MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7
SHA3-384 hash: 9597d1e6226c1433c61c9e3a2d22125f68e6f607e8fa086a81b27d5fec5a5206cf6e560c13185844685a82624ec27161
SHA1 hash: 53c469573725b764dfe5e262b9a0d67419a4df4c
MD5 hash: c6223c55914673031d7f7bbc5e7f081f
humanhash: magnesium-single-ink-uncle
File name:TBIG.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:14'545'920 bytes
First seen:2024-09-03 02:23:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'450 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 393216:LxhzkMxhzkaxhzk4xhzkuxhzkAxhzkOxhzkwxhzkuxhzkExhzk:Lxh1xhfxhhxhzxhhxh7xhJxhDxhtxh
TLSH T19CE623182305C913C2AA59F44562C675A3B85DD1A123E70BDED6FCFB3A9B3C3542268F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 928a8c8ea2868a92 (1 x AveMariaRAT)
Reporter adm1n_usa32
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
406
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TBIG.exe
Verdict:
Malicious activity
Analysis date:
2024-09-03 02:23:56 UTC
Tags:
netreactor warzone dyndns
Link:
https://app.any.run/tasks/27597013-110a-4507-88f1-539f3dcc3913

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Taskun-10034911-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66d67347f3d7ccf99f8fa5df
Tags:
Execution Generic Network Stealth Trojan Warzone Warzonerat
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Creating a process from a recently created file
Moving a recently created file
Searching for the window
DNS request
Connection attempt
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad0b3479-5a2f-4a33-b3a5-12bbbaea4fea
Result
Threat name:
AveMaria, UACMe, XRed
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1503183
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Drops PE files to the document folder of the user
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Yara detected XRed
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1503183 Sample: TBIG.exe Startdate: 03/09/2024 Architecture: WINDOWS Score: 100 109 victorybelng.ddns.net 2->109 111 freedns.afraid.org 2->111 113 5 other IPs or domains 2->113 127 Multi AV Scanner detection for domain / URL 2->127 129 Suricata IDS alerts for network traffic 2->129 131 Found malware configuration 2->131 135 16 other signatures 2->135 10 TBIG.exe 7 2->10         started        14 qCqbTEC.exe 2->14         started        16 Synaptics.exe 2->16         started        18 EXCEL.EXE 2->18         started        signatures3 133 Uses dynamic DNS services 111->133 process4 dnsIp5 93 C:\Users\user\AppData\Roaming\qCqbTEC.exe, PE32 10->93 dropped 95 C:\Users\user\...\qCqbTEC.exe:Zone.Identifier, ASCII 10->95 dropped 97 C:\Users\user\AppData\Local\...\tmp264D.tmp, XML 10->97 dropped 99 C:\Users\user\AppData\Local\...