Malware analysis https://gofile.io/d/vJypj7 Malicious activity

Add for printing

URL:	https://gofile.io/d/vJypj7
Full analysis:	https://app.any.run/tasks/a728b98c-b8aa-40e4-91e3-7cbbf871837d
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Malware Trends Tracker >>>
Analysis date:	September 28, 2024, 13:16:02
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	fileshare ims-api generic asyncrat themida
Indicators:
MD5:	B2D2AE529BB35A3DBB01EEE43F6DA62B
SHA1:	C1D1DA7FAD6D74BC740C40DB6400AFF5A2805768
SHA256:	EF5C7B8610A101EFD3F67A68AB768E5C12EB7DA237FE003EFF348AF028C7B93C
SSDEEP:	3:N8rxL1Zn:2Zn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- ASYNCRAT has been detected (YARA)
  - Venom RAT + HVNC + Stealer + Grabber.exe (PID: 2384)
  - Venom RAT + HVNC + Stealer + Grabber.exe (PID: 5140)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 6368)
- Executes application which crashes
  - Clientx86.exe (PID: 7620)
  - Clientx64.exe (PID: 5984)
  - ClientAny.exe (PID: 7652)
- There is functionality for taking screenshot (YARA)
  - Venom RAT + HVNC + Stealer + Grabber.exe (PID: 2384)
  - Venom RAT + HVNC + Stealer + Grabber.exe (PID: 5140)
- Possible usage of Discord/Telegram API has been detected (YARA)
  - Venom RAT + HVNC + Stealer + Grabber.exe (PID: 2384)
  - Venom RAT + HVNC + Stealer + Grabber.exe (PID: 5140)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6368)
- Themida protector has been detected
  - Venom RAT + HVNC + Stealer + Grabber.exe (PID: 2384)
  - Venom RAT + HVNC + Stealer + Grabber.exe (PID: 5140)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

ims-api

(PID) Processunknown

Telegram-Tokens (1)5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ

Telegram-Info-Links

5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ

Get info about bothttps://api.telegram.org/bot5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ/getMe

Get incoming updateshttps://api.telegram.org/bot5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ/getUpdates

Get webhookhttps://api.telegram.org/bot5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ/deleteWebhook?drop_pending_updates=true

Discord-Webhook-Tokens (1)1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM

Discord-Info-Links

1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM

Get Webhook Infohttps://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM

(PID) Processunknown

Telegram-Tokens (1)5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ

Telegram-Info-Links

5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ

Get info about bothttps://api.telegram.org/bot5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ/getMe

Get incoming updateshttps://api.telegram.org/bot5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ/getUpdates

Get webhookhttps://api.telegram.org/bot5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot5819716395:AAEP-yuJ_QA22yswxx2C-lVY5yPkxnaxFMQ/deleteWebhook?drop_pending_updates=true

Discord-Webhook-Tokens (1)1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM

Discord-Info-Links

1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM

Get Webhook Infohttps://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

168

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1148

"C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe"

C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Keylogger.exe

explorer.exe

User:

admin

Company:

Keylogger

Integrity Level:

HIGH

Description:

Keylogger

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\venomrat.v6.0.3.+source\venomrat v6.0.3 (+source)\venomrat v6.0.3 (source)\keylogger.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2384

"C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"

C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

VenomRAT

Version:

6.0.1

Modules

Images
c:\users\admin\desktop\venomrat.v6.0.3.+source\venomrat v6.0.3 (+source)\venomrat v6.0.3 (source)\venom rat + hvnc + stealer + grabber.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

5140

"C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"

C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

VenomRAT

Exit code:

Version:

6.0.1

Modules

Images
c:\users\admin\desktop\venomrat.v6.0.3.+source\venomrat v6.0.3 (+source)\venomrat v6.0.3 (source)\venom rat + hvnc + stealer + grabber.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

5500

C:\WINDOWS\system32\WerFault.exe -u -p 7652 -s 940

C:\Windows\System32\WerFault.exe

ClientAny.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

5984

"C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe"

C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx64.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

3762504530

Version:

6.0.1

Modules

Images
c:\users\admin\desktop\venomrat.v6.0.3.+source\venomrat v6.0.3 (+source)\venomrat v6.0.3 (source)\stub\clientx64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

6368

"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE.7z" "?\"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6736

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7620 -s 1004

C:\Windows\SysWOW64\WerFault.exe

Clientx86.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

7256

C:\WINDOWS\system32\WerFault.exe -u -p 5984 -s 956

C:\Windows\System32\WerFault.exe

Clientx64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll

7620

"C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx86.exe"

C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Stub\Clientx86.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

3762504530

Version:

6.0.1

Modules

Images
c:\users\admin\desktop\venomrat.v6.0.3.+source\venomrat v6.0.3 (+source)\venomrat v6.0.3 (source)\stub\clientx86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

Add for printing

Total events

16 720

Read events

16 670

Write events

Delete events

Modification events


(PID) Process:	(6368) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	15
Value:
(PID) Process:	(6368) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	14
Value:
(PID) Process:	(6368) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	13
Value:
(PID) Process:	(6368) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	12
Value:
(PID) Process:	(6368) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	11
Value:
(PID) Process:	(6368) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	10
Value:
(PID) Process:	(6368) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	9
Value:
(PID) Process:	(6368) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	8
Value:
(PID) Process:	(6368) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	7
Value:
(PID) Process:	(6368) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	6
Value:

