MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VenomRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6
SHA3-384 hash: 8c109247a527f1da0d33ddb6c76f62fde0766b706b7a1c9ad040e756bae28d0354b8ee9d3a5a8f184c0c3bb29650e9bc
SHA1 hash: 539298c574b25b70379fccd8c47c3dbee5184877
MD5 hash: ab631b79a8f6cc0f48e17765c33c8fee
humanhash: quiet-burger-jupiter-tango
File name:Round Trip Itinerary details.vbs
Download: download sample
Signature VenomRAT
Create hunting rule
File size:80'788 bytes
First seen:2024-12-12 14:24:27 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:rtYq5Mv5eaBf+kvAQKCidRC0Xe6Tw/LP5KU52t+gN4:lmRea3vAWGOyZsu4
Threatray 429 similar samples on MalwareBazaar
TLSH T1A683CFF42F18CBDDB72121E7B7B0DD125A29CDBACC60537F865A8A385DB152813B44A3
Magika vba
Reporter JAMESWT_WT
Tags:AsyncRAT emptyservices-xyz vbs VenomRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675af44ce19061cac7f0029f
Tags:
shell virus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive obfuscated powershell
Link:
https://www.filescan.io/uploads/675af24d3e4895d844766b13/reports/ee896d4b-43c9-4df3-8476-038b83652cbe/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1573756
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Performs DNS queries to domains with low reputation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Register Wscript In Run Key
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell decrypt and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1573756 Sample: Round Trip Itinerary details.vbs Startdate: 12/12/2024 Architecture: WINDOWS Score: 100 68 emptyservices.xyz 2->68 76 Sigma detected: Register Wscript In Run Key 2->76 78 Antivirus detection for URL or domain 2->78 80 Antivirus detection for dropped file 2->80 84 8 other signatures 2->84 11 wscript.exe 2 2->11         started        15 wscript.exe 2->15         started        17 wscript.exe 1 2->17         started        signatures3 82 Performs DNS queries to domains with low reputation 68->82 process4 file5 60 C:\Users\user\AppData\Local\Temp\system.bat, DOS 11->60 dropped 90 VBScript performs obfuscated calls to suspicious functions 11->90 92 Suspicious powershell command line found 11->92 94 Wscript starts Powershell (via cmd or directly) 11->94 96 2 other signatures 11->96 19 cmd.exe 1 11->19         started        22 powershell.exe 14 15 11->22         started        24 cmd.exe 15->24         started        26 cmd.exe 17->26         started        signatures6 process7 signatures8 86 Suspicious powershell command line found 19->86 88 Wscript starts Powershell (via cmd or directly) 19->88 28 powershell.exe 4 31 19->28         started        31 conhost.exe 19->31         started        33 cmd.exe 1 19->33         started        35 conhost.exe 22->35         started        37 powershell.exe 24->37         started        45 2 other processes 24->45 39 conhost.exe 26->39         started        41 cmd.exe 26->41         started        43 powershell.exe 26->43         started        process9 file10 62 C:\Users\user\AppData\...\Windows_Log_317.vbs, ASCII 28->62 dropped 64 C:\Users\user\AppData\...\Windows_Log_317.bat, DOS 28->64 dropped 47 wscript.exe 1 28->47         started        66 \Device\ConDrv, ASCII 37->66 dropped process11 signatures12 98 Wscript starts Powershell (via cmd or directly) 47->98 50 cmd.exe 1 47->50         started        process13 signatures14 72 Suspicious powershell command line found 50->72 74 Wscript starts Powershell (via cmd or directly) 50->74 53 powershell.exe 27 50->53         started        56 conhost.exe 50->56         started        58 cmd.exe 1 50->58         started        process15 dnsIp16 70 45.149.241.239, 1978, 49706, 49718 UUNETUS Germany 53->70
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6/
Threat name:
Script-WScript.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2024-11-26 01:36:04 UTC
File Type:
Text (VBS)
AV detection:
5 of 38 (13.16%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jg2dvcy6b4k36lnzj4zkuyt52s47z5gunrtjmjvevj2ggjiz3da._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320
VenomRAT
1a5910ce3b26031816250a63e0c2d77d14b73aafa45623d01f1d2de9bd46bdbe
VenomRAT
3e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd
VenomRAT
6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663
VenomRAT
6d09d43c755d5081924748104ac487afadaf68add75d85feb2a256de032a5e2c
VenomRAT
6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff
VenomRAT
9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e
VenomRAT
9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2
VenomRAT
a678475627246ac2716b5618ec5010e67660ab4441367bee23de473449d98c11
VenomRAT
error
VenomRAT
+ 419 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default execution rat
Link:
https://tria.ge/reports/241212-rq9thsynhj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
45.149.241.239:1978
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments