MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VenomRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2
SHA3-384 hash: 4523240d07b37d16f90d278e5291306ae6b62ed831bfaa5cc7473e56f9dea27f0c223c13731ce418b59e961fbaefcbd2
SHA1 hash: 4e5ad3c3ed1e8871abfd8d0f8466b3ddbc521be0
MD5 hash: c0e2ce250c4979a59970d22fd99f340f
humanhash: white-comet-asparagus-bacon
File name:List of Required PN#_Desc_&_Qty Details.vbs
Download: download sample
Signature VenomRAT
Create hunting rule
File size:80'994 bytes
First seen:2024-12-12 14:25:28 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:lcX2qy9/TpzprFm7xcGhX4y7t3t+JlpbebTQOsod:lcX2pl+HhXVxqild
TLSH T1E283B0F18F594BEDF72161E3F2F4DC0A892CDEB6D808536CC90ADE694EB015802A45B3
Magika vba
Reporter JAMESWT_WT
Tags:AsyncRAT emptyservices-xyz vbs VenomRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675af45ae19061cac7f002e3
Tags:
virus shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive obfuscated persistence powershell
Link:
https://www.filescan.io/uploads/675af28ad00374fb90e1a9d9/reports/5d93a755-1f16-4b39-8146-ad872dca5297/overview
Verdict:
Malicious
Labled as:
BAT/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1573761
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates multiple autostart registry keys
Performs DNS queries to domains with low reputation
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Register Wscript In Run Key
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell decrypt and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1573761 Sample: List of Required PN#_Desc_&... Startdate: 12/12/2024 Architecture: WINDOWS Score: 100 103 emptyservices.xyz 2->103 107 Sigma detected: Register Wscript In Run Key 2->107 109 Antivirus detection for URL or domain 2->109 111 Antivirus detection for dropped file 2->111 115 9 other signatures 2->115 11 wscript.exe 1 2 2->11         started        14 cmd.exe 2->14         started        16 cmd.exe 2->16         started        18 6 other processes 2->18 signatures3 113 Performs DNS queries to domains with low reputation 103->113 process4 signatures5 131 VBScript performs obfuscated calls to suspicious functions 11->131 133 Suspicious powershell command line found 11->133 135 Wscript starts Powershell (via cmd or directly) 11->135 137 3 other signatures 11->137 20 cmd.exe 1 11->20         started        23 powershell.exe 14 15 11->23         started        25 powershell.exe 14->25         started        34 2 other processes 14->34 28 powershell.exe 16->28         started        36 2 other processes 16->36 30 cmd.exe 18->30         started        32 cmd.exe 18->32         started        38 4 other processes 18->38 process6 file7 121 Suspicious powershell command line found 20->121 123 Wscript starts Powershell (via cmd or directly) 20->123 40 powershell.exe 4 31 20->40         started        52 2 other processes 20->52 44 conhost.exe 23->44         started        95 C:\Users\user\AppData\...\Windows_Log_514.vbs, ASCII 25->95 dropped 97 C:\Users\user\AppData\...\Windows_Log_514.bat, DOS 25->97 dropped 125 Creates multiple autostart registry keys 25->125 46 wscript.exe 25->46         started        99 C:\Users\user\AppData\...\Windows_Log_395.vbs, ASCII 28->99 dropped 101 C:\Users\user\AppData\...\Windows_Log_395.bat, DOS 28->101 dropped 48 wscript.exe 28->48         started        50 powershell.exe 30->50         started        54 2 other processes 30->54 56 3 other processes 32->56 58 12 other processes 38->58 signatures8 process9 file10 89 C:\Users\user\AppData\...\Windows_Log_116.vbs, ASCII 40->89 dropped 91 C:\Users\user\AppData\...\Windows_Log_116.bat, DOS 40->91 dropped 127 Creates multiple autostart registry keys 40->127 60 wscript.exe 1 40->60         started        129 Wscript starts Powershell (via cmd or directly) 46->129 63 cmd.exe 46->63         started        65 cmd.exe 48->65         started        93 \Device\ConDrv, ASCII 50->93 dropped signatures11 process12 signatures13 139 Wscript starts Powershell (via cmd or directly) 60->139 67 cmd.exe 1 60->67         started        141 Suspicious powershell command line found 63->141 70 conhost.exe 63->70         started        72 cmd.exe 63->72         started        74 powershell.exe 63->74         started        76 conhost.exe 65->76         started        78 cmd.exe 65->78         started        80 powershell.exe 65->80         started        process14 signatures15 117 Suspicious powershell command line found 67->117 119 Wscript starts Powershell (via cmd or directly) 67->119 82 powershell.exe 67->82         started        85 conhost.exe 67->85         started        87 cmd.exe 1 67->87         started        process16 dnsIp17 105 45.88.88.7, 4164, 49815, 49831 LVLT-10753US Bulgaria 82->105
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2/
Threat name:
Script-WScript.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2024-11-26 19:50:57 UTC
File Type:
Text (VBS)
AV detection:
7 of 38 (18.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t4hhbxanz7cm7ww5dywrzfty5ue2hzgy5mwhilsfjoh6ayswu7ra._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:omen core i9 execution persistence rat
Link:
https://tria.ge/reports/241212-rrve8aypar/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
45.88.88.7:4164
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments