MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84c2b21f5b3c48dfb7481094b8e7f8c2f56e041fe3244b1a608bc264d83536bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VenomRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84c2b21f5b3c48dfb7481094b8e7f8c2f56e041fe3244b1a608bc264d83536bb
SHA3-384 hash: c3564a106cc451d513b52a6e9cad1f388c48d76edd6ff667c44d3ebc7d9b787daa43372d89102837f4f2ef5460f1dfc6
SHA1 hash: 0f83db9b94d8d3975116732282364ee7aa8d142f
MD5 hash: 4cbf5db190e95e44d2a637e3513cb39f
humanhash: bulldog-california-black-crazy
File name:windefragsvc.exe
Download: download sample
Signature VenomRAT
Create hunting rule
File size:12'311'040 bytes
First seen:2024-05-16 13:26:17 UTC
Last seen:2024-05-16 14:43:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 196608:0vcp1Se3LVaChCXpogOPA53p79DMG/TiOyg:13h/g/OE3p5Dxby
TLSH T18CC6C31024D95647FD7ADFBC95DC32400F79B2E27B22EA389B5259ED0ED1B18D8438A3
TrID 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter rmceoin
Tags:exe VenomRAT


Avatar
rmceoin
147.45.50.86/Downloads/Invoice.pdf.lnk
Last modified: Wed, 15 May 2024 17:03:50 GMT
machine_identifier: win-hm6fi4voiep
LNK > mshta https://invoiceinformations.com/InvoiceInfo/Evernote-Invoice > https://invoiceinformations.com/InvoiceInfo/windefragsvc.exe

Decoy: https://invoiceinformations.com/InvoiceInfo/Evernote-Supplemental-Terms.pdf

84297536d9873d971dcc783ae2f95af8cbf32c65fccf3c8687af2ba5294b7f30 Invoice.pdf.lnk
eb5134e46f59a26415369857aa1a1dddd9ba1e3d5dced245266ccbc4ec25fec5 Evernote-Invoice
84c2b21f5b3c48dfb7481094b8e7f8c2f56e041fe3244b1a608bc264d83536bb windefragsvc.exe
861b8186ac5e7157ff17abe83c9aff3856113d43adf3bae520f93d75940c9c46 Evernote-Supplemental-Terms.pdf

Intelligence

File Origin
# of uploads :
3
# of downloads :
326
Origin country :
US US
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
84c2b21f5b3c48dfb7481094b8e7f8c2f56e041fe3244b1a608bc264d83536bb.exe
Verdict:
Malicious activity
Analysis date:
2024-05-16 13:26:52 UTC
Tags:
rat asyncrat remote
Link:
https://app.any.run/tasks/93abae08-f59d-448b-816b-515064cfd859

