MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d8a948214daf64f3b0b9b894ee8b18dbf9164e54238d8ef88f9372cd03ce3ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VenomRAT


Vendor detections: 14



SHA256 hash: 1d8a948214daf64f3b0b9b894ee8b18dbf9164e54238d8ef88f9372cd03ce3ce
SHA3-384 hash: 411156566fc09bcd3da130781e79b28f97735704b4e478fee5467229a3a2b7e301c607ef44c64c5898ab9d507796357e
SHA1 hash: 5ea6fd8795e4220944c96d6e4ba15e60791d35f2
MD5 hash: 5d1445e254cafe142dbfb9be9c10c4d5
humanhash: winner-red-twelve-papa
File name: KL_软件安装.exe
Signature: VenomRAT
File size: 18'410'601 bytes
First seen: 2025-05-21 19:58:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: efd455830ba918de67076b7c65d86586 (59 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep: 393216:TKxF9GldbZeG+dmM+L1k2rT8WAwaYOhmWOPKMS3Bz:+F0llkCSA1AwaYOhmbP5S3Bz
TLSH: T1DC073323A2CB613FF0BE4A36497AD362553BBA6169138C5797E8086CCF251D12C3F647
TrID: 62.3% (.EXE) Inno Setup installer (107240/4/30)
24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
dhash icon: d0e0f86cf4dcdccc (4 x ValleyRAT, 1 x AsyncRAT, 1 x VenomRAT)
Reporter: aachum
Tags: AsyncRAT exe purecrypter PureLogs


iamaachum
https://www.letsvpnto.com/ => https://www.letsvpnto.com/Windows.zip

Intelligence


File Origin
# of uploads: 1
# of downloads: 493
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: KL_软件安装.exe
Verdict: Malicious activity
Analysis date: 2025-05-21 20:02:12 UTC
Tags: purelogs purecrypter stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: dropper shell virus
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Moving a recently created file
Creating a file in the %AppData% directory
Moving a file to the %AppData% directory
Running batch commands
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching a process
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
Connection attempt
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: embarcadero_delphi fingerprint installer invalid-signature overlay overlay packed signed
Result
Threat name:
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 72 / 100
Signature
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the DNS server
Modifies the windows firewall
Performs a network lookup / discovery via ARP
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Yara detected DcRat
Behaviour
Behavior Graph: ID 1696275, Sample: KL_#U8f6f#U4ef6#U5b89#U88c5.exe, Startdate: 21/05/2025, Architecture: WINDOWS, Score: 72 (interactive process graph not reproduced here)
Threat name: Win32.Worm.Chir
Status: Malicious
First seen: 2025-05-21 19:59:18 UTC
File Type: PE (Exe)
AV detection: 12 of 24 (50.00%)
Threat level: 5/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat defense_evasion discovery execution persistence privilege_escalation rat
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Gathers network information
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Network Service Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Modifies Windows Firewall
Async RAT payload
AsyncRat
Asyncrat family
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: AcRat
Author: Nikos 'n0t' Totosis
Description: AcRat Payload (based on AsyncRat)
Rule name: Borland
Author: malware-lu
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: HUNTING_SUSP_TLS_SECTION
Author: chaosphere
Description: Detect PE files with .tls section that can be used for anti-debugging
Reference: Practical Malware Analysis - Chapter 16
Rule name: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Author: ditekSHen
Description: Detects executables attempting to enumerate video devices using WMI
Rule name: MAL_AsnycRAT
Author: SECUINFRA Falcon Team
Description: Detects AsyncRAT based on its config decryption routine
Rule name: MAL_AsyncRAT_Config_Decryption
Author: SECUINFRA Falcon Team
Description: Detects AsyncRAT based on its config decryption routine
Rule name: Multifamily_RAT_Detection
Author: Lucas Acha (http://www.lukeacha.com)
Description: Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_DOTNET_PE_List_AV
Author: SECUINFRA Falcon Team
Description: Detects .NET Binary that lists installed AVs
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: Windows_Generic_Threat_ce98c4bc
Author: Elastic Security
Rule name: Windows_Trojan_Donutloader_f40e3759
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
VenomRAT | Executable exe 1d8a948214daf64f3b0b9b894ee8b18dbf9164e54238d8ef88f9372cd03ce3ce (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | advapi32.dll::AllocateAndInitializeSid, advapi32.dll::ConvertSidToStringSidW, advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW, advapi32.dll::EqualSid, advapi32.dll::FreeSid
SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges, advapi32.dll::GetTokenInformation
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateProcessW, advapi32.dll::OpenProcessToken, advapi32.dll::OpenThreadToken, kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA, kernel32.dll::LoadLibraryExW, kernel32.dll::LoadLibraryW, kernel32.dll::GetDriveTypeW, kernel32.dll::GetVolumeInformationW, kernel32.dll::GetSystemInfo
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryW, kernel32.dll::CreateFileW, kernel32.dll::DeleteFileW, kernel32.dll::GetWindowsDirectoryW, kernel32.dll::GetSystemDirectoryW, kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API | Retrieves Account Information | advapi32.dll::LookupPrivilegeValueW
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExW, advapi32.dll::RegQueryValueExW
WIN_USER_API | Performs GUI Actions | user32.dll::PeekMessageW, user32.dll::CreateWindowExW