\TBIG.exe.log, ASCII 10->99 dropped 173 Contains functionality to hide user accounts 10->173 175 Uses schtasks.exe or at.exe to add and modify task schedules 10->175 177 Adds a directory exclusion to Windows Defender 10->177 179 Contains functionality to detect sleep reduction / modifications 10->179 21 TBIG.exe 1 6 10->21         started        25 powershell.exe 23 10->25         started        27 powershell.exe 23 10->27         started        29 schtasks.exe 1 10->29         started        181 Multi AV Scanner detection for dropped file 14->181 183 Machine Learning detection for dropped file 14->183 185 Injects a PE file into a foreign processes 14->185 31 qCqbTEC.exe 14->31         started        33 schtasks.exe 14->33         started        35 Synaptics.exe 16->35         started        37 schtasks.exe 16->37         started        39 Synaptics.exe 16->39         started        115 s-part-0029.t-0009.t-msedge.net 13.107.246.57 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 18->115 file6 signatures7 process8 file9 81 C:\Users\user\Desktop\._cache_TBIG.exe, PE32 21->81 dropped 83 C:\ProgramData\Synaptics\Synaptics.exe, PE32 21->83 dropped 85 C:\ProgramData\Synaptics\RCX373.tmp, PE32 21->85 dropped 87 C:\...\Synaptics.exe:Zone.Identifier, ASCII 21->87 dropped 137 Contains functionality to hide user accounts 21->137 41 Synaptics.exe 5 21->41         started        44 ._cache_TBIG.exe 3 2 21->44         started        139 Loading BitLocker PowerShell Module 25->139 47 conhost.exe 25->47         started        49 conhost.exe 27->49         started        51 conhost.exe 29->51         started        89 C:\Users\user\AppData\...\._cache_qCqbTEC.exe, PE32 31->89 dropped 53 ._cache_qCqbTEC.exe 31->53         started        55 conhost.exe 33->55         started        91 C:\ProgramData\...\._cache_Synaptics.exe, PE32 35->91 dropped 57 ._cache_Synaptics.exe 35->57         started        59 conhost.exe 37->59         started        signatures10 process11 dnsIp12 149 Multi AV Scanner detection for dropped file 41->149 151 Drops PE files to the document folder of the user 41->151 153 Contains functionality to hide user accounts 41->153 169 2 other signatures 41->169 61 Synaptics.exe 41->61         started        65 powershell.exe 41->65         started        68 powershell.exe 41->68         started        70 4 other processes 41->70 117 victorybelng.ddns.net 80.85.153.10 CHELYABINSK-SIGNAL-ASRU Russian Federation 44->117 155 Antivirus detection for dropped file 44->155 157 Found evasive API chain (may stop execution after checking mutex) 44->157 159 Contains functionality to check if Internet connection is working 44->159 171 2 other signatures 44->171 161 Contains functionality to steal e-mail passwords 53->161 163 Machine Learning detection for dropped file 57->163 165 Contains functionality to inject threads in other processes 57->165 167 Contains functionality to steal Chrome passwords or cookies 57->167 signatures13 process14 dnsIp15 119 freedns.afraid.org 69.42.215.252 AWKNET-LLCUS United States 61->119 121 drive.usercontent.google.com 142.250.186.65 GOOGLEUS United States 61->121 123 docs.google.com 142.250.186.78 GOOGLEUS United States 61->123 101 C:\Users\user\Documents\~$cache1, PE32 61->101 dropped 103 C:\Users\user\Desktop\._cache_Synaptics.exe, PE32 61->103 dropped 105 C:\Users\user\AppData\Local\...\RCX1D26.tmp, PE32 61->105 dropped 107 2 other malicious files 61->107 dropped 72 ._cache_Synaptics.exe 61->72         started        125 Loading BitLocker PowerShell Module 65->125 75 conhost.exe 65->75         started        77 conhost.exe 68->77         started        79 conhost.exe 70->79         started        file16 signatures17 process18 signatures19 141 Antivirus detection for dropped file 72->141 143 Multi AV Scanner detection for dropped file 72->143 145 Found evasive API chain (may stop execution after checking mutex) 72->145 147 6 other signatures 72->147