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.23424.13043.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Searching for the window
Creating a file
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/664609a9636c5be33c7eb6f3/reports/8f8ac947-6c9c-42ae-8ed6-e55011e84d87/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/84c2b21f5b3c48dfb7481094b8e7f8c2f56e041fe3244b1a608bc264d83536bb
Result
Verdict:
MALICIOUS
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/375d7335-a57d-42fd-a19b-97f889eb2b46
Result
Threat name:
AsyncRAT, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1442630
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Potentially Suspicious Malware Callback Communication
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1442630 Sample: windefragsvc.exe Startdate: 16/05/2024 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 10 other signatures 2->40 6 windefragsvc.exe 1 8 2->6         started        10 mcsfwservice.exe 3 2->10         started        12 mcsfwservice.exe 2 2->12         started        process3 file4 26 C:\Users\user\AppData\...\mcsfwservice.exe, PE32 6->26 dropped 42 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 6->42 44 Writes to foreign memory regions 6->44 46 Allocates memory in foreign processes 6->46 48 Injects a PE file into a foreign processes 6->48 14 RegAsm.exe 6->14         started        17 RegAsm.exe 1 4 6->17         started        20 RegAsm.exe 6->20         started        50 Antivirus detection for dropped file 10->50 52 Multi AV Scanner detection for dropped file 10->52 54 Machine Learning detection for dropped file 10->54 22 RegAsm.exe 3 10->22         started        24 RegAsm.exe 2 12->24         started        signatures5 process6 dnsIp7 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->56 28 94.156.64.5, 4443, 49736 TERASYST-ASBG Bulgaria 17->28 30 94.156.69.164, 49742, 49743, 8900 TERASYST-ASBG Bulgaria 17->30 32 94.156.69.166, 49745, 8900 TERASYST-ASBG Bulgaria 17->32 signatures8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/84c2b21f5b3c48dfb7481094b8e7f8c2f56e041fe3244b1a608bc264d83536bb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84c2b21f5b3c48dfb7481094b8e7f8c2f56e041fe3244b1a608bc264d83536bb/
Threat name:
ByteCode-MSIL.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2024-05-15 20:56:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qtbleh23hren7n2iccklrz7yyl2w4ba74msewgtarpbgjwbvg25q._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default discovery persistence rat
Link:
https://tria.ge/reports/240516-qp3s5seg9s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
AsyncRat
Malware Config
C2 Extraction:
94.156.69.161:8900
94.156.69.161:4443
94.156.69.163:8900
94.156.69.163:4443
94.156.69.164:8900
94.156.69.164:4443
94.156.69.165:8900
94.156.69.165:4443
94.156.69.166:8900
94.156.69.166:4443
91.92.248.82:8900
91.92.248.82:4443
91.92.251.136:8900
91.92.251.136:4443
91.92.251.153:8900
91.92.251.153:4443
91.92.251.159:8900
91.92.251.159:4443
91.92.251.179:8900
91.92.251.179:4443
91.92.251.245:8900
91.92.251.245:4443
91.92.254.21:8900
91.92.254.21:4443
91.92.254.201:8900
91.92.254.201:4443
91.92.255.16:8900
91.92.255.16:4443
91.92.255.25:8900
91.92.255.25:4443
91.92.255.79:8900
91.92.255.79:4443
94.156.64.5:8900
94.156.64.5:4443
94.156.64.21:8900
94.156.64.21:4443
94.156.64.51:8900
94.156.64.51:4443
94.156.64.90:8900
94.156.64.90:4443
Unpacked files
SH256 hash:
e6b08656426ab656c2c07f6f8919dd1bc4c73b66c69bc4b7943d224ea211080d
MD5 hash:
1e01f2a5290aaf4c12fc737647e8609c
SHA1 hash:
76b879b42673398649691b796805a8344df79bd1
Link:
https://www.unpac.me/results/6fb1a2f8-8739-43c4-b2ed-39286068a50a/
SH256 hash:
ed627b6f81984b6a902c27044377c317c0a80773dee4077bdad6d36843aaabe8
MD5 hash:
cf96de7e1d98effd2269c56d13237f07
SHA1 hash:
1032992e7f233864e1de6c1eb149317b34229fd1
Detections:
VenomRat
Create hunting rule
AsyncRAT
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Link:
https://www.unpac.me/results/6fb1a2f8-8739-43c4-b2ed-39286068a50a/
SH256 hash:
84c2b21f5b3c48dfb7481094b8e7f8c2f56e041fe3244b1a608bc264d83536bb
MD5 hash:
4cbf5db190e95e44d2a637e3513cb39f
SHA1 hash:
0f83db9b94d8d3975116732282364ee7aa8d142f
Link:
https://www.unpac.me/results/6fb1a2f8-8739-43c4-b2ed-39286068a50a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/84c2b21f5b3c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84c2b21f5b3c48dfb7481094b8e7f8c2f56e041fe3244b1a608bc264d83536bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:venomrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

VenomRAT

Executable exe eb5134e46f59a26415369857aa1a1dddd9ba1e3d5dced245266ccbc4ec25fec5

VenomRAT

Executable exe 84c2b21f5b3c48dfb7481094b8e7f8c2f56e041fe3244b1a608bc264d83536bb

(this sample)

  
Dropped by
SHA256 eb5134e46f59a26415369857aa1a1dddd9ba1e3d5dced245266ccbc4ec25fec5
  
URLhaus
https://urlhaus.abuse.ch/url/2852185/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 9256ea8ac77c2bd01d0e7d2db9afa8be

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments