MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 325be1d623422763b0e16bc3c294cc5c006f6fb2ff8ddbf9eb0e45f8d8ac6853. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 20



SHA256 hash: 325be1d623422763b0e16bc3c294cc5c006f6fb2ff8ddbf9eb0e45f8d8ac6853
SHA3-384 hash: f7480ef2ffddc1dd3be109b185a23ed4503350bad63f0b10c0578fe7f6051f6c1c9aadf67805beeea00931d23015cf82
SHA1 hash: cbb20d9ad86fa8374553203efff7d6baadfaeaa7
MD5 hash: 76a9764d18535113e206f661a70764a3
humanhash: lithium-enemy-twelve-blossom
File name: Purchase#Order630080.pdf.exe
Signature: AveMariaRAT
File size: 891'392 bytes
First seen: 2024-11-01 16:10:13 UTC
Last seen: 2024-11-11 10:46:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:GvfVhpeMc5IFhtCIUQvihNEJYcxoWUgL82DsijKZF61:GvfVs5oEIUTE9ygAzijKZs
Threatray: 4'199 similar samples on MalwareBazaar
TLSH: T1DE154AE036A2E736DD5D2670705CCDBC92601E2870D479926EE93FAB3DBD2918938F11
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
File icon (PE): PE icon
dhash icon: c9c9c1d4d4e8d4d4 (5 x Formbook, 1 x VIPKeylogger, 1 x AveMariaRAT)
Reporter: abuse_ch
Tags: AveMariaRAT exe RAT


abuse_ch
AveMariaRAT C2:
185.29.8.102:3312

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
185.29.8.102:3312    https://threatfox.abuse.ch/ioc/1340477/

Intelligence


File Origin
# of uploads :
3
# of downloads :
211
Origin country :
NL
Vendor Threat Intelligence
Malware family:
avemaria
ID:
1
File name:
Purchase#Order630080.pdf.exe
Verdict:
Malicious activity
Analysis date:
2024-11-01 16:16:40 UTC
Tags:
rat avemaria remote warzone

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
powershell underscore
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
masquerade vbnet
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria, PrivateLoader, UACMe
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected PrivateLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Behavior Graph ID: 1546886
Sample: Purchase#Order630080.pdf.exe
Startdate: 01/11/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
Process tree (dropped files and per-process signatures as recorded in the graph):
- Purchase#Order630080.pdf.exe (started)
  - Dropped: C:\Users\user\AppData\...\gQTqITyyTQFHV.exe (PE32); C:\...\gQTqITyyTQFHV.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp7989.tmp (XML); C:\Users\...\Purchase#Order630080.pdf.exe.log (ASCII)
  - Signatures: Contains functionality to hide user accounts; Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; 3 other signatures
  - MSBuild.exe (started)
    - Network: 185.29.8.102, 3312, 49733 (DATACLUB-SE, European Union)
    - Dropped: C:\Users\user\AppData\Local\...\softokn3.dll (PE32); C:\Users\user\AppData\Local\Temp\nss3.dll (PE32); C:\Users\user\AppData\Local\...\mozglue.dll (PE32); 3 other files (1 malicious)
    - Signatures: Found evasive API chain (may stop execution after checking mutex); Contains functionality to check if Internet connection is working; Contains functionality to inject threads in other processes; 5 other signatures
  - powershell.exe (started)
    - Signatures: Loading BitLocker PowerShell Module
    - WmiPrvSE.exe (started)
    - conhost.exe (started)
  - schtasks.exe (started)
    - conhost.exe (started)
- gQTqITyyTQFHV.exe (started)
  - Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  - MSBuild.exe (started)
    - Signatures: Contains functionality to hide user accounts
  - schtasks.exe (started)
    - conhost.exe (started)
Threat name:
ByteCode-MSIL.Trojan.Spynoon
Status:
Malicious
First seen:
2024-11-01 14:19:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Result
Malware family:
warzonerat
Score:
10/10
Tags:
family:warzonerat collection discovery execution infostealer rat
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Warzone RAT payload
WarzoneRat, AveMaria
Warzonerat family
Malware Config
C2 Extraction:
185.29.8.102:3312
Verdict:
Malicious
Tags:
ave_maria
YARA:
n/a
Unpacked files
SHA256 hash:
77f40a5b957f9cd4ec858fda1e559372df8f7688cff656051c3e7668560ce0ff
MD5 hash:
606189fc0633b10674eda2b2ad7f3a6d
SHA1 hash:
e3caa412034fdbb749cba64bdabc3dac5de0ced4
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Parent samples :
SHA256 hash:
8acae0a22167687fd9984e1a384e12fbdeba48bd609b502ce7b216e5dc3cf012
MD5 hash:
78a4e204c083380f892cd536414d9eb5
SHA1 hash:
af5a1ee4cb1386b004644be9ebf587961aaf2a7b
Detections:
Warzone win_ave_maria_g0 AveMaria MAL_Envrial_Jan18_1 Codoso_Gh0st_1 MALWARE_Win_EXEPWSH_DLAgent MALWARE_Win_AveMaria MALWARE_Win_WarzoneRAT INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM INDICATOR_SUSPICIOUS_Binary_References_Browsers Codoso_Gh0st_2 potential_termserv_dll_replacement
SHA256 hash:
ef1de579e2d562d9773d3213f8db59d4a7d15476267f15528d748c5e96eedd25
MD5 hash:
8d5275d09f9e5d9a0eba8a7127378e48
SHA1 hash:
762fbf5980ee18823666179cf57ac36ae83faf28
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c
MD5 hash:
6b906764a35508a7fd266cdd512e46b1
SHA1 hash:
2a943b5868de4facf52d4f4c1b63f83eacd882a2
SHA256 hash:
021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546
MD5 hash:
ad9fd1564dd1c6be54747e84444b8f55
SHA1 hash:
001495af4af443265200340a08b5e07dc2a32553
Detections:
Codoso_Gh0st_1 Codoso_Gh0st_2
Parent samples :
SHA256 hash:
325be1d623422763b0e16bc3c294cc5c006f6fb2ff8ddbf9eb0e45f8d8ac6853
MD5 hash:
76a9764d18535113e206f661a70764a3
SHA1 hash:
cbb20d9ad86fa8374553203efff7d6baadfaeaa7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                     Severity
CHECK_AUTHENTICODE          Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high

Comments