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-09-02 22:35:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
89
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jaj2lec3eabzmx7bafk4rwxtzw5voal26asihjj2fvokcgusod3q._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat discovery execution infostealer macro persistence rat
Link:
https://tria.ge/reports/240903-cvp8cawckd/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Suspicious Office macro
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
victorybelng.ddns.net:13900
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dcac732e-9b78-4fde-ace6-592c91a64d4d
Unpacked files
SH256 hash:
c4eb4e78b43f7d778305eb8236a15eb16ca72688ad600cb7fe06a572dadc89a0
MD5 hash:
e3c41f68f31cae09f42e6cf8908fc53a
SHA1 hash:
d3e01340008ede725822e9de5c196ecc14bb6e47
Link:
https://www.unpac.me/results/60d9e7c5-2e71-4a72-9f4a-41b058b121db/
SH256 hash:
8ded42c9497f99dd8b747b8da9c7963e6fa3d6e7f3622ef1fbaa04b50efe9d17
MD5 hash:
7017a883e86a0e5bdc2ab2d18534cdf9
SHA1 hash:
b40fc9e21fa53ddc9b4ff6cafc7d0b591bfc34a8
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/60d9e7c5-2e71-4a72-9f4a-41b058b121db/
Parent samples :
8f81ed1c250530c6a24f60a8f0c39f48bd2c98f08e6100bc8f844fc3a53c6909
7534c32fa2dff5d752801f84545c23d8c09b7b8a698a61169a9e1a851699120c
7e9e2285a304449495c336285f1f7f0153c175ab2cd5c35492d6565d89c8c137
6cc066c3a33644d8a54496de97374b7a8804b490f7d3ca66c62c1bc6cb695fa5
72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696
db87b7e683d92aa8d013663c6bc6ba116023af2cb7f9ec6c2ad88694235f2b12
d6cbd0b24b82cebe1a66094b0678d66c5f508f5a1c98d7143de9d1871daeffc3
72e3890b8af3c836705f640704aa03680b1092e5c021a2bfff35d931062bfd89
13f0a05e86fdf85e8891b494574421ff3da0be5e7a71e48f7e32f6c9f35eb2f7
7d50338fe1feeb6944bfd552e44f266d764dafc089b853a6ee24f67ef322c124
9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8
943d44f043396e794716c4d82c4345e749eead0807592339cdde186a7bd83c51
a76d6e19ac59db6afea91b625c29f06f25316ccb74e1b7bdd59c68cb0aefac34
b9996528bea4f182b005ba60e72f604602f0749e5b083a013d6096a3960052d2
00082a148e8eb6745164c0cbf7c142539ada8fb4004deb8b3ae028b7181c552b
053c940f835b1c6624b6b0421b680da5c984b056734db107a7d6c8dfbe1837fd
8e3db35284b6e1ea560c14a69ea4dfd6ef8e27fe9974a609116d00f2d764bfeb
e7573cb6869df680fa42552e27b1a6bd2cd5a76c48b1660a41897dc30a0e53ba
f8353eb981e7fce8af5663a30b6ad844d44d7eda87ff717f85f0046e3c065985
ee6a1171d804498d93b3877e1649a3f0075ffad676875c875e4778823323692e
35a9609805bde63b4e22255d365fc6a61724fcb9f8456899bb085b76f0160d5d
d00af7d1aa35864537045299a782f3b010d5fe3a7e40bbe04846a2baa07a93a3
75a2f037e46961ac9e70ac8a8d52f06b4b20786ac7ac596abbb039c6a2715430
d3c4f42060fe5520553f915832b413f6f8f0f55307646f86b44b150389069463
40cebb630f935210e93b1e5569a1181a0c19cee3c4c129550dece7add29f27b6
f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d
013f695b5ec6d00214cc5835bb446a73382871e90cb17c6d8922c3b3ef7484c5
8b9ed7cbe84b68a9b190a2cfc34c605bc1e2f3851f8eeeb84d4313d8b42431ff
