MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 165b528fb02e35b12a59a311102a8bef74ec2f0bf908864fd7fa7ed8f917261e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VenomRAT


Vendor detections: 19



SHA256 hash: 165b528fb02e35b12a59a311102a8bef74ec2f0bf908864fd7fa7ed8f917261e
SHA3-384 hash: 8a1beacafee4ba1d710534af445ed8801c5cc4dd539cf32bcb205aaf8df4658c6c2832c4dbd1e71163d948dbde082aac
SHA1 hash: 3288002e35386ef8d96e2a737e280b6f536f2b1a
MD5 hash: f809bfbbcad332b4c6e9931be72147d5
humanhash: mike-november-mars-high
File name: Request for Quotation_RFQ#3200025006.cmd
Signature: VenomRAT
File size: 1'510'912 bytes
First seen: 2025-11-28 11:14:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:ddUz1tzkBCEAz+ydEow1xIOJ6iwkLs2eqj+YYWNItf7VGqT0/q2JHjC2gKh0ISnx:dOQBC1z+yOownIOJ6KY2eqj+Yzoo/fC/
Threatray: 43 similar samples on MalwareBazaar
TLSH: T1CE6523A112B5C913EDCD27B61EE2E33113B61F6EA813F1218FF9BCAB75196196C08350
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: threatcat_ch
Tags: exe VenomRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 112
Origin country: CH
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Request for Quotation_RFQ#3200025006.cmd
Verdict: Malicious activity
Analysis date: 2025-11-28 11:14:44 UTC
Tags: auto-startup auto-reg telegram remote xworm stealer auto generic ims-api auto-sch-xml

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: autorun shell micro sage
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Sending a custom TCP request
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating a file in the %temp% directory
Launching a process
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context masquerade packed snakekeylogger vbnet
Result
Gathering data
Verdict: Malicious
File Type: exe x32
First seen: 2025-11-27T22:08:00Z UTC
Last seen: 2025-11-28T08:11:00Z UTC
Hits: ~100
Result
Threat name: Dacic, StormKitty, VenomRAT, XWorm, EICAR, XWor
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to log keystrokes (.Net Source)
Disable Windows Defender real time protection (registry)
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Windows Service Tampering
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Uses whoami command line tool to query computer and username
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Dacic
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected VenomRAT
Yara detected XWorm
Behaviour
Behavior Graph (interactive graph rendering not reproduced; the node labels recoverable from it are listed below):
Behavior Graph ID: 1822099
Sample: Request for Quotation_RFQ#3...
Startdate: 28/11/2025
Architecture: WINDOWS
Score: 100
Processes started: Request for Quotation_RFQ#3200025006.cmd.exe (starts a second copy of itself, which in turn starts RegSvcs.exe), chromiuni.exe, tmRZBtg.exe, msxtqy.bat, powershell.exe, schtasks.exe, cmd.exe, timeout.exe, conhost.exe
Network: api.telegram.org (149.154.167.220, port 443, TELEGRAMRU, United Kingdom); 178.16.55.129 (port 4415, DUSNET-ASDE, Germany); ip-api.com (208.95.112.1, port 80, TUT-ASUS, United States); icanhazip.com (104.16.184.241, port 80, CLOUDFLARENETUS, United States); 3 other IPs or domains
Dropped files: C:\Users\user\AppData\Local\Temp\msxtqy.bat (PE32); C:\Users\user\AppData\Roaming\XClient.exe (PE32); C:\Users\user\AppData\...\Protect544cd51a.dll (PE32); C:\Users\user\AppData\Roaming\tmRZBtg.exe (PE32); C:\Users\user\AppData\Local\...\tmp399E.tmp (XML); C:\Users\user\AppData\Local\...\chromiuni.exe (PE32); three ASCII files under C:\Users\user\AppData\... named IGIYTFFYT.docx, TQDFJHPUIU.png and IVQSAOTAQ.docx; Request for Quotat...0025006.cmd.exe.log (ASCII)
Signatures attached to graph nodes are the same as in the Signature list above (Telegram API use, Defender exclusion, PE injection into a foreign process, WMI-based VM detection, WLAN password harvesting, schtasks persistence, netsh firewall changes, crypto-wallet string references, browser credential harvesting).
Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.21 Win 32 Exe x86
Threat name: ByteCode-MSIL.Trojan.SnakeKeylogger
Status: Malicious
First seen: 2025-11-28 02:35:40 UTC
File Type: PE (.Net Exe)
Extracted files: 7
AV detection: 21 of 35 (60.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:asyncrat family:xworm botnet:moneysquad collection discovery execution persistence rat trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Checks computer location settings
Drops startup file
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
Contains code to disable Windows Defender
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
178.16.55.129:6333
178.16.55.129:4415
Unpacked files
SHA256 hash: 165b528fb02e35b12a59a311102a8bef74ec2f0bf908864fd7fa7ed8f917261e
MD5 hash: f809bfbbcad332b4c6e9931be72147d5
SHA1 hash: 3288002e35386ef8d96e2a737e280b6f536f2b1a

SHA256 hash: c595a47c7d9a4646cb84a060e63617c75a70571858bbf01f456b44aff42e775d
MD5 hash: 7641b8f85c854544783bcb64069d2278
SHA1 hash: c52cbb75c57a350e59ea8d37d00765d0a1a89c5e
Detections: AutoIT_Compiled

SHA256 hash: 5607381090f266a74cd70b33ba8e30e10c937d2df15ce91f3eacab573310383b
MD5 hash: 7d2e757a11789da1f83b9ef465605500
SHA1 hash: e38532001e993b3178f4ac47322e16d502135a3b
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 9009f46e55ce227956514cf10b1f675a0a4ad2007dfcd37c39cfe34f82bdbfe9
MD5 hash: ce4abc7926b950eb170c26449ea15403
SHA1 hash: a9f35afb3bb59f4dc118530a634fbb0035c36036
Detections: win_xworm_a0 win_xworm_w0 XWorm win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_TelegramChatBot INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
VenomRAT: Executable exe 165b528fb02e35b12a59a311102a8bef74ec2f0bf908864fd7fa7ed8f917261e (this sample)

Delivery method: Distributed via e-mail attachment

Comments