MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c0de2b5e95f5cddb78d767a2acf295088b1c11a9843d89b37d33bb646fbebf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VantaRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash: 0c0de2b5e95f5cddb78d767a2acf295088b1c11a9843d89b37d33bb646fbebf4
SHA3-384 hash: 6833928e117d2398b84cd741d268aa32a8f6a17051358896dc14075ca412171540facb40aa16a9f393c2d446673d9cb4
SHA1 hash: 467753ab0e90a99399b4dc9dab3543b1e17cb37d
MD5 hash: 7a2cca7b79606f125755ae7a28a53ae2
humanhash: idaho-oxygen-lion-snake
File name:WindowsUpdate1.bat
Download: download sample
Signature VantaRAT
File size:62'342 bytes
First seen:2026-06-16 11:58:01 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 768:nkCPd1Yg4FIqHE4nG/6zXi5nrXKYCdBHu1rlArK/K+33DhyaHQw:kCgnBG/QIrXKYYudCrgTFya7
TLSH T19253F47218C9311C04F699A90B606493572DC9ECEF9BD7FF76264AC1C92EB87FD20864
Magika batch
Reporter abuse_ch
Tags:bat RAT VantaRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
92
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
BatchScript
Details
Malware family:
n/a
ID:
1
File name:
WindowsUpdate1.bat
Verdict:
Malicious activity
Analysis date:
2026-06-15 16:33:12 UTC
Tags:
ip-check evasion stealer python pyinstaller openssl tool

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
emotet extens shell sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a process
Creating a file in the %temp% directory
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Running batch commands
Loading a suspicious library
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug crypto encrypted expand lolbin powershell reconnaissance
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-06-15T13:53:00Z UTC
Last seen:
2026-06-16T23:41:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-PSW.Python.Agent.gen HEUR:Backdoor.Python.Agent.gen PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Alien.gen HEUR:Trojan.Python.Tpyc.i HEUR:Trojan.Python.Rodico.gen HEUR:Trojan.Python.Pytr.bi
Result
Threat name:
Discord Token Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to infect the boot sector
Joe Sandbox ML detected suspicious sample
Powershell drops PE file
Sigma detected: Suspicious PowerShell Parameter Substring
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Discord Token Stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1928718 Sample: WindowsUpdate1.bat Startdate: 16/06/2026 Architecture: WINDOWS Score: 92 47 vanta.st 2->47 49 icanhazip.com 2->49 51 api.ipify.org 2->51 61 Antivirus detection for URL or domain 2->61 63 Yara detected Discord Token Stealer 2->63 65 Sigma detected: Suspicious PowerShell Parameter Substring 2->65 67 Joe Sandbox ML detected suspicious sample 2->67 11 cmd.exe 1 2->11         started        signatures3 process4 signatures5 73 Bypasses PowerShell execution policy 11->73 14 powershell.exe 14 25 11->14         started        19 conhost.exe 11->19         started        process6 dnsIp7 57 vanta.st 185.178.208.158, 443, 49692, 49697 DDOS-GUARDRU Russia 14->57 43 C:\Users\user\AppData\Local\...\o1ciur.exe, PE32+ 14->43 dropped 45 C:\Users\user\AppData\Local\...\SPZbM8.exe, PE32+ 14->45 dropped 59 Powershell drops PE file 14->59 21 o1ciur.exe 239 14->21         started        25 conhost.exe 14->25         started        file8 signatures9 process10 file11 35 C:\Users\user\...\_yaml.cp310-win_amd64.pyd, PE32+ 21->35 dropped 37 C:\Users\user\AppData\Local\...\shell.pyd, PE32+ 21->37 dropped 39 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 21->39 dropped 41 154 other malicious files 21->41 dropped 69 Antivirus detection for dropped file 21->69 71 Contains functionality to infect the boot sector 21->71 27 o1ciur.exe 1 3 21->27         started        signatures12 process13 dnsIp14 53 icanhazip.com 104.16.185.241, 443, 49700, 49703 CLOUDFLARENET-CloudflareIncUS Canada 27->53 55 api.ipify.org 172.67.74.152, 443, 49699, 49702 CLOUDFLARENET-CloudflareIncUS Canada 27->55 75 Tries to harvest and steal browser information (history, passwords, etc) 27->75 77 Tries to steal Crypto Currency Wallets 27->77 31 cmd.exe 1 27->31         started        signatures15 process16 process17 33 conhost.exe 31->33         started       
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2026-06-15 16:33:16 UTC
File Type:
Text (Batch)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access execution spyware stealer
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Badlisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAT_Chunked_Payload_SetEnv
Author:marcin@ulikowski.pl
Description:Detects batch script storing chunks of payload in random environment variables
Rule name:obfuscated_BAT
Author:@warz_s
Description:Identifies obfuscated BAT files
Reference:https://github.com/secwarz/YaraRules

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments