MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
SHA3-384 hash: d34db05de4d3bdafd0f8a79aceb38f250c03803e2d0b9cac429c33b02ba51a6cd14212eeed7915ba716d9d75666502fc
SHA1 hash: 6ca1c47f85abaed4a3cc414b6200360ca658b2c5
MD5 hash: f801b47ec91f5f75b0f5804506665b14
humanhash: robert-purple-shade-eight
File name:first_payload.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:515'584 bytes
First seen:2022-07-31 14:00:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9222d372923baed7aa9dfa28449a94ea (11 x AsyncRAT, 10 x RedLineStealer, 9 x NanoCore)
ssdeep 12288:P4M94zG8TzhIBISzyvK75jVtxrZY/NLYdT9FSDQEMF:Pf94D+BTyvqrZY/N8SDQF
Threatray 2'451 similar samples on MalwareBazaar
TLSH T197B4BF1A3BF88435E1FE463209B15354CBBAF8221626CE5F57C0A5591E79BC0CD26FA3
TrID 46.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
19.4% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
17.3% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
7.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
2.4% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter 0xToxin
Tags:avemaria exe SnakeKeylogger SRRBomber XpertRAT


Avatar
0xToxin
invoked from Bunifu.UI.dll:
https://bazaar.abuse.ch/sample/5e97ccd8dafcb36b3cb772f6a2fd425abcf221ab9ea1930e8c2618c95332f2c6/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
109.206.241.246:2442 https://threatfox.abuse.ch/ioc/840573/

Intelligence

File Origin
# of uploads :
1
# of downloads :
415
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
first_payload.exe
Verdict:
Malicious activity
Analysis date:
2022-08-01 06:16:58 UTC
Tags:
snake warzone trojan stealer rat avemaria
Link:
https://app.any.run/tasks/f6af7ec0-4be5-4cd8-9c1b-fda3791c7dab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XpertRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/295362/
Detection(s):
Win.Malware.AveMaria-8799014-1
Create hunting rule

