MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VenomRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff
SHA3-384 hash: 72ecc7fa4ba49173743cd8ea6b1fad45639c746b393ca6a3765d00679a6456ad3fbd467f5942b2bba4ddc45f8715f2ce
SHA1 hash: 8789f00e533da9b0a8bd380b9264cfaefe8ff7bc
MD5 hash: 870907ad00a8f53e022f042c92727d34
humanhash: white-enemy-quiet-spaghetti
File name:Turbo Generator_Pictures & Drawing.vbs
Download: download sample
Signature VenomRAT
Create hunting rule
File size:80'828 bytes
First seen:2024-12-12 14:26:12 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:KbiY5vZc5xg80mnBAH5JQGnDc3GiXs/P0Uese0A+giS5+p:giUvQYONp3Gi8/PW0Ats
Threatray 423 similar samples on MalwareBazaar
TLSH T1AA83C0B00F390788B7613BB7F7C69D823566CCF3998ACB61D4498B794EB812976E4013
Magika vba
Reporter JAMESWT_WT
Tags:AsyncRAT emptyservices-xyz vbs VenomRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675af4624bc1eb3cc1ef284c
Tags:
shell virus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive obfuscated powershell
Link:
https://www.filescan.io/uploads/675af2c7f17960099adc83c0/reports/b3c25ff3-dd3f-4620-a419-6d8e809b0c8e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1573770
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Performs DNS queries to domains with low reputation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Register Wscript In Run Key
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell decrypt and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1573770 Sample: Turbo Generator_Pictures & ... Startdate: 12/12/2024 Architecture: WINDOWS Score: 100 68 emptyservices.xyz 2->68 76 Sigma detected: Register Wscript In Run Key 2->76 78 Antivirus detection for dropped file 2->78 80 Yara detected Powershell decrypt and execute 2->80 84 7 other signatures 2->84 11 wscript.exe 2 2->11         started        15 wscript.exe 2->15         started        17 wscript.exe 1 2->17         started        signatures3 82 Performs DNS queries to domains with low reputation 68->82 process4 file5 60 C:\Users\user\AppData\Local\Temp\system.bat, DOS 11->60 dropped 90 VBScript performs obfuscated calls to suspicious functions 11->90 92 Suspicious powershell command line found 11->92 94 Wscript starts Powershell (via cmd or directly) 11->94 96 2 other signatures 11->96 19 cmd.exe 1 11->19         started        22 powershell.exe 14 15 11->22         started        24 cmd.exe 15->24         started        26 cmd.exe 1 17->26         started        signatures6 process7 signatures8 86 Suspicious powershell command line found 19->86 88 Wscript starts Powershell (via cmd or directly) 19->88 28 powershell.exe 4 31 19->28         started        31 conhost.exe 19->31         started        33 cmd.exe 1 19->33         started        35 conhost.exe 22->35         started        37 powershell.exe 24->37         started        39 conhost.exe 24->39         started        41 cmd.exe 1 24->41         started        43 conhost.exe 26->43         started        45 2 other processes 26->45 process9 file10 62 C:\Users\user\AppData\...\Windows_Log_663.vbs, ASCII 28->62 dropped 64 C:\Users\user\AppData\...\Windows_Log_663.bat, DOS 28->64 dropped 47 wscript.exe 1 28->47         started        66 \Device\ConDrv, ASCII 37->66 dropped process11 signatures12 98 Wscript starts Powershell (via cmd or directly) 47->98 50 cmd.exe 1 47->50         started        process13 signatures14 72 Suspicious powershell command line found 50->72 74 Wscript starts Powershell (via cmd or directly) 50->74 53 powershell.exe 50->53         started        56 conhost.exe 50->56         started        58 cmd.exe 1 50->58         started        process15 dnsIp16 70 45.88.88.7, 4675, 49822, 49882 LVLT-10753US Bulgaria 53->70
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nxnybvpwokqtf5c7tiarjvdfvi23w7j3ggwkkrz3iktrotvqdd7q._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320
VenomRAT
1a5910ce3b26031816250a63e0c2d77d14b73aafa45623d01f1d2de9bd46bdbe
VenomRAT
3e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd
VenomRAT
6d09d43c755d5081924748104ac487afadaf68add75d85feb2a256de032a5e2c
VenomRAT
9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e
VenomRAT
a678475627246ac2716b5618ec5010e67660ab4441367bee23de473449d98c11
VenomRAT
c61be8a80e413a855e38a6269b611f6c4b86718e0e0aea9964772ab11c836a74
VenomRAT
ce438c103a40dbd12f48547c2d8604c947232376f87eadd1a2da3b7bfac28d02
VenomRAT
error
VenomRAT
+ 413 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:hp elite execution rat
Link:
https://tria.ge/reports/241212-rseq6axjcs/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
45.88.88.7:4675
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AsyncRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments