MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 779e2ff480a30df2c39e8bd27061a0cfd4fb0d234cd0374cf92c5dd21b6eeb55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VenomRAT


Vendor detections: 9



SHA256 hash: 779e2ff480a30df2c39e8bd27061a0cfd4fb0d234cd0374cf92c5dd21b6eeb55
SHA3-384 hash: f9adbeb9489e1724ba83272fbcbd4fae1da38bbbeea335b48b9a988a696768769631679e54b8f5efcbdef2dc03c9be8f
SHA1 hash: da8012cd64a962f9d24a21b73e43592640b6c4ff
MD5 hash: 46fd2b3f3a94dedf52571b13875e968f
humanhash: video-lion-undress-monkey
File name: sa.bat
Signature: VenomRAT
File size: 268'565 bytes
First seen: 2023-12-18 06:32:27 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 6144:4gyk7/7z3BzE4si5cAzgnoMqGhdMmCCNdzYCdWB:Mk7psMcAFfG/M/CdC
TLSH: T1C844BE84D1F1A73707C6BF9925021C6C8689AD975AC1ADB0D409A6F1ABF7FB8CC35C12
Reporter: ankit_anubhav
Tags: bat VenomRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
145
Origin country :
TH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sa.bat
Verdict:
Malicious activity
Analysis date:
2023-12-18 06:33:31 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
powershell
Result
Verdict:
MALICIOUS
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Encrypted powershell cmdline option found
Installs a global keyboard hook
Potential dropper URLs found in powershell memory
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Renames powershell.exe to bypass HIPS
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses whoami command line tool to query computer and username
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DcRat
Behaviour
Behavior Graph (ID 1363796; sample sa.bat; start date 18/12/2023; architecture WINDOWS; score 100): cmd.exe and wscript.exe start the chain; cmd.exe drops C:\Users\user\Desktop\sa.bat.exe (PE32+, a renamed powershell.exe) which launches wscript.exe and powershell.exe and drops C:\Users\user\AppData\...\startup_str.vbs and C:\Users\user\AppData\...\startup_str.bat; wscript.exe runs cmd.exe, which drops and starts C:\Users\user\AppData\...\startup_str.bat.exe (PE32+); that process spawns powershell.exe, wermgr.exe, cmd.exe, MpCmdRun.exe and SecurityHealthSystray.exe, and contacts 163.5.215.211 on ports 4449, 49736 and 49737 (EPITECHFR, France). The signatures attached to the graph nodes are the same as those in the Signature list above.
Verdict:
unknown
Result
Malware family:
asyncrat
Score:
10/10
Tags:
family:asyncrat botnet:default discovery rat
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Launches sc.exe
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
163.005.215.211:4449
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



Adm1n 32 USA commented on 2023-12-18 06:37:18 UTC

https://app.any.run/tasks/33a8fdae-01a6-447a-b45a-bb2762fd7336