Win.Tool.Binder-9794371-0
Create hunting rule

Win.Malware.Snake-9953539-0
Create hunting rule

Win.Packed.Msilperseus-9956591-0
Create hunting rule

Win.Trojan.004be7cd-6760703-0
Create hunting rule

Win.Trojan.Generic-6760707-0
Create hunting rule

Win.Trojan.Binder-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Changing a file
Launching a process
Creating a file
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Setting a keyboard event handler
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Blocking the User Account Control
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27902/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cobalt stealer
Link:
https://www.filescan.io/uploads/62e68b975c07b66577e0f111/reports/fa4c29a7-a2d7-42de-9119-d49fa6a2b1f1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17db9929-2d6b-4b81-a24b-59c8d9f9a2a3
Result
Threat name:
AveMaria, MailPassView, Snake Keylogger,
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043774
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Disables UAC (registry)
Disables user account control notifications
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected Generic Downloader
Yara detected Generic Dropper
Yara detected MailPassView
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected WebBrowserPassView password recovery tool
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 676268 Sample: first_payload.exe Startdate: 31/07/2022 Architecture: WINDOWS Score: 100 73 Snort IDS alert for network traffic 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus detection for dropped file 2->77 79 19 other signatures 2->79 9 first_payload.exe 4 2->9         started        12 Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4.exe 2->12         started        15 Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4.exe 1 2->15         started        17 4 other processes 2->17 process3 file4 59 C:\Users\user\AppData\...\WALL PAPER.EXE, PE32 9->59 dropped 61 C:\Users\user\AppData\Local\TempbehaviorgraphUM.EXE, PE32 9->61 dropped 63 C:\Users\user\AppData\Local\TempGGMM.EXE, PE32 9->63 dropped 19 WALL PAPER.EXE 4 4 9->19         started        23 GUM.EXE 1 1 9->23         started        25 EGGMM.EXE 15 2 9->25         started        99 Antivirus detection for dropped file 12->99 101 Multi AV Scanner detection for dropped file 12->101 103 Machine Learning detection for dropped file 12->103 signatures5 process6 dnsIp7 57 C:\ProgramData\images.exe, PE32 19->57 dropped 81 Increases the number of concurrent connection per server for Internet Explorer 19->81 83 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->83 28 images.exe 6 19->28         started        32 cmd.exe 1 19->32         started        85 Antivirus detection for dropped file 23->85 87 Multi AV Scanner detection for dropped file 23->87 89 Changes security center settings (notifications, updates, antivirus, firewall) 23->89 97 3 other signatures 23->97 34 iexplore.exe 3 8 23->34         started        65 checkip.dyndns.com 132.226.8.169, 49742, 80 UTMEMUS United States 25->65 67 checkip.dyndns.org 25->67 69 192.168.2.1 unknown unknown 25->69 91 Tries to steal Mail credentials (via file / registry access) 25->91 93 Machine Learning detection for dropped file 25->93 95 Tries to harvest and steal ftp login credentials 25->95 file8 signatures9 process10 dnsIp11 105 Antivirus detection for dropped file 28->105 107 Multi AV Scanner detection for dropped file 28->107 109 Tries to steal Mail credentials (via file / registry access) 28->109 115 6 other signatures 28->115 37 cmd.exe 1 28->37         started        39 conhost.exe 32->39         started        41 reg.exe 1 1 32->41         started        71 toomuchego.ydns.eu 109.206.241.246, 2442, 49744, 49745 AWMLTNL Germany 34->71 55 Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4.exe, PE32 34->55 dropped 111 Creates an undocumented autostart registry key 34->111 113 Creates autostart registry keys with suspicious names 34->113 43 iexplore.exe 34->43         started        45 iexplore.exe 1 34->45         started        47 iexplore.exe 34->47         started        49 3 other processes 34->49 file12 signatures13 process14 process15 51 conhost.exe 37->51         started        53 WerFault.exe 43->53         started       
Detection:
warzone
Create hunting rule
Link:
https://mwdb.cert.pl/sample/62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-31 14:01:09 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mkxeruzz4uvbww7ifzydajpsxyinmas7s76xqtka6j4b23xiq3wa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
36c35b4364b62c4d1ff2be1e1a043a10bc587625ad383dd2b4dacde157a952e4
XpertRAT
42d46ba1d5ccb8decfc1f10303c061ee7e1c9844d857de99a3ee862edd13dc28
XpertRAT
48a3b4c4a19c3edc85071280654e61f9396a2e7d486ac784a020769d0adc1ff9
XpertRAT
4b1532fa6483dfb4194a1f3fbf583f511caea6035f61e9ffad798bd58981f5a8
XpertRAT
9e2a3d4464636baff78628d870f39d1a9f3ba23da71f8c50ead2576479077702
XpertRAT
cc20314107f1e2d9f2952d28176893e1123dfa3f44bd1b089a9477b60dcf5b3f
XpertRAT
f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203
XpertRAT
fb55340ef36d5bfae56dd84e51b9aff7996ab7428fd1fcbe53dfb8fdcda244e8
XpertRAT
fec53b388671f2f82fd8c743a3695f432037caffe5f2e04ea77c206809efd048
XpertRAT
+ 2'441 additional samples on MalwareBazaar
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:warzonerat family:xpertrat collection evasion infostealer keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220731-rbjc1sgaa5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Adds policy Run key to start application
Executes dropped EXE
Snake Keylogger
Snake Keylogger payload
UAC bypass
WarzoneRat, AveMaria
Windows security bypass
XpertRAT
Malware Config
C2 Extraction:
toomuchego.ydns.eu:5200
Unpacked files
SH256 hash:
c32e5e42d788868447c4b65e2e99d57161ed62ac0ee34a1134371756b3a29bda
MD5 hash:
70a5e21750e11f4baaadf23972375241
SHA1 hash:
36b39170f384ac7f9a6c3b4f0192a42e7cd035ea
Detections:
win_xpertrat_a0
Create hunting rule
win_xpertrat_auto
Create hunting rule
Link:
https://www.unpac.me/results/d0bcca3a-4309-421e-b219-9fcd8fe83592/
Parent samples :
f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203
fec53b388671f2f82fd8c743a3695f432037caffe5f2e04ea77c206809efd048
62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
e6da15aedc54f4b4faa8df84038a7172eb010fcaa4caeb3008e7fd371597f973
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/d0bcca3a-4309-421e-b219-9fcd8fe83592/
SH256 hash:
c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac
MD5 hash:
d934bc77b8157ece0a3bbec1527cee9b
SHA1 hash:
841017a8d48040f1e0d593608c2506007ea9f997
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/d0bcca3a-4309-421e-b219-9fcd8fe83592/
Parent samples :
f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203
fec53b388671f2f82fd8c743a3695f432037caffe5f2e04ea77c206809efd048
62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac
120423f71527bac958f92cfaf06203a082324bfdb0279896404058e2ff2fe763
e6da15aedc54f4b4faa8df84038a7172eb010fcaa4caeb3008e7fd371597f973
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/d0bcca3a-4309-421e-b219-9fcd8fe83592/
SH256 hash:
34a752b9771250f512fc2528b9d019995072303504f5bb635a3247f247e0287e
MD5 hash:
ac0193fa48dee81dad73c8e4cd6ca85f
SHA1 hash:
3190a7381e43f79a96d8434b493e1d607e628547
Link:
https://www.unpac.me/results/d0bcca3a-4309-421e-b219-9fcd8fe83592/
SH256 hash:
62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
MD5 hash:
f801b47ec91f5f75b0f5804506665b14
SHA1 hash:
6ca1c47f85abaed4a3cc414b6200360ca658b2c5
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/d0bcca3a-4309-421e-b219-9fcd8fe83592/
Parent samples :
f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203
fec53b388671f2f82fd8c743a3695f432037caffe5f2e04ea77c206809efd048
62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Malware_QA_update_RID2DAD
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/295362/

Comments