exe (PID: 3460)

    • Reads the Internet Settings

      • $77-Venom.exe (PID: 3460)

    • Connects to unusual port

      • $77-Venom.exe (PID: 3460)

  • INFO

    • Reads the computer name

      • $77-Venom.exe (PID: 3460)
      • wmpnscfg.exe (PID: 3524)

    • Checks supported languages

      • $77-Venom.exe (PID: 3460)
      • wmpnscfg.exe (PID: 3524)

    • Reads the machine GUID from the registry

      • $77-Venom.exe (PID: 3460)
      • wmpnscfg.exe (PID: 3524)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3524)

    • Creates files or folders in the user directory

      • $77-Venom.exe (PID: 3460)

    • Reads Environment values

      • $77-Venom.exe (PID: 3460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Quasar

(PID) Process(3460) $77-Venom.exe
Version2.1.0.0
C2 (2)telebit.cloud:5543
Sub_DirSubDir
Install_NameClient.exe
MutexVNM_MUTEX_c2q7y2ayYutZ2XaYe7
StartupVenom Client Startup
TagOffice04
LogDirLogs
Signature
Certificate
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:23 15:50:42+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 544256
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x86c2e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.1.0.0
ProductVersionNumber: 2.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 2.1.0.0
InternalName: $77-Venom.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: $77-Venom.exe
ProductName: -
ProductVersion: 2.1.0.0
AssemblyVersion: 2.1.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #QUASAR $77-venom.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3460"C:\Users\admin\AppData\Local\Temp\$77-Venom.exe" C:\Users\admin\AppData\Local\Temp\$77-Venom.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
2.1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\$77-venom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Quasar
(PID) Process(3460) $77-Venom.exe
Version2.1.0.0
C2 (2)telebit.cloud:5543
Sub_DirSubDir
Install_NameClient.exe
MutexVNM_MUTEX_c2q7y2ayYutZ2XaYe7
StartupVenom Client Startup
TagOffice04
LogDirLogs
Signature
Certificate
3524"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events
496
Read events
493
Write events
0
Delete events
3

Modification events

(PID) Process:(3524) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{0A65B01F-E740-4F4D-9914-CFA40373C7AC}\{EDD7F990-3842-4F92-A599-B2B17B700032}
Operation:delete keyName:(default)
Value:
(PID) Process:(3524) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{0A65B01F-E740-4F4D-9914-CFA40373C7AC}
Operation:delete keyName:(default)
Value:
(PID) Process:(3524) wmpnscfg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{BBBB6F61-6F04-4E74-8E20-5A88E8EFFBD3}
Operation:delete keyName:(default)
Value:
Executable files
0
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3460$77-Venom.exeC:\Users\admin\AppData\Roaming\Logs\11-23-2023binary
MD5:61E1EE8094C1C14F7E6D34DAFA728B3B
SHA256:22B198C77650F60A4C0BDB23EB5D7C2EB7E0473B5295A0B8ADA6E0930DA534A2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
109
DNS requests
3
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3460
$77-Venom.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/
unknown
binary
293 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2588
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
3460
$77-Venom.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown
3460
$77-Venom.exe
104.248.242.224:5543
telebit.cloud
DIGITALOCEAN-ASN
DE
unknown

DNS requests

Domain
IP
Reputation
ip-api.com
  • 208.95.112.1
shared
telebit.cloud
  • 104.248.242.224
malicious

Threats

PID
Process
Class
Message
3460
$77-Venom.exe
A Network Trojan was detected
ET MALWARE Common RAT Connectivity Check Observed
3460
$77-Venom.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3460
$77-Venom.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
$77-Venom.exe