Add for printing

Executable files

109

Suspicious files

Text files

166

Unknown types

Dropped files

PID	Process	Filename		Type
6368	WinRAR.exe	C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\ip2region.db		—
		MD5:—	SHA256:—
6368	WinRAR.exe	C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Resources.resx		—
		MD5:—	SHA256:—
6368	WinRAR.exe	C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Server.Properties.Resources.resources		—
		MD5:—	SHA256:—
6368	WinRAR.exe	C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\online		binary
		MD5:4E642F0D041D6EF79D7701E599E4BBE9	SHA256:C2CFBABF111D231FB2531B6C0759C5191FD91F767059790FF53AEF87FAB2280F
6368	WinRAR.exe	C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\offline		binary
		MD5:829C84C8F69856AABA8DFAD042BC1CF4	SHA256:21B4173439BDCB6338D99A8F060B98426CCA95B2830B62965A72C94BC6C77236
6368	WinRAR.exe	C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Server.Properties.Resources.resources.txt		text
		MD5:87E6DB607C89F5FCF8465995F84D2AEC	SHA256:FF90E7F24C52AF8CC22AB93484A90EDB26F92BB0CD07F5F9F3E11565E516B38A
6368	WinRAR.exe	C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Plugins\Stealer.dll.config		xml
		MD5:EE37D8DDE7F969B007430B18386EF45F	SHA256:63837BDE3BFB609D59002B88831786E7B0BF285A6090F9252C35AF9EE3F75FF6
6368	WinRAR.exe	C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Source Code\app.ico		image
		MD5:71C699BD1EB8CF9FD981BABBF5524FC9	SHA256:B714CAE7F66BB4E924D4E942DE68D690746FC38160476F7AA48F5CB51A02AE22
6368	WinRAR.exe	C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Source Code\Forms\FormFileManager.cs		text
		MD5:74E47852A33BFB0695C94F8D5E32D52D	SHA256:D886ABD5121561330E65EF4C2B1B5F1FCF2169CED33603BA2D5576457C831465
6368	WinRAR.exe	C:\Users\admin\Desktop\VenomRAT.v6.0.3.+SOURCE\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Source Code\Forms\FormAudio.cs		text
		MD5:FAB5341AE57CAE5D27309A7B8508ABED	SHA256:E3FF142D34A50817E9D94AE33465D0AC80B0ACD48E32F5EE8BB5B588F6304AE7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7108	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
—	—	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
—	—	POST	200	184.24.77.79:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted
—	—	POST	200	184.24.77.79:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted
—	—	POST	200	184.24.77.79:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted
—	—	POST	200	142.250.186.35:80	http://o.pki.goog/s/wr3/XjA	unknown	—	—	whitelisted
—	—	POST	200	184.24.77.79:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted
—	—	POST	—	142.250.186.35:80	http://o.pki.goog/wr2	unknown	—	—	whitelisted
—	—	POST	200	142.250.186.35:80	http://o.pki.goog/wr2	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
7108	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6776	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	45.112.123.126:443	gofile.io	AMAZON-02	SG	whitelisted
—	—	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
—	—	34.117.188.166:443	contile.services.mozilla.com	GOOGLE-CLOUD-PLATFORM	US	whitelisted
—	—	184.24.77.79:80	r10.o.lencr.org	Akamai International B.V.	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
www.microsoft.com	184.30.21.171 88.221.169.152	whitelisted
google.com	142.250.186.46	whitelisted
gofile.io	45.112.123.126	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
example.org	93.184.215.14	whitelisted
ipv4only.arpa	192.0.0.170 192.0.0.171	whitelisted
contile.services.mozilla.com	34.117.188.166	whitelisted
spocs.getpocket.com	34.117.188.166	whitelisted

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
—	—	Potentially Bad Traffic	ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
—	—	Potentially Bad Traffic	ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
—	—	Misc activity	ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
—	—	Potentially Bad Traffic	ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
—	—	Potentially Bad Traffic	ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
—	—	Potentially Bad Traffic	ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
—	—	Misc activity	ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
—	—	Potentially Bad Traffic	ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
—	—	Potentially Bad Traffic	ET INFO Online File Storage Domain in DNS Lookup (gofile .io)

Add for printing

No debug info

General Info

https://gofile.io/d/vJypj7

B2D2AE529BB35A3DBB01EEE43F6DA62B

C1D1DA7FAD6D74BC740C40DB6400AFF5A2805768

EF5C7B8610A101EFD3F67A68AB768E5C12EB7DA237FE003EFF348AF028C7B93C

3:N8rxL1Zn:2Zn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ASYNCRAT has been detected (YARA)

SUSPICIOUS

Process drops legitimate windows executable

Executes application which crashes

There is functionality for taking screenshot (YARA)

Possible usage of Discord/Telegram API has been detected (YARA)

INFO

Executable content was dropped or overwritten

Themida protector has been detected

Malware configuration

ims-api

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings