MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea8f901364586b8fb6827e53a85564d53103b35d2e0109dacd3a6f713af89f5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VENON


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea8f901364586b8fb6827e53a85564d53103b35d2e0109dacd3a6f713af89f5e
SHA3-384 hash: e2195f15c1366f087ea6f70c637bf7de5011ab14128f0ab11f8e2cc92c1094bd0149aa133378745af506b8312a096add
SHA1 hash: e61dccc160816c0b32ce6938b3999cf2e3ce3e4e
MD5 hash: ec2536feb3f29cf9a00c5ca8de9a7eaa
humanhash: emma-golf-cardinal-vegan
File name:document_vBZcJo.cmd
Download: download sample
Signature VENON
Create hunting rule
File size:2'300'430 bytes
First seen:2026-04-14 13:11:40 UTC
Last seen:2026-04-15 16:33:31 UTC
File type:cmd cmd
MIME type:text/x-msdos-batch
ssdeep 24576:WZoLe7/PzzvZZEnRvSLS9IoghyOYM00Pah+UUUUdXHbIi7cDCCCCC3iiQDEw+UNW:AoLEonJsJhy2PLrFYuii0Ew+U7o
TLSH T1CFB59D56B9501C2A28F827E0A9F21446D3CCC3F71B4DEBDDA0F54196349F38BE525AE8
Magika batch
Reporter johnk3r
Tags:cmd photgridyelow-site pre-planolocal-store VENON

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
BatchScript
Details
Link:
https://research.acce.ciphertechsolutions.com/results/72ba8eb4-77e0-4b49-b119-b940ce874a06/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69de3d4df68adfe10039b5d0
Tags:
infosteal dropper spawn micro
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint lolbin net powershell schtasks zero-day
Link:
https://www.filescan.io/uploads/69de3d485ea31bc68a2998e5/reports/ff1f5312-097f-4959-b530-84b214d6d523/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ea8f901364586b8fb6827e53a85564d53103b35d2e0109dacd3a6f713af89f5e
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-04-14T10:16:00Z UTC
Last seen:
2026-04-15T10:45:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.BAT.Setter.gen
Link:
https://opentip.kaspersky.com/ea8f901364586b8fb6827e53a85564d53103b35d2e0109dacd3a6f713af89f5e/results?tab=lookup
Result
Threat name:
VENON
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1898085
Signature
Adds a directory exclusion to Windows Defender
Found evasive API chain (exiting after language check)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Ping/Del Command Combination
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
Yara detected VENON
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1898085 Sample: document_vBZcJo.cmd Startdate: 14/04/2026 Architecture: WINDOWS Score: 88 35 photgridyelow.site 2->35 37 is.gd 2->37 45 Yara detected VENON 2->45 47 Joe Sandbox ML detected suspicious sample 2->47 49 Sigma detected: Suspicious Ping/Del Command Combination 2->49 51 Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet 2->51 8 cmd.exe 3 2->8         started        12 TextInputHostafUi.exe 2->12         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\...\t.xml, XML 8->33 dropped 53 Uses ping.exe to sleep 8->53 55 Uses shutdown.exe to shutdown or reboot the system 8->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 8->57 61 2 other signatures 8->61 14 cmd.exe 1 8->14         started        17 powershell.exe 23 8->17         started        19 powershell.exe 21 8->19         started        21 6 other processes 8->21 59 Found evasive API chain (exiting after language check) 12->59 signatures6 process7 dnsIp8 63 Uses ping.exe to sleep 14->63 25 PING.EXE 1 14->25         started        65 Loading BitLocker PowerShell Module 17->65 39 127.0.0.1 unknown unknown 21->39 41 photgridyelow.site 104.21.19.31, 443, 49724 CLOUDFLARENETUS United States 21->41 43 is.gd 104.25.233.53, 443, 49721 CLOUDFLARENETUS United States 21->43 29 C:\Users\user\AppData\Local\...\SSEdevice.dll, PE32+ 21->29 dropped 31 C:\Users\user\...\SteelSeriesEngine.exe, PE32+ 21->31 dropped 27 net1.exe 1 21->27         started        file9 signatures10 process11
Score:
67%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/ea8f901364586b8fb6827e53a85564d53103b35d2e0109dacd3a6f713af89f5e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea8f901364586b8fb6827e53a85564d53103b35d2e0109dacd3a6f713af89f5e/
Verdict:
Malicious
Threat:
Trojan.BAT.Setter
Link:
https://tip.neiki.dev/file/ea8f901364586b8fb6827e53a85564d53103b35d2e0109dacd3a6f713af89f5e
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-04-14 13:12:46 UTC
File Type:
Text (Batch)
AV detection:
5 of 24 (20.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5khzae3elbvy7nucpzj2qvle2uyqhm25fyaqtwwnhjxxcoxyt5pa._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/260414-qfvfeaey6s/
Behaviour
Modifies data under HKEY_USERS
Runs net.exe
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Network Configuration Discovery: Internet Connection Discovery
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ea8f901364586b8fb6827e53a85564d53103b35d2e0109dacd3a6f713af89f5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:CMD_Shutdown
Create hunting rule
Author:adm1n_usa32
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

VENON

cmd cmd ea8f901364586b8fb6827e53a85564d53103b35d2e0109dacd3a6f713af89f5e

(this sample)

VENON

Executable exe 055bdccb6e76c198400455552b8f4ea09414f6710d3857122a532dd5530adafd

  
Dropping
SHA256 055bdccb6e76c198400455552b8f4ea09414f6710d3857122a532dd5530adafd
  
Dropping
MD5 b77129f1f2de5cbac7e6d03d6c7f0804

Comments