MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 658d8cc670cfd05ce62ccfbde1885db5e5581a658c2fae67b96c01f4fdf6957a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VenomRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 12 File information Comments 1

SHA256 hash:	658d8cc670cfd05ce62ccfbde1885db5e5581a658c2fae67b96c01f4fdf6957a
SHA3-384 hash:	9c5e3fe995535cad84befabd79c56e16664f04b05770d8cbc91c5f8af35602b6037e7eb2e45334caf334cbc0fa98e11b
SHA1 hash:	10cbda77553e4d1441c0d7d81c838dd41307c751
MD5 hash:	a042db8045036de713193f079fe61d6f
humanhash:	monkey-echo-oscar-shade
File name:	a042db8045036de713193f079fe61d6f
Download:	download sample
Signature	VenomRAT Create hunting rule
File size:	75'264 bytes
First seen:	2024-01-17 22:29:49 UTC
Last seen:	2024-01-18 06:10:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	1536:aKUUPcx9FbKHoPCdLR33s3qbQSM0ThEPMwS/eqmmRhdWVH1bfbXyebhSwzUobVcD:aKUmcx9FbKHo6dLR33s3qbQSM0NEPMwk
Threatray	357 similar samples on MalwareBazaar
TLSH	T17F734A003BD88D26F2AD47B9BCB162070EF4D55B2416CE9E3CC454DE5A67BC58A036EA
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	zbetcheckin
Tags:	32 exe VenomRAT

Intelligence

File Origin

# of uploads :

# of downloads :

424

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

a91ab913b292db7d5791d76bcf96303ce16bddcf84e631ba109a0f0c2eb9563b.exe

Verdict:

Malicious activity

Analysis date:

2024-01-17 19:35:14 UTC

Tags:

stealer redline trojan loader asyncrat

Link:

https://app.any.run/tasks/21dcc75b-5e0a-4daa-9558-5b1099ec1902

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/471375/

Detection(s):

Win.Packed.Razy-9807129-0

Win.Malware.Generickdz-9865912-0

Win.Trojan.AsyncRAT-9914220-0

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm configsecuritypolicy evasive hacktool hook keylogger lolbin mpcmdrun msconfig msiexec njrat rat regedit replace schtasks

Link:

https://www.filescan.io/uploads/65a854ef3c61cd5b4251d398/reports/80b9951e-489e-4f3b-b9af-785ad30dae7a/overview

Verdict:

Malicious

Labled as:

Dacic.6C2EA08B.A.Generic

Link:

https://www.hybrid-analysis.com/sample/658d8cc670cfd05ce62ccfbde1885db5e5581a658c2fae67b96c01f4fdf6957a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

ModernLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6b7640f7-c057-47a9-9cf2-1554e7327a55

Result

Threat name:

AsyncRAT, VenomRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1376388

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AsyncRAT

Yara detected VenomRAT

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/658d8cc670cfd05ce62ccfbde1885db5e5581a658c2fae67b96c01f4fdf6957a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/658d8cc670cfd05ce62ccfbde1885db5e5581a658c2fae67b96c01f4fdf6957a/

Threat name:

ByteCode-MSIL.Backdoor.AsyncRAT

Status:

Malicious

First seen:

2024-01-17 19:45:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mwgyzrtqz7ifzzrmz666dcc5wxsvqgtfrqx24z5znqa7j7pwsv5a._file

Verdict:

malicious

VenomRAT

7b7da08ce864f34537071bd1bfcb8e649ce079c518575d1fdf7fc88a63e98afc

VenomRAT

c51113f85313a5ae90aaccae9c7172a96160c5915159fcc7ed390ae3ea416385

VenomRAT

c61be8a80e413a855e38a6269b611f6c4b86718e0e0aea9964772ab11c836a74

VenomRAT

ce438c103a40dbd12f48547c2d8604c947232376f87eadd1a2da3b7bfac28d02

VenomRAT

+ 347 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:default rat

Link:

https://tria.ge/reports/240117-2esqzagdf7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

94.156.66.169:4449

Unpacked files

SH256 hash:

658d8cc670cfd05ce62ccfbde1885db5e5581a658c2fae67b96c01f4fdf6957a

MD5 hash:

a042db8045036de713193f079fe61d6f

SHA1 hash:

10cbda77553e4d1441c0d7d81c838dd41307c751

Detections:

VenomRat

INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Link:

https://www.unpac.me/results/88afc8ff-9219-4525-9e39-c96864ea02c6/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/658d8cc670cf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/658d8cc670cfd05ce62ccfbde1885db5e5581a658c2fae67b96c01f4fdf6957a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice Create hunting rule
Author:	ditekSHen
Description:	Detects executables attemping to enumerate video devices using WMI

Rule name:	MAL_AsnycRAT Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects AsnycRAT based on it's config decryption routine

Rule name:	MAL_AsyncRAT_Config_Decryption Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects AsnycRAT based on it's config decryption routine

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

Rule name:	Windows_Generic_Threat_ce98c4bc Create hunting rule
Author:	Elastic Security

Rule name:	win_asyncrat_unobfuscated Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)