MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VenomRAT

Vendor detections: 14

SHA256 hash: cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7
SHA3-384 hash: ee114c1648059fe5a1b3bfcffca165f776fb6947b2943e7700a8c50cc1d374f04945a81b4aa0e6920e1a5a10d3c52a84
SHA1 hash: 3c4747ad182898466a9314e536fda1fe5983db42
MD5 hash: b770d62550d8ff48c7fd45dd04d790f2
humanhash: table-minnesota-mike-summer
File name: b770d62550d8ff48c7fd45dd04d790f2.exe
Signature: VenomRAT
File size: 1'799'680 bytes
First seen: 2024-08-06 15:45:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 49152:cKJU9ltTMMRYpY4TJtqjv7KtGQdHyedH7:zi5TMM+Dg7K0WHj7
TLSH: T1688533E99E1A8866C2A9147F58C7706052307B717661F38F6C48A606E71C3DBDF328DB
TrID:
  67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter: abuse_ch
Tags: exe VenomRAT


abuse_ch:
VenomRAT C2:
45.66.231.202:7777

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
45.66.231.202:7777   https://threatfox.abuse.ch/ioc/1307452/
154.216.20.242:5000  https://threatfox.abuse.ch/ioc/1307453/

Intelligence


File Origin
# of uploads: 1
# of downloads: 398
Origin country: NL

Vendor Threat Intelligence
Verdict: Malicious
Score: 92.5%
Tags: Heur

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Creating a window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed packed smartassembly smart_assembly

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT, Neshta, PureLog Stealer, RedLi
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Sample is not signed and drops a device driver
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Neshta
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected VenomRAT
Yara detected zgRAT
Behaviour
Behavior Graph: ID 1488876, sample vZ2HwQ4Vrq.exe, start date 06/08/2024, architecture WINDOWS, score 100 (graph rendering not reproduced here). Contacted hosts shown in the graph: server.underground-cheat.xyz, gia.o7lab.me (154.216.20.242) and blue.o7lab.me (45.66.231.202).
Threat name: ByteCode-MSIL.Spyware.AsyncRAT
Status: Malicious
First seen: 2024-08-06 15:46:05 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 20 of 24 (83.33%)
Threat level: 2/5
Verdict: malicious

Result
Malware family: sectoprat
Score: 10/10
Tags: family:asyncrat family:neshta family:redline family:sectoprat botnet:default botnet:gia.o7lab.me:26644 botnet:o7lab botnet:underground-cheat.com credential_access defense_evasion discovery evasion execution infostealer persistence rat spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Gathers network information
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Sets file to hidden
Async RAT payload
Credentials from Password Stores: Credentials from Web Browsers
AsyncRat
Detect Neshta payload
Modifies security service
Neshta
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
154.216.20.242:5000
gia.o7lab.me:5000
blue.o7lab.me:7777
server.underground-cheat.xyz:7777
154.216.20.242:4449
gia.o7lab.me:26644
server.underground-cheat.xyz:4449
bluedns.o7lab.me:4449
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 3ec59c4cf1f6f55f30592d3ad4c018822ba879f11eb9c3d95a863eebc1ebeeb4
MD5 hash: 3ae392b59f46655d93f270eee4a96097
SHA1 hash: 94119504ddc8ca9ccf8fc2b6347b7797549514ce

SHA256 hash: 19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash: 4e29f75c0c51b9dec76955f0382d9541
SHA1 hash: 4899aa8e3f57339cbaec8faab777897a76fe1c3a

SHA256 hash: 89a68c4a8b90c1dc7de726d35f4625f6e53e313010fe3f7d91e18a16527de13a
MD5 hash: 51a8c2b01c55533ff58b41ffb35238c6
SHA1 hash: 2868393f20a1fa3f5057dd8f697e35f3de471300
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7
MD5 hash: b770d62550d8ff48c7fd45dd04d790f2
SHA1 hash: 3c4747ad182898466a9314e536fda1fe5983db42

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
VenomRAT
Executable exe cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                Severity
CHECK_AUTHENTICODE         Missing Authenticode                                 high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)      high

Comments



Kasibe commented on 2024-08-06 16:48:41 UTC

AsyncRat