MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26c9a1df0b429d6dfe09dd2bc84a61eada354d0c27959c3f486c8d94c7dbc1f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VenomRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 11 File information Comments 1

SHA256 hash:	26c9a1df0b429d6dfe09dd2bc84a61eada354d0c27959c3f486c8d94c7dbc1f2
SHA3-384 hash:	c85b2b5f5b31eea54354e14814b5425eefc18f08744a26e52837fa9bda4c7271134e0306a0af62ea78038b769609d31e
SHA1 hash:	e5c8542cd384de64dd99b096ffdaa633e8f2edb6
MD5 hash:	74bae7aac1e952c4aacda6e5861bdea5
humanhash:	cola-arizona-salami-batman
File name:	74bae7aac1e952c4aacda6e5861bdea5
Download:	download sample
Signature	VenomRAT Create hunting rule
File size:	75'776 bytes
First seen:	2023-12-11 15:51:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	1536:8UUPcxVteCW7PMVee9VdQuDI6H1bf/64kQzcBLVclN:8UmcxV4x7PMVee9VdQsH1bfS4kQYBY
Threatray	326 similar samples on MalwareBazaar
TLSH	T183734A013BD88D2AF2AE47B9ACF256070EF4D5576112CE5E3CC840DD5A67BC58A037EA
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	zbetcheckin
Tags:	32 exe VenomRAT

Intelligence

File Origin

# of uploads :

# of downloads :

246

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/465589/

Detection(s):

Win.Packed.Razy-9807129-0

Win.Malware.Generickdz-9865912-0

Win.Trojan.AsyncRAT-9914220-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Setting a global event handler for the keyboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm asyncrat configsecuritypolicy evasive hacktool hook keylogger lolbin mpcmdrun msconfig msiexec njrat rat razy regedit replace schtasks

Link:

https://www.filescan.io/uploads/657734f3da3178d99ce18e50/reports/dad8e6cd-9159-4de4-903e-f2fe27efb6d3/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/26c9a1df0b429d6dfe09dd2bc84a61eada354d0c27959c3f486c8d94c7dbc1f2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

ModernLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4bff3dec-c171-4df4-985b-98c0326604f2

Result

Threat name:

AsyncRAT, DcRat, VenomRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1359596

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Yara detected AsyncRAT

Yara detected DcRat

Yara detected VenomRAT

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/26c9a1df0b429d6dfe09dd2bc84a61eada354d0c27959c3f486c8d94c7dbc1f2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/26c9a1df0b429d6dfe09dd2bc84a61eada354d0c27959c3f486c8d94c7dbc1f2/

Threat name:

ByteCode-MSIL.Backdoor.AsyncRAT

Status:

Malicious

First seen:

2023-12-09 07:48:50 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 23 (91.30%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=e3e2dxylikow37qj3uv4qstb5lndktime6kzyp2insgzjr63yhza._file

Verdict:

malicious

VenomRAT

951dbdb3c729d3ea42bb5aa2d2ce9f265d7acb67b170e890365a783a99e24164

VenomRAT

c51113f85313a5ae90aaccae9c7172a96160c5915159fcc7ed390ae3ea416385

VenomRAT

c56c57e77a34895e23a4074201021f516694eef5b917035c375e05390a5a4976

VenomRAT

c61be8a80e413a855e38a6269b611f6c4b86718e0e0aea9964772ab11c836a74

VenomRAT

ce438c103a40dbd12f48547c2d8604c947232376f87eadd1a2da3b7bfac28d02

VenomRAT

+ 316 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:default rat

Link:

https://tria.ge/reports/231211-tjwdnabeer/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

103.161.112.130:4449

Unpacked files

SH256 hash:

26c9a1df0b429d6dfe09dd2bc84a61eada354d0c27959c3f486c8d94c7dbc1f2

MD5 hash:

74bae7aac1e952c4aacda6e5861bdea5

SHA1 hash:

e5c8542cd384de64dd99b096ffdaa633e8f2edb6

Detections:

VenomRat

INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

win_asyncrat_unobfuscated

Link:

https://www.unpac.me/results/d840edbd-e0c1-4db8-9faa-1d2abc31c8f7/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/26c9a1df0b42/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/26c9a1df0b429d6dfe09dd2bc84a61eada354d0c27959c3f486c8d94c7dbc1f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice Create hunting rule
Author:	ditekSHen
Description:	Detects executables attemping to enumerate video devices using WMI

Rule name:	MAL_AsnycRAT Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects AsnycRAT based on it's config decryption routine

Rule name:	MAL_AsyncRAT_Config_Decryption Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects AsnycRAT based on it's config decryption routine

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

Rule name:	win_asyncrat_unobfuscated Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)