MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97977a53c121eb7fb4d52c47c29f9266ae3e5ea0e795940ec7f2047d8db49d26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VenomRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97977a53c121eb7fb4d52c47c29f9266ae3e5ea0e795940ec7f2047d8db49d26
SHA3-384 hash: 64d6faf7b6881664db07a006e29e79065e9df27211a2fe9e7643d7daa9fc76b62789cfa9cd3791b689e739d9946fd52a
SHA1 hash: eb2feb30ede1f4f56773b1070a137ce94cf290f8
MD5 hash: 0077fe112c146a3788efbec5b10a9421
humanhash: high-oklahoma-massachusetts-solar
File name:dnRb_995.exe
Download: download sample
Signature VenomRAT
Create hunting rule
File size:2'126'018 bytes
First seen:2025-05-21 19:59:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash efd455830ba918de67076b7c65d86586 (56 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep 49152:KxXXm66OSy4MNek8y4/fzMiH6mVEPwnFU0:KxHXSy40Jc/vHPnW0
Threatray 47 similar samples on MalwareBazaar
TLSH T13EA5E027B2CB653FF0BE4A364977D612583BBA6169128C6697F8086CCF260D01D3F647
TrID 60.0% (.EXE) Inno Setup installer (107240/4/30)
23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.8% (.EXE) Win64 Executable (generic) (10522/11/4)
3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 824c69320c000000 (1 x VenomRAT)
Reporter aachum
Tags:AsyncRAT exe purecrypter PureLogs VenomRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
484
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KL_软件安装.exe
Verdict:
Malicious activity
Analysis date:
2025-05-21 20:02:12 UTC
Tags:
purelogs purecrypter stealer
Link:
https://app.any.run/tasks/1e16cb12-9dcd-4b07-9381-d33fa2f29c1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682e311dc28c67d66643d124
Tags:
extens virus spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching a process
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
Creating a file
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint installer overlay overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/682e3094fd02ed5e0580e518/reports/8e7185ca-def2-4bda-8aa9-cc1faf659430/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/97977a53c121eb7fb4d52c47c29f9266ae3e5ea0e795940ec7f2047d8db49d26
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0c809005-9a3f-419f-bbae-cca5d9185cb8
Result
Threat name:
DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1696274
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Yara detected DcRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1696274 Sample: dnRb_995.exe Startdate: 21/05/2025 Architecture: WINDOWS Score: 100 57 Suricata IDS alerts for network traffic 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Yara detected DcRat 2->61 63 4 other signatures 2->63 12 dnRb_995.exe 2 2->12         started        15 regsvr32.exe 2->15         started        process3 file4 51 C:\Users\user\AppData\Local\...\dnRb_995.tmp, PE32 12->51 dropped 17 dnRb_995.tmp 3 4 12->17         started        process5 file6 41 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 17->41 dropped 20 dnRb_995.exe 2 17->20         started        process7 file8 43 C:\Users\user\AppData\Local\...\dnRb_995.tmp, PE32 20->43 dropped 23 dnRb_995.tmp 3 4 20->23         started        process9 file10 45 C:\Users\user\AppData\...\is-1MF56.tmp, PE32+ 23->45 dropped 47 C:\Users\...\WSUS_Server_TLS_v9.p12 (copy), PE32+ 23->47 dropped 49 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 23->49 dropped 26 regsvr32.exe 23->26         started        process11 process12 28 regsvr32.exe 1 7 26->28         started        dnsIp13 53 27.124.4.150, 49691, 49692, 56000 BCPL-SGBGPNETGlobalASNSG Singapore 28->53 65 System process connects to network (likely due to code injection or exploit) 28->65 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->67 69 Sets debug register (to hijack the execution of another thread) 28->69 71 Tries to detect sandboxes / dynamic malware analysis system (Installed program check) 28->71 32 powershell.exe 37 28->32         started        35 powershell.exe 28->35         started        signatures14 process15 signatures16 55 Loading BitLocker PowerShell Module 32->55 37 conhost.exe 32->37         started        39 conhost.exe 35->39         started        process17
Score:
63%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/97977a53c121eb7fb4d52c47c29f9266ae3e5ea0e795940ec7f2047d8db49d26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97977a53c121eb7fb4d52c47c29f9266ae3e5ea0e795940ec7f2047d8db49d26/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-05-21 20:00:31 UTC
File Type:
PE (Exe)
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6lxuu6behvx7ngvfrd4fh4sm2xd4xva46kzidwh6ich3dnututa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0d2df79021d53ebf591cc6f32c8a0766b1d98dd37b24721d86bdf0c5c9a2de4b
VenomRAT
122e308d760f8f3b757b7e9dc59f71777b9e33726645057ef2e8ef5617700ea5
VenomRAT
15919a58528476cc7bd02a5f4174b82e76ccfbd2291d1be4f7926add063355a0
VenomRAT
1c0dbb4434505d5eb0d2c42bad90015b1580a9dbd973c3b5e8c2c1dcd018a2d8
VenomRAT
2e275551ec59973546e2e02393f82524f98c3002604d90d4fdffd03312d4d48b
VenomRAT
6a31c17b7e29889a94709e13de77d2726ad08f8876c12b9d7f3694543b748f02
VenomRAT
97977a53c121eb7fb4d52c47c29f9266ae3e5ea0e795940ec7f2047d8db49d26
VenomRAT
a4b0f381813efd51a931c3ecd7f9d004ad416ae2b5df70d5278a73682ae2332e
VenomRAT
error
VenomRAT
+ 37 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat discovery execution rat
Link:
https://tria.ge/reports/250521-yq7gqa1rz7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Async RAT payload
AsyncRat
Asyncrat family
Unpacked files
SH256 hash:
97977a53c121eb7fb4d52c47c29f9266ae3e5ea0e795940ec7f2047d8db49d26
MD5 hash:
0077fe112c146a3788efbec5b10a9421
SHA1 hash:
eb2feb30ede1f4f56773b1070a137ce94cf290f8
Link:
https://www.unpac.me/results/51333626-3bcf-438b-b8f2-e2a15539ec2c/
SH256 hash:
1c44eced76a8ddd7eb81f4ade1a1523d588fb6ca7499f109ea9f152cbd9c1291
MD5 hash:
1d24b542fecfd07109ce49e525f2b4b8
SHA1 hash:
c4270e3f942058d9508a3c09042d7dca752ebcc3
Link:
https://www.unpac.me/results/51333626-3bcf-438b-b8f2-e2a15539ec2c/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/97977a53c121/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97977a53c121eb7fb4d52c47c29f9266ae3e5ea0e795940ec7f2047d8db49d26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AcRat
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:AcRat Payload (based on AsyncRat)
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Donutloader_f40e3759
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

VenomRAT

Executable exe 1d8a948214daf64f3b0b9b894ee8b18dbf9164e54238d8ef88f9372cd03ce3ce

VenomRAT

Executable exe 97977a53c121eb7fb4d52c47c29f9266ae3e5ea0e795940ec7f2047d8db49d26

(this sample)

  
Link
https://tria.ge/250521-ymc4psbp3x/behavioral1
  
Dropped by
SHA256 1d8a948214daf64f3b0b9b894ee8b18dbf9164e54238d8ef88f9372cd03ce3ce
  
Delivery method
Distributed via web download
  
Dropped by
MD5 5d1445e254cafe142dbfb9be9c10c4d5

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments