MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VenomRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320
SHA3-384 hash: d08d92c2c60346c318b09e5de3196fdd5dcc78fcc60a74b0060bdfd2d125c7385b93ed4ecfc33f25c561a1a5e50a23ab
SHA1 hash: 9c5e5e550e15b4e0e949591488ba72154e13378f
MD5 hash: 7f67c01cf304afa0adf4c3095477ab07
humanhash: asparagus-finch-louisiana-comet
File name:Needed Aircraft PN#_Desc_&_Qty Details.vbs
Download: download sample
Signature VenomRAT
Create hunting rule
File size:93'750 bytes
First seen:2024-12-12 14:27:33 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:M8we4uQyXKFD5cFkWLcaxdYOyhGhRW9w+vcdlziIqzRNBHarEZ+2K:M8z4DOOW4eOFGhRW9wCIzi/8rE42K
Threatray 528 similar samples on MalwareBazaar
TLSH T1309322958B040788BA2613D7F68D8C666172FDB7C400972CCE184DBC5EFA5C9DBE019B
Magika vba
Reporter JAMESWT_WT
Tags:emptyservices-xyz vbs VenomRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675af46ce19061cac7f00333
Tags:
shell virus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive obfuscated powershell
Link:
https://www.filescan.io/uploads/675af2ffd00374fb90e1aa32/reports/0a4062be-3415-4902-8e30-ae7cac6c8935/overview
Verdict:
Malicious
Labled as:
TrojanDropper/BAT.Agent
Link:
https://www.hybrid-analysis.com/sample/051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320
Result
Verdict:
UNKNOWN
Result
Threat name:
AsyncRAT, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1573772
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Malicious sample detected (through community Yara rule)
Performs DNS queries to domains with low reputation
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Register Wscript In Run Key
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected Powershell decode and execute
Yara detected Powershell decrypt and execute
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1573772 Sample: Needed Aircraft PN#_Desc_&_... Startdate: 12/12/2024 Architecture: WINDOWS Score: 100 61 emptyservices.xyz 2->61 65 Sigma detected: Register Wscript In Run Key 2->65 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 73 20 other signatures 2->73 11 wscript.exe 2 2->11         started        15 wscript.exe 1 2->15         started        17 wscript.exe 2->17         started        signatures3 71 Performs DNS queries to domains with low reputation 61->71 process4 file5 55 C:\Users\user\AppData\Local\Temp\system.bat, DOS 11->55 dropped 83 VBScript performs obfuscated calls to suspicious functions 11->83 85 Suspicious powershell command line found 11->85 87 Wscript starts Powershell (via cmd or directly) 11->87 89 2 other signatures 11->89 19 cmd.exe 1 11->19         started        22 powershell.exe 14 15 11->22         started        24 cmd.exe 15->24         started        26 cmd.exe 17->26         started        signatures6 process7 signatures8 75 Suspicious powershell command line found 19->75 77 Wscript starts Powershell (via cmd or directly) 19->77 79 Bypasses PowerShell execution policy 19->79 28 powershell.exe 4 18 19->28         started        31 conhost.exe 19->31         started        33 conhost.exe 22->33         started        35 powershell.exe 24->35         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 powershell.exe 26->42         started        process9 file10 57 C:\Users\user\AppData\...\startup_str_954.vbs, ASCII 28->57 dropped 59 C:\Users\user\AppData\...\startup_str_954.bat, DOS 28->59 dropped 44 wscript.exe 1 28->44         started        81 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 35->81 signatures11 process12 signatures13 91 Wscript starts Powershell (via cmd or directly) 44->91 47 cmd.exe 1 44->47         started        process14 signatures15 93 Suspicious powershell command line found 47->93 95 Wscript starts Powershell (via cmd or directly) 47->95 50 powershell.exe 18 47->50         started        53 conhost.exe 47->53         started        process16 dnsIp17 63 45.88.88.7, 4164, 49758, 49772 LVLT-10753US Bulgaria 50->63
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aun43afyle3y5h7ukvdozq3wmsm7iqmq7ysxc23udf3jwobqqmqa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
1a5910ce3b26031816250a63e0c2d77d14b73aafa45623d01f1d2de9bd46bdbe
VenomRAT
2b350cc0413da0f03e0c900959dac67bb88ad965b8cb4775e452c0f639ff4b7b
VenomRAT
3e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd
VenomRAT
44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e
VenomRAT
a924f18d12acc2fcedcbf6a268715ceee220f82d43e34578e3a25df7123c58e4
VenomRAT
ae4100252450220b4f7d39214d4660894ee149d9c96a885f844f0652283198e9
VenomRAT
c61be8a80e413a855e38a6269b611f6c4b86718e0e0aea9964772ab11c836a74
VenomRAT
ce438c103a40dbd12f48547c2d8604c947232376f87eadd1a2da3b7bfac28d02
VenomRAT
error
VenomRAT
+ 518 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:core i9 omen execution rat
Link:
https://tria.ge/reports/241212-rs1nmaxjdz/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
45.88.88.7:4164
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments