MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce3e8c04362289ecdfae9345853fa329bb8c2cec67839bcdf1c357ceead67e2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VenomRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce3e8c04362289ecdfae9345853fa329bb8c2cec67839bcdf1c357ceead67e2a
SHA3-384 hash: ff287b9216fff835779cf4a007eaab6493d30fcc16aa258f2edf718e1d2a9244efc121663afc5645c25fe9a29055e030
SHA1 hash: 1e5acde3b8c70180662bbd99d7854e5868330212
MD5 hash: 7c79b44eed2b07e24f261a6b659da9d2
humanhash: arkansas-nebraska-finch-seventeen
File name:dhlchina2025260200000111.pdf.exe
Download: download sample
Signature VenomRAT
Create hunting rule
File size:1'061'888 bytes
First seen:2025-02-26 08:50:33 UTC
Last seen:2025-03-10 12:12:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:7h+ztZTrc3db4EHPesVz0EJnyB2Jnq6Kq8cuBwx+7:t+zj3mhvPZkB2dq6xuu+
Threatray 5'221 similar samples on MalwareBazaar
TLSH T185353345DB204184C63B037B68C6986EB7F9499F273EDA895520E0060BFF6369DB4F74
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:DHL exe RAT VenomRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
491
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
dhlchina2025260200000111.pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-02-26 09:48:26 UTC
Tags:
pastebin purecrypter netreactor asyncrat
Link:
https://app.any.run/tasks/0b1bb14c-103e-4744-ab5e-73a4db442892

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.2685.14444.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bed65a28ab76d43a5d39a9
Tags:
underscore autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Launching a process
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67bed6086222db7f23dc0f3b/reports/4a2c29b9-901a-4b7f-a7c8-540b7d08423b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ce3e8c04362289ecdfae9345853fa329bb8c2cec67839bcdf1c357ceead67e2a
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b067de51-d93e-4605-96df-54ebcd7690e9
Result
Threat name:
AsyncRAT, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1624445
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops VBS files to the startup folder
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Double Extension File Execution
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ce3e8c04362289ecdfae9345853fa329bb8c2cec67839bcdf1c357ceead67e2a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce3e8c04362289ecdfae9345853fa329bb8c2cec67839bcdf1c357ceead67e2a/
Threat name:
ByteCode-MSIL.Hacktool.AMSIBypass
Create hunting rule
Status:
Malicious
First seen:
2025-02-26 00:57:25 UTC
AV detection:
20 of 24 (83.33%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zy7iybbweke6zx5osncykp5dfg5yylhmm6bzxtprynl452wwpyva._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
2214a5e0c7d32298e026efedefa80133e46687150b02e0291890575532034d73
VenomRAT
3bcb2edbdb58b3f4b04b1629b76a7b91c22077e5d021599c22e8c0fb97483683
VenomRAT
4f456f083e843fac3b49cccf201cd1aad7f9cdba6e70db0de6d9c025c9540105
VenomRAT
500e0511666a6aced9ceb6e727bbe21cfaacefbf6529704848286238056f9875
VenomRAT
689afb138cce81a04a517539d0b927bfd5ac8a3eb70bef2bb435d4c6b2a0b40e
VenomRAT
6ae91782bc6a429b1381d2c63d05d268be691a616c46e4c01481b2bab60938a8
VenomRAT
c7e0f46c480c2f461e249744298fcbb99bc035602b39339df980d962ad6fea01
VenomRAT
d0cac8b1d479f1d25c5cb669cc439b310f0467397456e1dde7837afce399183d
VenomRAT
edebdfc39d36e084ae1a91bc39818fab102a66a865f91da0fbe2725896e9fc80
VenomRAT
error
VenomRAT
f9ee3715793db624c00bf0f71624c483729719d0dce15b4922b52f7422a420fc
VenomRAT
+ 5'211 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:best discovery rat
Link:
https://tria.ge/reports/250226-kr852ssqs3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Drops startup file
AsyncRat
Asyncrat family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f9505bbb-944a-42bb-9657-b85e89c990e6
Unpacked files
SH256 hash:
ce3e8c04362289ecdfae9345853fa329bb8c2cec67839bcdf1c357ceead67e2a
MD5 hash:
7c79b44eed2b07e24f261a6b659da9d2
SHA1 hash:
1e5acde3b8c70180662bbd99d7854e5868330212
Link:
https://www.unpac.me/results/97a0debd-8c53-499e-afda-e32d25680f1a/
SH256 hash:
baca62f47345ca1bd6f01361e82294fc43491c7f2dffe8c7607296d62ef92e36
MD5 hash:
a7828d7d3e65992ee7faaa2e08864326
SHA1 hash:
0e00d6c627f3828bc7762b14f733308248c5c4ad
Link:
https://www.unpac.me/results/97a0debd-8c53-499e-afda-e32d25680f1a/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/97a0debd-8c53-499e-afda-e32d25680f1a/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/97a0debd-8c53-499e-afda-e32d25680f1a/
SH256 hash:
5bbb8c49f224157503c6004b9870d12b4a27942eb625ced52237dba56d0c6520
MD5 hash:
88164d7fbcee6fda6d2ec75af72c4f1d
SHA1 hash:
92d8bb748e605e2e07323370dacfc2231919642a
Link:
https://www.unpac.me/results/97a0debd-8c53-499e-afda-e32d25680f1a/
SH256 hash:
9efd1b704f9ed848022be27fabf3dc7df6dc8180eccfbbc40271a5d21d539b6a
MD5 hash:
c457161f2f3bdb8880067e7233d3d975
SHA1 hash:
e5a89f562a74fcf3eb2fa6046274b8a7af0375e0
Detections:
AsyncRAT
Create hunting rule
VenomRat
Create hunting rule
win_asyncrat_unobfuscated
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Link:
https://www.unpac.me/results/97a0debd-8c53-499e-afda-e32d25680f1a/
Parent samples :
ce3e8c04362289ecdfae9345853fa329bb8c2cec67839bcdf1c357ceead67e2a
0e96337c9c239e6151b82cd4caca508f1235787b14024e22f75606901016b232
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce3e8c04362289ecdfae9345853fa329bb8c2cec67839bcdf1c357ceead67e2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AcRat
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:AcRat Payload (based on AsyncRat)
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:Mal_WIN_AsyncRat_RAT_PE
Create hunting rule
Author:Phatcharadol Thangplub
Description:Use to detect AsyncRAT implant.
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:venomrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security
Rule name:win_asyncrat_unobfuscated
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments