MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d25076b0cf8d493bd252bcfdee87c9ec9e23ddb814cfc671e3e80d31e2bf6f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VenomRAT
Vendor detections: 13

SHA256 hash: 6d25076b0cf8d493bd252bcfdee87c9ec9e23ddb814cfc671e3e80d31e2bf6f8
SHA3-384 hash: 74eb06747a59d5b6b33a08cf653e97ebcf57f09a2b95b42c4598693f67060ed6019c738ee108e4c9b68111ab712d95c4
SHA1 hash: 6789610dd85bbac6f0a3cb907abcfd9b50a3554a
MD5 hash: 198805306d17118fa6bd5f8444007622
humanhash: nebraska-oscar-nine-fix
File name: 198805306d17118fa6bd5f8444007622.exe
Signature: VenomRAT
File size: 1'510'400 bytes
First seen: 2026-05-02 07:15:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: df32d3df09d23b38aec4581fe99b70ad (1 x VenomRAT)
ssdeep: 24576:6U41mYEttAKuQ0OhrxbM/tCDseCgA+2lOxhg8kcNx:6UNYOAKuQ0O91M/tCDcgA+2lOx+8ke
TLSH: T1CB657B16B6F801F9E0B7C238C9939506EB72BC664770E75F139056475F237A0AE3AB21
TrID: 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
      28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      11.5% (.EXE) OS/2 Executable (generic) (2029/13)
      11.3% (.EXE) Generic Win/DOS Executable (2002/3)
      11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika: pebin
dhash icon: 6563bbd756505099 (10 x ValleyRAT, 1 x VenomRAT)
Reporter: abuse_ch
Tags: exe VenomRAT
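Before analysing a copy of this file, confirm it is the object this entry describes rather than a re-packed or partially downloaded one. The Python below is an added example, not code from MalwareBazaar or abuse.ch: it hashes a file in one pass with the four algorithms the entry lists and reports which digests agree with the values above. The digests in KNOWN are copied from this page (hashlib's sha3_384 corresponds to the SHA3-384 line); everything else, including the chunk size, is an assumption.

```python
import hashlib
from typing import Dict, Iterable, Set

# Digests copied from this MalwareBazaar entry; keys are hashlib algorithm names.
KNOWN: Dict[str, str] = {
    "md5": "198805306d17118fa6bd5f8444007622",
    "sha1": "6789610dd85bbac6f0a3cb907abcfd9b50a3554a",
    "sha256": "6d25076b0cf8d493bd252bcfdee87c9ec9e23ddb814cfc671e3e80d31e2bf6f8",
    "sha3_384": "74eb06747a59d5b6b33a08cf653e97ebcf57f09a2b95b42c4598693f67060ed6019c738ee108e4c9b68111ab712d95c4",
}


def digest_stream(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to all four hashers, so the input is read only once."""
    hashers = {name: hashlib.new(name) for name in KNOWN}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file on disk in 1 MiB chunks (assumed size) so large samples need not fit in memory."""
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(chunk_size), b""))


def matching_algorithms(digests: Dict[str, str], known: Dict[str, str] = KNOWN) -> Set[str]:
    """Algorithms whose digest equals the entry's value.

    A genuine copy matches on every algorithm. An empty set is a different file.
    A partial match means a transcription error somewhere (the page, your notes,
    or the download) and must be treated as "not verified", never as a match.
    """
    return {name for name, value in digests.items() if known.get(name) == value.lower()}


def is_this_sample(path: str) -> bool:
    return matching_algorithms(digest_file(path)) == set(KNOWN)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "verified" if is_this_sample(p) else "does NOT match this entry")
```

Run it against the extracted file from the password-protected download; a mismatch on any single algorithm is a reason to re-download, not to proceed.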


abuse_ch
VenomRAT C2:
137.220.225.117:22011

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox reference
137.220.225.117:22011   https://threatfox.abuse.ch/ioc/1804670/
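With the C2 endpoint in hand, the first practical step is usually a sweep of existing firewall and proxy logs. The Python below is an added example and is not part of MalwareBazaar or ThreatFox. It carries the ThreatFox IOC above plus the second endpoint, 137.220.225.21:7878, that the Joe Sandbox run further down this page recorded for the dropped 00420dca.exe, parses two common log shapes (key=value firewall lines and bare ip:port tokens), and separates exact IP:port hits from IP-only hits, since a port mismatch on the same host is weaker evidence. The log lines are constructed for the example; 198.51.100.0/24 is a documentation range.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Endpoints this page attributes to the sample: the ThreatFox IOC above, plus the
# second endpoint the Joe Sandbox run below saw the dropped 00420dca.exe contact.
C2: Set[Tuple[str, int]] = {("137.220.225.117", 22011), ("137.220.225.21", 7878)}
C2_IPS: Set[str] = {ip for ip, _ in C2}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
KV_RE = re.compile(r"\bdst=" + IPV4 + r"\b.*?\bdpt=(\d{1,5})\b")  # firewall key=value style
PAIR_RE = re.compile(r"\b" + IPV4 + r":(\d{1,5})\b")              # bare "ip:port" style


def endpoints(line: str) -> List[Tuple[str, int]]:
    """Every (ip, port) pair a log line mentions, in either format."""
    pairs = KV_RE.findall(line) + PAIR_RE.findall(line)
    return [(ip, int(port)) for ip, port in pairs]


def scan(lines: Iterable[str]) -> Dict[str, List[int]]:
    """Return 1-based line numbers grouped by confidence.

    exact:   IP and port both match a listed C2 endpoint.
    ip_only: the IP matches but the port does not; the host may be reused
             infrastructure, so confirm before acting on it.
    """
    hits: Dict[str, List[int]] = {"exact": [], "ip_only": []}
    for n, line in enumerate(lines, start=1):
        eps = endpoints(line)
        if any(ep in C2 for ep in eps):
            hits["exact"].append(n)
        elif any(ip in C2_IPS for ip, _ in eps):
            hits["ip_only"].append(n)
    return hits


# Constructed log lines (not real traffic); 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    "2026-05-02T07:20:11Z fw src=10.0.0.5 dst=198.51.100.20 dpt=443 proto=tcp action=allow",
    "2026-05-02T07:20:14Z fw src=10.0.0.5 dst=137.220.225.117 dpt=22011 proto=tcp action=allow",
    "2026-05-02T07:21:02Z proxy 10.0.0.5 -> 137.220.225.21:7878 CONNECT",
    "2026-05-02T07:21:40Z fw src=10.0.0.5 dst=137.220.225.117 dpt=443 proto=tcp action=allow",
    "2026-05-02T07:22:00Z fw src=10.0.0.5 dst=198.51.100.7 dpt=22011 proto=tcp action=allow",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # {'exact': [2, 3], 'ip_only': [4]}
```

The port-only line (22011 to an unrelated host) is deliberately not reported: VenomRAT operators pick arbitrary ports, so a port on its own carries no signal.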

Intelligence


File Origin
# of uploads: 1
# of downloads: 118
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: _6d25076b0cf8d493bd252bcfdee87c9ec9e23ddb814cfc671e3e80d31e2bf6f8.exe
Verdict: Malicious activity
Analysis date: 2026-05-02 07:16:59 UTC
Tags: gofly64-sys vuln-driver

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Restart of the analyzed sample
Creating a file in the %temp% directory
DNS request
Creating a service
Launching a service
Loading a system driver
Setting a prohibition to launch some applications
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file
Launching a process
Creating a process from a recently created file
Launching the process to change the firewall settings
Creating synchronization primitives
Enabling autorun for a service
Firewall traversal
Forced shutdown of a system process
Blocking the Windows Defender launch
Blocking the Windows Security Center notifications
Blocking the User Account Control
Prohibiting to launch files
Disabling the operating system update service
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm base64 cmd crypter evasive exploit explorer fingerprint installer-heuristic lolbin microsoft_visual_cc netsh
Result
Verdict: Malicious
File Type: exe x64
First seen: 2026-04-28T22:37:00Z UTC
Last seen: 2026-04-29T00:58:00Z UTC
Hits: ~100
Detections: HEUR:Trojan.Win32.Generic, HEUR:Trojan.MSIL.Agent.gen, Backdoor.MSIL.VenomRAT.a, Backdoor.Agent.TCP.C&C, Trojan.Win32.PostWorker.sb, Trojan.Win32.PostWorker.qf, Trojan.MSIL.DInvoke.sb, Trojan.MSIL.BypassUAC.byg, HEUR:Trojan-PSW.MSIL.Agent.gen, Backdoor.MSIL.Crysan.sb, PDM:Trojan.Win32.Generic, Backdoor.Xkcp.TCP.ServerRequest, Trojan.Win32.Agent.sb, Trojan.MSIL.BypassUAC.sb, Trojan-Dropper.Win32.Agent.sb
Result
Threat name: Dacic, Metasploit, ValleyRAT, VenomRAT
Detection: malicious
Classification: troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Contains functionality to modify Windows User Account Control (UAC) settings
Disable UAC(promptonsecuredesktop)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disable Windows Defender Security Center Settings (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Disables Windows Defender Tamper protection
Disables Windows system restore
Forces installed software to run under restricted privileges
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies security policies related information
Modifies the hosts file
Modifies the windows firewall
Modifies Windows Defender signatures updates days
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Sample is not signed and drops a device driver
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Yara detected Dacic
Yara detected MetasploitPayload
Yara detected UAC Bypass using CMSTP
Yara detected ValleyRAT
Yara detected VenomRAT
Behaviour
Behavior Graph (ID 1907599; sample DNG2urqytp.exe; start date 02/05/2026; architecture WINDOWS; score 100). The graph is an image on the page; the node data it carries is summarised below.

Network:
- 137.220.225.117:22011 (BCPL-SGBGPNETGlobalASNSG, Singapore), contacted by fi_info.exe
- 137.220.225.21:7878 (BCPL-SGBGPNETGlobalASNSG, Singapore), contacted by the dropped 00420dca.exe ("Antivirus detection for dropped file")
- google.com, shed.dual-low.part-0012.t-0009.t-msedge.net, part-0012.t-0009.t-msedge.net, and 2 other IPs or domains

Dropped files:
- C:\Windows\Temp\drv_GoFly.sys, PE32+ (dropped by svchost.exe; "Benign windows process drops PE files", "Sample is not signed and drops a device driver", "Disables Windows Defender Tamper protection", "Forces installed software to run under restricted privileges")
- C:\Users\user\AppData\Local\...\drv_99020.sys, PE32+ (dropped by the child DNG2urqytp.exe instance)
- C:\ProgramData[…]olden\libfabric.dll, C:\ProgramData[…]olden\fi_info_1.exe and C:\ProgramData[…]olden\fi_info.exe, all PE32+ (dropped by the child DNG2urqytp.exe instance; the directory name is partially garbled in the extracted graph)
- C:\Users\user\AppData\Local\...\00420dca.exe, PE32+ (dropped by fi_info.exe)
- C:\Windows\System32\drivers\etc\hosts, ASCII (rewritten by fi_info.exe; "Modifies the hosts file", "Disables Windows system restore")

Process tree (abridged):
- DNG2urqytp.exe ("Contains functionality to automate explorer", "Contains functionality to modify Windows User Account Control (UAC) settings", "Contains functionality to detect sleep reduction / modifications") -> DNG2urqytp.exe (child; "Forces installed software to run under restricted privileges", "Changes security center settings", "Disables Windows Defender (deletes autostart)", 8 other signatures) -> cmd.exe ("Uses netsh to modify the Windows network and firewall settings") -> gpupdate.exe, conhost.exe; -> explorer.exe
- svchost.exe -> fi_info.exe ("Tries to detect sandboxes and other dynamic analysis tools") -> 00420dca.exe, cmd.exe -> netsh.exe, conhost.exe, 11 other processes; svchost.exe -> cmd.exe -> 2 other processes
- Further fi_info.exe and fi_info_1.exe instances ("Contains functionality to automate explorer", "Modifies the windows firewall", "Contains functionality to modify Windows User Account Control (UAC) settings") spawning netsh.exe, conhost.exe and several dozen other processes

Threat name: Win64.Malware.Heuristic
Status: Malicious
First seen: 2026-04-29 02:11:50 UTC
File Type: PE+ (Exe)
Extracted files: 45
AV detection: 18 of 36 (50.00%)
Threat level: 2/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: 6d25076b0cf8d493bd252bcfdee87c9ec9e23ddb814cfc671e3e80d31e2bf6f8
MD5 hash: 198805306d17118fa6bd5f8444007622
SHA1 hash: 6789610dd85bbac6f0a3cb907abcfd9b50a3554a

SHA256 hash: 8d467094c515a1f36a11c9130068a29b27e4902dabb6319857eef7b93c845442
MD5 hash: f3ddaed6bc4312704f4cfc7091d2bec6
SHA1 hash: 484ba358fa2bfc97021db7d24f18047ca47c767d

SHA256 hash: 375a5738ea0b982b542ca17d129e0c936cc55203cac206fea28f17b8757b804b
MD5 hash: 36c90b2023178103c8dcac4d451c2a7c
SHA1 hash: 6e6749650c4be7b3ef3ccb9e39971327de7c318f

Detections: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ICMLuaUtil_UACMe_M41
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author:ditekSHen
Description:Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_detect_tls_callbacks
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:test_rule_vldslv
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:WinosStager
Author:YungBinary
Description:https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments