MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 cd4408b09cd2a66a8b6d1d1fc1934355b98b70281c5eaa4e0783f2a0d76af3bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
VenomRAT
Vendor detections: 16
| SHA256 hash: | cd4408b09cd2a66a8b6d1d1fc1934355b98b70281c5eaa4e0783f2a0d76af3bd |
|---|---|
| SHA3-384 hash: | ddf0869fe87c396708567335bee71e662145befdeb345c47f2366b15db5b9d383e8280c2f1cc14da3196dd70caab8c6c |
| SHA1 hash: | 96cd536e1345af8bd24286d9e78a412acb01e815 |
| MD5 hash: | 3d90e10fd4119038caee547b29c6d566 |
| humanhash: | princess-nuts-social-charlie |
| File name: | cd4408b09cd2a66a8b6d1d1fc1934355b98b70281c5eaa4e0783f2a0d76af3bd |
| Download: | download sample |
| Signature | VenomRAT |
| File size: | 1'141'760 bytes |
| First seen: | 2025-05-09 14:52:58 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger) |
| ssdeep | 24576:Utb20pkaCqT5TBWgNQ7aGEdXu1bYvskkBfcFf6A:9Vg5tQ7aGEdSbjBEN5 |
| Threatray | 1'718 similar samples on MalwareBazaar |
| TLSH | T13735CF1273DD8365C3B25273BA267741BEBF782506A1F96B2FD4093DF920122521EA73 |
| TrID | 40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3) |
| Magika | pebin |
| dhash icon | aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla) |
| Reporter |  adrian__luca |
| Tags: | exe VenomRAT |
Intelligence
File Origin
# of uploads :
1
# of downloads :
367
Origin country :
HUVendor Threat Intelligence
Malware family:
asyncrat
ID:
1
File name:
cd4408b09cd2a66a8b6d1d1fc1934355b98b70281c5eaa4e0783f2a0d76af3bd
Verdict:
Malicious activity
Analysis date:
2025-05-10 02:44:22 UTC
Tags:
asyncrat netreactor
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
asyncrat autoit emotet
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Connection attempt
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
adaptive-context autoit compiled-script fingerprint keylogger microsoft_visual_cc obfuscated packed packed packer_detected
Verdict:
Malicious
Labled as:
Trojan.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT, PureLog Stealer, VenomRAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected PureLog Stealer
Yara detected VenomRAT
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Threat name:
Win32.Backdoor.FormBook
Status:
Malicious
First seen:
2025-04-28 15:53:51 UTC
AV detection:
20 of 37 (54.05%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
unc_loader_036
zgrat
autoit
unc_loader_001
Similar samples:
+ 1'708 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Score:
10/10
Tags:
family:asyncrat botnet:default discovery rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction:
127.0.0.1:100
196.251.89.167:100
196.251.89.167:100
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
cd4408b09cd2a66a8b6d1d1fc1934355b98b70281c5eaa4e0783f2a0d76af3bd
MD5 hash:
3d90e10fd4119038caee547b29c6d566
SHA1 hash:
96cd536e1345af8bd24286d9e78a412acb01e815
SH256 hash:
0e2283506de7b546a530d818f9757aa5d5ca75b1ac23245aacb904b4b93fc6e7
MD5 hash:
cb244f3a37b1c960500875c20a2e372e
SHA1 hash:
d541a0eb4436763b1c839d696dda0ae31c32cfb9
Detections:
win_samsam_auto
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
MAL_Malware_Imphash_Mar23_1
MetaStealer_NET_Reactor_packer
MALWARE_Win_RedLine
SH256 hash:
8772003d9f2657695db82bb7107122787aa75cf24513eda152d1bbe10ce6ac55
MD5 hash:
5f6ac710b04cc1fca66829cb151fbdc9
SHA1 hash:
26db55efc11fb366d9e7f02e7231690d44e5c61c
Detections:
AsyncRAT
VenomRat
SUSP_OBF_NET_Reactor_Indicators_Jan24
win_asyncrat_unobfuscated
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
SH256 hash:
a5e56d2dfb879470798233abdf1f6457c06f15d178e691ea64ec6395e014a677
MD5 hash:
fa19c2f05082dabf732b9260fbd19835
SHA1 hash:
dd02be72a1c471197ba8c49f04c67c8e7d61308a
Detections:
AsyncRAT
VenomRat
SUSP_OBF_NET_Reactor_Indicators_Jan24
RedLine_Campaign_June2021
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AutoIT_Compiled |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious. |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | MALWARE_Win_RedLine |
|---|---|
| Author: | ditekSHen |
| Description: | Detects RedLine infostealer |
| Rule name: | MAL_Malware_Imphash_Mar23_1 |
|---|---|
| Author: | Arnim Rupp |
| Description: | Detects malware by known bad imphash or rich_pe_header_hash |
| Reference: | https://yaraify.abuse.ch/statistics/ |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
| Rule name: | win_samsam_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
| Rule name: | YahLover |
|---|---|
| Author: | Kevin Falcoz |
| Description: | YahLover |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal |
| MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW |
| WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW |
| WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_NETWORK_API | Supports Windows Networking | MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.