Update 2024-04-22-VenomRAT.md
AntonyN0P authored Aug 25, 2024
1 parent 6c5a945 commit 4ea8d0c
Showing 1 changed file with 5 additions and 4 deletions.
9 changes: 5 additions & 4 deletions _posts/2024-04-22-VenomRAT.md
Expand Up @@ -11,7 +11,8 @@ tags:
- malware
---

#Intro.
##Intro.

In early April, organizations in the Russian Federation (and not only) received letters from an unknown sender. In the contents of the letter, besides wishing a good day and asking to reply “soon”, there was a RAR archive, and inside the archive was a *.bat file

![1](/assets/images/venom_rat/1.png){:class="img-responsive"}
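Review bot: the new heading marker in this hunk still has no space between the hashes and the text (`##Intro.`), so CommonMark and GitHub-flavored Markdown will not render it as a heading; kramdown (Jekyll's default) is lenient here, but `## Intro.` renders correctly everywhere and is the safer form. The trailing period on the heading is also unusual for Markdown headings and is worth dropping while this line is being changed.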
Expand All @@ -24,7 +25,7 @@ However, there were some components of the bat file: obfuscated PowerShell strin

This was enough to start analyzing the content, find IoC's, and see if there were any in the traffic from the organization.

#Analyzing the attachment.
##Analyzing the attachment.

As we have already mentioned, the archive contained a bat file.

Expand All @@ -34,7 +35,7 @@ There are obfuscated functions and encrypted payloads inside, but let's talk abo

![Bat_File_Part2](/assets/images/venom_rat/4.png){:class="img-responsive"}

#Deobfuscation
##Deobfuscation

The first part of the bat script declares the necessary variables in obfuscated form

Expand Down Expand Up @@ -275,7 +276,7 @@ One of the interesting features of the trojan is downloading the Tor browser to
I did not extract and write a decoder for 5 resources. I limited myself to the indicators of compromise that I managed to find during the analysis.


#Conclusion.
##Conclusion.

I managed to study such interesting samples in the beginning of April. A more in-depth analysis (module analysis) of such a malware was performed by the Fortinet team. After the analysis, we can conclude that attackers more often use fileless attacks, various obfuscation techniques, anti-Dbg/anti-Sandbox techniques to successfully conduct an attack, bypass defenses and gain a foothold in the system. I hope this material will be useful and will help in the future when studying similar workloads.