c9f0c595e62ee31b17e1b62cc7be551a1cd46c3395a282fead293a5033674328
046735ced511c1064c2ea51fe6fd55ea1dc5a2d19e608bea4c8df9f8f376a78d
29fc4ec2272e265faf58a71365d463e953c20dcfa192b6208a1fd6ddd25a7f11
4da4d8e83255158a09663b9da8faaecae3a0a9175571aee37567f224cb34e694
d100685c3e62fde73e33854186142c68d4fdab117a4c2eb11a1c73dc362a1277
81ed143389ad903c7669aa1da459fbda5b0d93a157ddddb7ddc1ff8e22b97e96
e762546dc786deba408a71f5cb8369a84e56e07c21e75ac56a4a7dad522b28af
878f318722d59f4bf5e617bf4daef2f12f539170f16d5b263d816a03b9d5107c
1ee774ec1cf70a9cbb1a383d7c7c61156308d936e070a0b8e726b9892dde2ca9
ae284655948354c6ed48e95cf2aaa058d376ed19d2aa69aa38eecea72ee2f576
6fce035d54888d7895091ecee886b64043cbcb5cdb410457411ae156a822973c
576f4658c5c58273967350871dfd6d60e64d54d772c812f8507de67d4784f6ff
03bc82a58bda7eff17320728048c0d37fa376a64f08504e7c0454b743790d5ac
1fb620b3a5fef04e16e34e800f05b3cb7cbad920b33c66d799d305ad15801224
dcb417103bd0f315ba7cd30f1eadfca56a56122caec7ce4afe96b410931f43e6
7bc7edf2f2fafaa8457fb596cbbcdedafd23544d75e739e777b73790965df6bb
584022a11fa25bc77ada9ec361c791001f8d8da848930b386f42841d9e0be7d6
93af04866fe94141664174864c6965777d7f78897a27ca858d6f79b653ca943a
23b9b4a46c15c5fa3b7445e8041852f3dc831547903250209ca738b1a17fb7c2
ae082792bb09ee973564e6e71c92f547fcbef3fd5d6c3b4f8e2172044cf2591e
496ba3f23ddaf5c1514228f1ca90b1de4392a159eaac3ecbd5fbe3fbb28f819f
bd0e1cfd8ac5fef73e78b0a784c11682ed8d3120e6293d7d87425e5cd65d91eb
e0b9c05954186f5d54bcaf95e425448540d4a0fdc6cac1a12899bda66e38ac37
3a4cfc46e94f08076d2ada85e0d51cf06695bfb54ad5f37c316c70d582839d15
94338a235c9207ba31032496ba04d39ae887a3155c15d57347307df2dfa16242
7ebbd7733c41e5d8d4071ac4bccca6f76577d8dda2ef2a6723b90414f444454a
d613473068f000318d1015b85a0f49f9191263041ae8debcc7250876ae146304
4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7
cda34c7ddc45a0ac67f0f3745b91686c285bc86f108c5c2deb36c1c3a0fb5a4f
0876a062221ba67194143bb2b1fc83d87b22860cf5e8cff64239b4b9dc251d11
7fb1caac122f0f3640e234a54256f2a97b44bdd0881124191c352c7e797b7dc2
SH256 hash:
6acc5d6df27e7a7c84a02305b36188873a3fc0c9cefcbecb82af0c6a1609047c
MD5 hash:
20d04d15be1f8344803d537c208844a4
SHA1 hash:
965b5b2bad3428cb11b1988247b6c593d64e6a3e
Link:
https://www.unpac.me/results/60d9e7c5-2e71-4a72-9f4a-41b058b121db/
SH256 hash:
f8ec93f6f96db34a65e4c2826a9ef3e74d7b5b6323111c178d4376d3512c9ff5
MD5 hash:
9d07df4f2ba3990894350c829586a0ee
SHA1 hash:
358172b41f8508694c2aea49a3d92d2233da6629
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/60d9e7c5-2e71-4a72-9f4a-41b058b121db/
Parent samples :
7ebbd7733c41e5d8d4071ac4bccca6f76577d8dda2ef2a6723b90414f444454a
4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7
SH256 hash:
e1b446694d8ba35f4a97238530273bacfb0ac80fc0afa3a6670a2c11408fa359
MD5 hash:
9fff575f3471d0303283ce67a430d4b2
SHA1 hash:
35508541bdb0d9afaa997acc1b7808d0f2238012
Detections:
Warzone
Create hunting rule
win_ave_maria_g0
Create hunting rule
AveMaria
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
Codoso_Gh0st_1
Create hunting rule
potential_termserv_dll_replacement
Create hunting rule
Link:
https://www.unpac.me/results/60d9e7c5-2e71-4a72-9f4a-41b058b121db/
Parent samples :
7ebbd7733c41e5d8d4071ac4bccca6f76577d8dda2ef2a6723b90414f444454a
