MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VenomRAT


Vendor detections: 17



SHA256 hash: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944
SHA3-384 hash: fa1f59a58d10e8db35f700071bdcc28b4b06a17980aa07cc5a398b006f48376d67d0f54edd954135226a3ef8b09b4de2
SHA1 hash: 1a11d76a6ab646a0d699efa0e5fc71de6e5af92c
MD5 hash: 144f1b1c4b9cdad97d8dd1a3a89e7ea1
humanhash: beer-zulu-magazine-oscar
File name: SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669
Signature: VenomRAT
File size: 236'544 bytes
First seen: 2024-05-23 13:32:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep: 6144:TZ+geAPqybJnO5AbpbO9jhJdrz8U6n4eOP07NyGyG2qYlw5S3U19:T4FvybJNpazzfoyG
Threatray: 575 similar samples on MalwareBazaar
TLSH: T185341250225E902DE5133E33BF7283054ADCBE0A6D52DA2B74FC65826F078AD55D28BB
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: SecuriteInfoCom
Tags: exe VenomRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 380
Origin country: FR
Vendor Threat Intelligence
Malware family: asyncrat
ID: 1
File name: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
Verdict: Malicious activity
Analysis date: 2024-05-23 13:36:09 UTC
Tags: telegram exfiltration stealer rat asyncrat remote evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: Banker Encryption Execution Network Stealth Msil Dexter
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a window
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Blocking the User Account Control
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: asyncrat azorult coinminer loki masquerade packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT, DcRat, StormKitty, VenomRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary or sample is protected by dotNetProtector
Check if machine is in data center or colocation facility
Contains functionality to log keystrokes (.Net Source)
Disable UAC(promptonsecuredesktop)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Windows Service Tampering
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Uses whoami command line tool to query computer and username
Very long command line found
Yara detected AsyncRAT
Yara detected BrowserPasswordDump
Yara detected Costura Assembly Loader
Yara detected DcRat
Yara detected StormKitty Stealer
Yara detected VenomRAT
Behaviour
Behavior Graph (reconstructed as a process tree from the graph rendering; bracketed numbers are the graph's own node IDs):
Behavior Graph ID: 1446514; Sample: SecuriteInfo.com.Trojan.Pac...; Startdate: 23/05/2024; Architecture: WINDOWS; Score: 100
Root contacts: api.telegram.org (Uses the Telegram API (likely for C&C communication)); ip-api.com; 5 other IPs or domains
Root signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures

Process tree:
SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe [13]
  dropped: C:\Users\user\AppData\Local\...\WinDefend.exe (PE32); C:\Users\user\AppData\Local\...\Infected.exe (PE32); C:\Users\user\AppData\Local\Temp\Client.exe (PE32)
  signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Client.exe [23]
    dropped: C:\Users\user\AppData\Roaming\Loader.exe (PE32)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    cmd.exe [32]
      Loader.exe [41]
        signatures: Very long command line found; Found many strings related to Crypto-Wallets (likely being stolen); Encrypted powershell cmdline option found; Installs a global keyboard hook
        powershell.exe [61]
          signatures: Suspicious powershell command line found; Uses whoami command line tool to query computer and username
          powershell.exe [68]
            signatures: Disable Windows Defender notifications (registry); Disable Windows Defender real time protection (registry); Uses whoami command line tool to query computer and username
            cmd.exe [85]
              conhost.exe [103]; SecurityHealthSystray.exe [105]
            conhost.exe [87]; 3 other processes [99]
          cmd.exe [71]
            conhost.exe [89]; SecurityHealthSystray.exe [91]
          conhost.exe [73]; 4 other processes [81]
        powershell.exe [64]
          powershell.exe [75]
            cmd.exe [93]
              conhost.exe [107]; SecurityHealthSystray.exe [109]
            3 other processes [101]
          cmd.exe [77]
            conhost.exe [95]; SecurityHealthSystray.exe [97]
          conhost.exe [79]; 3 other processes [83]
        WerFault.exe [66]
      2 other processes [59]
    cmd.exe [34]
      conhost.exe [44]; schtasks.exe [46]
  Infected.exe [27]
    dropped: C:\Users\user\AppData\Roaming\Loaader.exe (PE32)
    cmd.exe [36]
      Loaader.exe [48]
        network: ip-api.com 208.95.112.1 TUT-ASUS United States; 66.235.168.242, 3232, 4449, 61009 TIER-NETUS United States; 2 other IPs or domains
        signatures: Tries to harvest and steal browser information (history, passwords, etc); Disables UAC (registry); Binary or sample is protected by dotNetProtector; Disable UAC(promptonsecuredesktop)
      conhost.exe [51]; timeout.exe [53]
    cmd.exe [38]
      signatures: Uses schtasks.exe or at.exe to add and modify task schedules
      conhost.exe [55]; schtasks.exe [57]
  WinDefend.exe [29]
    network: api.telegram.org 149.154.167.220, 443, 49707, 61006 TELEGRAMRU United Kingdom; api64.ipify.org 64.185.227.155, 443, 49704, 61014 WEBNXUS United States
    signatures: Tries to harvest and steal browser information (history, passwords, etc)
Loader.exe [17]
  signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Very long command line found; Encrypted powershell cmdline option found
Loaader.exe [19]
  signatures: Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
3 other processes [21]
Threat name: ByteCode-MSIL.Backdoor.AsyncRAT
Status: Malicious
First seen: 2024-05-11 13:07:15 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Result
Malware family: stormkitty
Score: 10/10
Tags: family:asyncrat family:stealerium family:stormkitty botnet:default collection discovery evasion persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Launches sc.exe
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Windows security modification
Async RAT payload
AsyncRat
Modifies Windows Defender Real-time Protection settings
Stealerium
StormKitty
StormKitty payload
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Malware Config
C2 Extraction:
66.235.168.242:4449
66.235.168.242:3232
Unpacked files
SHA256 hash:
de123f220f453bbc5503fb698cbf8e0b237941028c6e4a35963e3d999a727719
MD5 hash:
08088e29349802bd9fac9aa59c3704c6
SHA1 hash:
504dc16cf6066a56f07963af02021c3d8b7160db
SHA256 hash:
a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282
MD5 hash:
b8d455465260a845db35492fda5a8888
SHA1 hash:
287b0ba049ad8f3be802d2224efb86dba72d3221
Detections:
DCRat AsyncRAT INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice INDICATOR_SUSPICIOUS_EXE_DcRatBy
SHA256 hash:
64e4dedb36812766c522c79cae57b7f3b2694efaa396151d4117a70282166117
MD5 hash:
5fc6a541845fdafb597ddfb98fa28b54
SHA1 hash:
22e5dd50ddd71bc39c812db0f9b164ca10c556dd
Detections:
INDICATOR_EXE_Packed_ConfuserEx
SHA256 hash:
3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5
MD5 hash:
7ac0adf482250172280defec7a7054da
SHA1 hash:
20a25f0da68c309d062c4628ead8b6f377ac7969
Detections:
VenomRat AsyncRAT INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
SHA256 hash:
e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944
MD5 hash:
144f1b1c4b9cdad97d8dd1a3a89e7ea1
SHA1 hash:
1a11d76a6ab646a0d699efa0e5fc71de6e5af92c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: VenomRAT
File: Executable exe e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings (ID: Title, Severity)
CHECK_AUTHENTICODE: Missing Authenticode, severity high
CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (HIGH_ENTROPY_VA), severity high

Comments