VenomRAT

VenomRAT (Remote Access Trojan) is a hacking tool that, at first glance, may appear as a legitimate application. The creators of the VenomRAT present this tool as a genuine utility named ‘Venom Software,’ which is meant for surveillance of employees and family members. However, it is clear that this is nothing more than a disguise for a threatening piece of malware.

Users who want to subscribe to the services of the VenomRAT would have to pay $150 per month. The VenomRAT is a malware-as-a-commodity service, which can be purchased from a publicly available Web page. Users who subscribe to the VenomRAT also will receive a step-by-step guide and multiple videos, which outline how one should set up the hacking tools and how to deploy it in an attack. The fact that anyone can get their hands on the VenomRAT and that there are detailed instructions on how to use it, make this Trojan very threatening.

Once the VenomRAT is installed on a targeted host, it will be able to:

• Open hidden Web browser pages.
• Deploy an infostealer module, which collects important files, sensitive data, browser information, etc.
• Deploy a keylogging module used to collect the keystrokes of the victim.
• Establish a hidden remote desktop connection.
• Run remote commands.
• Transfer files between the C&C (Command & Control) server of the attackers and the infected system.
• Use the host’s camera to record video.
• Use the host’s microphone to record audio.

It is clear that the VenomRAT is not a threat we can underestimate. This malware is capable of collecting a wide range of files and data from its targets. Make sure your PC is protected by an up-to-date, trustworthy anti-virus software suite, which will not allow pests like the VenomRAT anywhere near your data and your system.

Table of Contents

Toggle

Analysis Report

General information

Family Name:	Trojan.VenomRat
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: 442c95dc93b58bd987170b6410333c67 SHA1: f33a0db78fa837c877a900e8678c2ec1d2ee93ea SHA256: 36977FDFA8B087164E257C280EAB06711591D56515C8F2F0BB2A58AC79D010DD File Size: 335.36 KB, 335360 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have security information
• File is .NET application
• File is 32-bit executable
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)

Show More

• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Name	Value
Assembly Version	5.0.5.0
File Description	Venom RAT + HVNC
File Version	5.0.5
Internal Name	Client.exe
Legal Copyright	Copyright © 2022
Original Filename	Client.exe
Product Name	Venom
Product Version	5.0.5

File Traits

• .NET
• ntdll
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	132
Potentially Malicious Blocks:	90
Whitelisted Blocks:	39
Unknown Blocks:	3

Visual Map

0 x x 0 0 0 x 0 x x 0 0 x x x x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 x x 0 0 0 x 0 x 0 x x x 0 ? x x x x x x x x x x x x x x ? ? 0 x x x x x x 0 x x x x x x x x x x x x x x x x x x x x x x x x x 0 x x x x x x x x x x x x x 0 x x x x x x x x x x x x

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• MSIL.Agent.F
• MSIL.DllInject.R
• MSIL.DllInject.RE

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Syscall Use	ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateThreadEx Show More ntdll.dll!NtDelayExecution ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenSection ntdll.dll!NtOpenThreadToken ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtReadFile ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWriteFile UNKNOWN
User Data Access	GetUserDefaultLocaleName GetUserObjectInformation
Encryption Used	BCryptOpenAlgorithmProvider