e492ab74db73fb05a78112868596383e27ad49d8a2aa82a34611eea44a23a1ef
9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b
e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6
4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/60d9e7c5-2e71-4a72-9f4a-41b058b121db/
SH256 hash:
fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c
MD5 hash:
6b906764a35508a7fd266cdd512e46b1
SHA1 hash:
2a943b5868de4facf52d4f4c1b63f83eacd882a2
Link:
https://www.unpac.me/results/60d9e7c5-2e71-4a72-9f4a-41b058b121db/
SH256 hash:
a1364f6fcb74ff76b1038e6c8871b23c1d5e2e28324bc365af512c04d791003c
MD5 hash:
b7d1a9faf64911bc6429be983d82668f
SHA1 hash:
09b5f838d19a2e82b86ec751bfe726e3d89b1017
Detections:
Warzone
Create hunting rule
win_ave_maria_g0
Create hunting rule
AveMaria
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
Codoso_Gh0st_1
Create hunting rule
Codoso_Gh0st_2
Create hunting rule
potential_termserv_dll_replacement
Create hunting rule
Link:
https://www.unpac.me/results/60d9e7c5-2e71-4a72-9f4a-41b058b121db/
Parent samples :
7ebbd7733c41e5d8d4071ac4bccca6f76577d8dda2ef2a6723b90414f444454a
4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7
SH256 hash:
021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546
MD5 hash:
ad9fd1564dd1c6be54747e84444b8f55
SHA1 hash:
001495af4af443265200340a08b5e07dc2a32553
Detections:
Codoso_Gh0st_1
Create hunting rule
Codoso_Gh0st_2
Create hunting rule
Link:
https://www.unpac.me/results/60d9e7c5-2e71-4a72-9f4a-41b058b121db/
Parent samples :
41b6843f504506bfe5a47155873b5e8d4a10382e6bcbbaadf069bc5d216c8b53
273c7d66a2746646c43e4c870ea99def6bfb8d7210cafac4eeda64c50b2f8e83
0105bafb9a326de3ee23e8d01a0b0bd3216a3de3906e28c10c3cfa4825939161
426bb510c18d37da520b953e633c1dca9d950b2d8fc06e550cd9cbd1e08d7b2c
4df8c432a1d5153c687b60c3031648c6ac198cf96b44cb15f1d28f758aa213e5
57bcf0394886e8bd03578d317aebab8af7195e007dd1636b266073b282b43848
95a91cc096986a40b10a03f3376eb7de4b3c83e7742b667f7c2f6bef13ccdeb9
661435185812c66992daa150269ffbd8661c06a6d0847cf8b5e49dbdcffb677f
9fc23786a7059b7e7bfb19582fd5f96b91c86812ccc32aa9c7722e85e16590f8
d18059bfd5e9a4d0e07a953fb8c86101ecdf77f9b7e9e80cf6099fb40506bea9
a579e6d169f7af0c31de4c24bd4a8d3e05f46145a5d219850124fd1e11628349
9b550290b925e68da43d0254e187f3bd53d73778e2fec286ebe66db8da1a5dd5
4966546ac0b90d093d0e2ef5666566b76cebae4b6e02f5a6b9f24a56b7ab049f
963750cdc4a1d1586b16d85a4853a5a48d64b5a79d740895ed8aa33afe95f5c4
000dd50b2f3df84aa499e38e8a88994b92c14556c517cd26237eacede1130c3b
c5a55dd1ecb98f43122a554288baa4e7e0ecdb81e30557db4c19fd833f145107
9b91ef0fbd1439f0e7b13a7d234d0574c6db6a07ea1e2842fbe7d2e4ab4042a9
f4e31d0e6efa4955d4023413ce6658406decbb31b954e822b92d31e3c12956de
447263ca2619e641d0a52b475b2de64ae9c852048415e31897bccbcb615c4927
a3980c5f653e99fe53dc88f60a9ca1b4954b8cee932085ea57b1f46b9c7ab4c1
3c36d574e4005d919706e2945a25f6704d48ea69b5960bdc544e59cc4e3295cc
59ee15056c8ca8f240ba10fe20a523e3dc315cc0304f1f1abcb2913d701d4f23
01dbf52c9a79ce268fa7b5ab876ab6c8a8e6d5d5de70ccfacd11ca169e83908a
46a870926fb693596e4fea1ff6ed4bd228d8cc63a9e285997ded48b1484ab3f5
89e0d97c3f6b79962f97e02152cff003f17d940f973d762874576dab2bc3a312
c8731f7db8cff30881c306796850704a66edb90501fad4952822bb09624db618
d2d549d6dd5d017ce1b853932513ec389de11e6443fe466487b2ed2e1528b857
