MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 18



SHA256 hash: 066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40
SHA3-384 hash: ce93044162c358e4e1d21e7356fd4eded00c498e71f6a575981dd6c1b1ef24fa030b9be1ecca035b7f98d3b5fa89dc85
SHA1 hash: 7b559b7160fa1f0de211afd3dcb81a41a2a7fd89
MD5 hash: 32bbe58d2336cd18c22d221a3836bd50
humanhash: arkansas-helium-uniform-friend
File name: SecuriteInfo.com.Win32.PWSX-gen.28365.916
Signature: AveMariaRAT
File size: 735'744 bytes
First seen: 2024-10-28 06:16:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:9qbjoMfzukYwBZ+DPWeGHutARp7ubVoSYOKe5KkohFISCX/B:sos2+HutANuprIiroJCP
Threatray 479 similar samples on MalwareBazaar
TLSH T146F40298332DCF19E5BD0BFE0862304047B127657161D7EF4EC625DB8AA2B814B1EE97
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon d0d052929284b494 (3 x Formbook, 1 x AveMariaRAT)
Reporter SecuriteInfoCom
Tags: AveMariaRAT exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
2'727
Origin country :
FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.28365.916
Verdict:
Suspicious activity
Analysis date:
2024-10-28 09:16:11 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
Powershell Micro Remo Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
DNS request
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Launching the process to change the firewall settings
Sending a UDP request
Launching a service
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed packed packer_detected vbnet
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria, UACMe
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Found malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Behavior Graph ID: 1543577
Sample: SecuriteInfo.com.Win32.PWSX...
Startdate: 28/10/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 9 other signatures
Processes started: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe; rRQnnfB.exe
Files dropped by SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe: C:\Users\user\AppData\Roaming\rRQnnfB.exe (PE32); C:\Users\user\...\rRQnnfB.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpE51C.tmp (XML); SecuriteInfo.com.W...n.28365.916.exe.log (ASCII)
Signatures on SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe: Contains functionality to hide user accounts; Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
Child processes of SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe: powershell.exe; powershell.exe; schtasks.exe; 5 other processes
Signatures on rRQnnfB.exe: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
Child processes of rRQnnfB.exe: schtasks.exe; vbc.exe; vbc.exe; 3 other processes
Signature on powershell.exe: Loading BitLocker PowerShell Module
Child processes of the first powershell.exe: WmiPrvSE.exe; conhost.exe
Child processes of the second powershell.exe: conhost.exe
Child processes of each schtasks.exe: conhost.exe
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2024-10-28 04:30:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
42
AV detection:
25 of 38 (65.79%)
Threat level:
2/5
Result
Malware family:
warzonerat
Score:
10/10
Tags:
family:warzonerat collection defense_evasion discovery evasion execution infostealer persistence privilege_escalation rat upx
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in System32 directory
Hide Artifacts: Hidden Users
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Server Software Component: Terminal Services DLL
Warzone RAT payload
WarzoneRat, AveMaria
Warzonerat family
Malware Config
C2 Extraction:
wznne1.duckdns.org:63196
Unpacked files
SHA256 hash:
5d258a3b1698d4ff6939c3158679a6f1d0782ca21d43f665702c7f9e1e91e3e5
MD5 hash:
fd1553515b5992184ada874165a7d53c
SHA1 hash:
1eb8f4f83185281fee03a88ff494e0462c0a0f50
SHA256 hash:
820b870b04799ecaa37c81672094e9da9b8a9f9cd63cfe7dfb8a9298aea895cc
MD5 hash:
f27160b06cd94c1ba4afe896c64912f8
SHA1 hash:
72ff1c9b90a67ab80e4cc93d6653050cb2de9491
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
af3660f059a7ea6f935563d1ec619461f8de1cf1189bacb7010e66b723c03fab
MD5 hash:
1c42ad13aba4650a55162d7b0ef0b00d
SHA1 hash:
6f57910b12e5190596f98314ebd4d0abe909d6a7
Detections:
Warzone win_ave_maria_g0 AveMaria MAL_Envrial_Jan18_1 Codoso_Gh0st_1 MALWARE_Win_EXEPWSH_DLAgent MALWARE_Win_AveMaria MALWARE_Win_WarzoneRAT INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM INDICATOR_SUSPICIOUS_Binary_References_Browsers Codoso_Gh0st_2 potential_termserv_dll_replacement
SHA256 hash:
fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c
MD5 hash:
6b906764a35508a7fd266cdd512e46b1
SHA1 hash:
2a943b5868de4facf52d4f4c1b63f83eacd882a2
SHA256 hash:
69e80e2053b50c69801f775539c165df6854ce1a322ec13b7e33b88891f33d50
MD5 hash:
8ebd65076ae14cdecd88fb251687c1b4
SHA1 hash:
0984e199c4f3b2564502bf0829f460d4d6a239be
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Parent samples :
SHA256 hash:
021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546
MD5 hash:
ad9fd1564dd1c6be54747e84444b8f55
SHA1 hash:
001495af4af443265200340a08b5e07dc2a32553
Detections:
Codoso_Gh0st_1 Codoso_Gh0st_2
Parent samples :
SHA256 hash:
066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40
MD5 hash:
32bbe58d2336cd18c22d221a3836bd50
SHA1 hash:
7b559b7160fa1f0de211afd3dcb81a41a2a7fd89
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Comments