MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8caac829b55f23bf9ee8880342a529ae2af9f446f820fec1828645d6d15d9f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VenomRAT

Vendor detections: 13


SHA256 hash: e8caac829b55f23bf9ee8880342a529ae2af9f446f820fec1828645d6d15d9f6
SHA3-384 hash: 57e64c812412275d660861ebe696d53375ed9f17353dbaad46df29e9e3fa2824c927f270e4d4b1598d85f7db8bedb580
SHA1 hash: 193ceecae1c0fb5312c3ee9217daee2d71135bea
MD5 hash: 0e77eec6449ae6d26e684f181d13563d
humanhash: asparagus-sixteen-neptune-hot
File name: lest_Install.exe
Signature: VenomRAT
File size: 37'692'440 bytes
First seen: 2025-10-17 19:06:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6d5e13c0269946a5a10390c178d8e9a5 (4 x ValleyRAT, 2 x CoinMiner, 1 x Rhadamanthys)
ssdeep: 786432:mJqHlyDSs9JtOASirLOFw645Dbly+ZbVPxk67D/ZZSPbVxI:mJqHlyDSsLEBqym6qDblTZbVPxTNZWVe
TLSH: T1E4871221329EC43BE16905B1562CAEAB913C6E360FB154C7B3EC7D5A17B54C21633E2B
TrID: 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: aachum
Tags: 108-187-0-52 CHN exe letsvpn-dev VenomRAT


iamaachum
https://letsvpn.dev/download => https://letsvpn.dev/lest_Install.zip

Intelligence


File Origin
# of uploads: 1
# of downloads: 108
Origin country: ES
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: lest_Install.exe
Verdict: Malicious activity
Analysis date: 2025-10-17 18:53:54 UTC
Tags: advancedinstaller

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: dropper extens overt

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Creating a file in the %temp% directory
Loading a suspicious library
Launching a process
Modifying a system file
Sending a custom TCP request
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Moving a recently created file
Searching for the window
Searching for analyzing tools
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm cmd expand fingerprint installer lolbin microsoft_visual_cc msiexec obfuscated overlay packed packer_detected remote runonce threat
Verdict: Malicious
File Type: exe x32
First seen: 2025-10-17T17:20:00Z UTC
Last seen: 2025-10-18T00:44:00Z UTC
Hits: ~10
Detections: Trojan.Win32.RokRat.sb Trojan.Win32.Mansabo.sb Trojan.Win32.Gatak.sb Trojan.Win32.AntiAV.sb Backdoor.Win32.Zegost.sb Backdoor.NanoBot.TCP.C&C Backdoor.MSIL.Crysan.sb Trojan.Win32.AntiAV.dcbh Trojan.Win32.Agent.sb Trojan.Agent.TCP.C&C Backdoor.MSIL.Crysan.lnj Trojan.Win32.Shellcode.sb
Result
Threat name: DcRat, VenomRAT
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 78 / 100

Signature
Accesses sensitive object manager directories (likely to detect virtual machines)
Bypasses PowerShell execution policy
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the DNS server
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via ARP
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Windows Binaries Write Suspicious Extensions
Suricata IDS alerts for network traffic
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Yara detected DcRat
Yara detected VenomRAT
Behaviour
Behavior Graph (ID: 1797367, Sample: lest_Install.exe, Startdate: 17/10/2025, Architecture: WINDOWS, Score: 78); the rendered process, file and network graph is not reproduced in text form.
Gathering data
Verdict: Malicious
Threat: NetworkReferences.Malware.Generic
Threat name: Win32.Malware.Heuristic
Status: Malicious
First seen: 2025-10-17 18:53:55 UTC
File Type: PE (Exe)
Extracted files: 856
AV detection: 8 of 24 (33.33%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution persistence privilege_escalation ransomware spyware trojan

Behaviour
Checks SCSI registry key(s)
Gathers network information
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Network Service Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Drops file in Drivers directory
Modifies Windows Firewall
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping malware through a base63 encoded powershell script.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: pe_detect_tls_callbacks

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

VenomRAT
Executable exe e8caac829b55f23bf9ee8880342a529ae2af9f446f820fec1828645d6d15d9f6 (this sample)

Delivery method: Distributed via web download

Comments