31b26582627d2978052cdce87ae338c2e78a029f7676365e1583c05528afada0
80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66
913377afa6c3d7afb49a491f830d52a33353349819f0e91157a01dc8336ac5b3
7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c
198c5a845975abb97bec91f98df18522db41489cf5b972445600b2c0e3faa828
13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310
2eefb5dc5aae0ca14290ded3490ec8ae44c88fafdac0b062bacd8b9bd1497eb3
32d376bc206926ca6f299e97d04644b68e6a863ac4975bf4a804bd120e82aeab
decfb2acfa48419eb5c32541e8b99aa142ed856a2969012374c2a30f8bd7db70
dd1fa6cb67aa97468e62afeec6bfa9c1cb52f5acf029ab77a0fdd2e34cd50a21
19dba570adb979d9063882d8dd6d880d1f37f25e600cc07097646946ebc947a2
de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488
0246d4eb99473ba449b98548167d0767b68b075749a8962d0573851f505689b5
bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a
3e4da5132877e955fb455e58e300b56033c07a6d2709b386fdc5c43a88e1c499
d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e
7c6c180635f5329b270bfa6fd56ec15604cca270687d0a0bc2fc5edd78dc4c9c
90f4e7731fc41021b7ce9f9d15704c9849cf3215161585721a370745f7392e71
61a8d6678098ddfa8d1b418cc5d851823d6b09bd5bb4fcf68f0f0797abe61873
6f00f39f32bb3556f024b6e877337a8e6ba5a2feda5d1187e85684de23471ff7
037165fd0435a477539e437c28f25a2e188d0da72b7573aa7d85b26eb34feef7
dbf293d123fe98900bda70549ce336f08f5ff99372d5f8dca4869376bf068416
d677958e05d8e8a3424225fd62da4a68c9401aa13658ecb9d6dbff18372aca85
2e5f3807db334c44e20f17624cfa529304327387e4795c561374379725acde6c
a6c7f1f1e73b612bf2c34e4b6193dd41f75ec0298c694e3600756a79da348152
f9ce9a047b096cb954193ac49049ccb28a476aa8c202f09aea38eae3cb283387
6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4
44337a866f639a40a3730a29a44dfebc9f6828148b409c057969c27987c84dbd
e9d0af516a8d65649c6850b69ff15e65cba280f8d44dbc505882dd16cf922320
f9ebef99fedb86176dafbdecb67a9f600be7f6acb1299deeeb40d4a689018f1c
f901f4b9437419d09352abcdec1a1e7bb1b511adbee059c42695753575b2b77c
91d4c54eb5e24448922894a73d0a3ca2b0a84caa3d2a5526e57098791ad75f73
2769012a5682a98b6f68e4e50157077fef4dc0853654c68986837f17b1c6451b
7ebbd7733c41e5d8d4071ac4bccca6f76577d8dda2ef2a6723b90414f444454a
e492ab74db73fb05a78112868596383e27ad49d8a2aa82a34611eea44a23a1ef
9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b
e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6
4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7
f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d
5483462ebe9bc5efca3315a9f2ce6a82f0469980e164aa16afecac9ebf13b57d
ea48def5335b8e664304ae54ff020858a1cb8a804d21f1c474c21e4ef2213073
3e90bab5c79be10c283f3752091122910f7c5b9f35428a37eb0250d244d01f94
5f51bf583798f714b2c84e3b6ba30b32b15a12ac308a52efbc950ae406216ad8
e797bb75f04bcac68e688769585623a306a0442a5614f28cb1a38d4232f525ec
066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40
325be1d623422763b0e16bc3c294cc5c006f6fb2ff8ddbf9eb0e45f8d8ac6853
3790861e8c62040dbb2dd3c290d1a2738cef6b04fd38de2d37ba58708838ddab
2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242
f3165a426e73b3dce639c5f44c0c6dca403a363fa07abf4458e61f7a61d7d880
cc0fdb6946afd11917588ce448b752e3f49debcd09d2e4d6c6d04cc1dc774e92
eb2ecf9b7aaa6a3d36d66aac6cc107c09c0518a06272f27ae17f2430c1d7a70f
8711c0444e0e2869118f577b3e28776c75d0845691bac42cb92005cc97c62b8a
99257e66c5904573be6b6316fbace99d9cb4ac2806b88c6e1e1c04787a2f4bd3
1f6feae633a783cf6ef08eee6b65049fe5b692c8a743af8967984e2e212a06b5
4fbea9806312eece3dd8523cf6c9509cedda1abe14fdc55bf793606dffe6c053
044ff15e8d3c9534c11c3719bd88a8302611c697ae888b23c768cec52f1970b6
aaae2a95d3c2054414d9b4cd55405563c1059ac881d9252ce338ecef1a25f857
bd2104c458f1c7197b830efb636df4741232585d55334fcdb6e37e8657571c24
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
c3dc5d9c25e3ef368835ad761bc9b0650170a018d70f93869608105375b73019
b20f2f7de684b2b10149825c4b86e14fadc7e19d5d41cb7b180bee28a1def030
bfb1b045ee5fc2bc3e4ca29683d695c36cc033ed43c0071385907400bc09c7f6
4f52022aa6286c18573e79cb079d5c9a01382bf1b4685a5a0dcc72cd6307b277
ce69de794ef8654455e9323c8dd184a507c39bb319b9c1b34fce460deca631bf
e784a1f8667b80617e5e26ab23f4b101286dd5bddb9629ca59d272ee3267e3ca
37aad7dc61ea841a62ed160802b822c35a0110f3e0be393b0c43a7fae8e96c65
1b9e1710ba83325c36ba9496bb3ff924a69326d07f62afec79ef74adbfcf27f2
3e3fc0ee150a9b3e97a1306c1929076d637f3c6ce3dbddcf30570330e40bf609
efed6ec2f8d3190bbf49a8c62a73c80878a4b7968baabfcff38cd0c3b06d4cff
d14140f160c6659a0848ec2b808bd37739af9b8a28d6d8cd7fc607ab845ab026
7f7089400087e55dbe741b1b137a6712f22d80b67c28215000b8f15787322dc2
429aed088fe3b2dc4cf969687d3eb7412bc387a9f6a7c68b832613630e8c527f
93fbcce3b23629eef2b3ed15e67b61cd5ba82f6a4cf4933b05ee3a1cb17b0523
ba63290ef5e3c1d1e2881879708f9fc793792f1f8ad36bcc8d2cdda9dc3e7ec8
7d784959adbb08754d954aee02c959a1a7318c54d04bccee906952cdbf090ea6
89389da3d32117ac9a495120372591cd36bff66f55ffc0e2e53ed8d64458d433
52c5297a7066438d5ec5ce3e897b7fe3eb642dca0b30aba3cc28866cbb05d96d
21ab6c559c1f1c445e9450f180e252e78799374ebd5d3b0e6384afd3eeeee20e
796364acf14011fa3902103655be7328eef8e3c5bd8635cac4820b5757ec9d13
c8f5d3f153fab81b07f3e666e13bcbd01d696a7efa4ae0c8dc81c054443e5b67
a3d362e58a6aa1b9d9d9ff542c65dccef0423e52dc8d11df2a515be8258ff3ac
090d906fa847c480583c96b467272b407e6c820d0d64b454e6e53dd51d113b03
90da1d87ebf79eefc2a035cc6311b9a26ff17804d6561c9f8253f4189d1c1f57
c33a5d3fd76760bd1657a2007d5ae2ba55155c0fd3ef9bb7e771e41c084158e5
237358a60a6aeaf9e2f5247fdf1c2cc04e3e3c0ff57e2c03b799d10b770361f7
cd4b8eb7fa51767c3cc1942e3523e99026062f95dfcb0428033dd7b706db8481
c90e5c5f118bfc7417e1a43d8ec7a1d6e91a730f336a47799b81f16a0fd6d69c
614f6326a378a9c583fc7de320ea6a60a78706283ec087afcb349ca75c083807
f19253d1e2423e2613b27354b1d8670fc63ffbb2d194ebf00e2323f712141648
93ddcee5487885a9825538b723ba30214b827617f85aef5558d232545171e8f6
2921a0fa40963ad342875ba6fc57c1629caa800f834ebf516a6cf6a59f467212
d371d9409cca4b22d1e90df46524f7112e06bf74a90f65f236957b63fdad2c1b
4822c68976983fb6be04a489ecb0ee85233585040f94599ae1f40e91a815d3d3
12a6b979da40489d768e28882836de2434009bcb436c2901772bed7633d88770
SH256 hash:
4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7
MD5 hash:
c6223c55914673031d7f7bbc5e7f081f
SHA1 hash:
53c469573725b764dfe5e262b9a0d67419a4df4c
Link:
https://www.unpac.me/results/60d9e7c5-2e71-4a72-9f4a-41b058b121db/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4813a5905b20/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ave Maria
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments