MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 defe5a24ac909cc14b06b49ea8574ee1bc964569bf1d18d56d3dd4398daffcde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OzoneRAT

Vendor detections: 10

SHA256 hash: defe5a24ac909cc14b06b49ea8574ee1bc964569bf1d18d56d3dd4398daffcde
SHA3-384 hash: d8792238d6e3133e2c425ac315ea0e6a02c7199a9ecf91719f853c0306814226308ae3f70d63980ee9de44b232f46e6b
SHA1 hash: 543f4046f7baf2b26f91ed7478dfac8e8ec160a2
MD5 hash: 357e95c47c4b8666b0fe33277a37f376
humanhash: enemy-earth-jersey-rugby
File name: 357e95c47c4b8666b0fe33277a37f376
Signature: OzoneRAT
File size: 516'096 bytes
First seen: 2021-06-22 07:42:00 UTC
Last seen: 2021-06-22 10:39:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ae1ab9eab27f58657ef80ff5383533d0 (1 x OzoneRAT)
ssdeep: 6144:N2qZ9/jctn4K2dp2d7kw2Wzoajo0vSbSbBAhl5VoTeJHOKlcUNc+eB:N1JcBafw2IjX6+A5VCCHOK9O+e
Threatray: 5'172 similar samples on MalwareBazaar
TLSH: 8AB49D11BAB1E901E5E916701CAAD1FC9223BD2ADE43465B31CC376F3B32F219D64752
Reporter: zbetcheckin
Tags: 32 exe OzoneRAT

Intelligence

File Origin
# of uploads: 3
# of downloads: 124
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 357e95c47c4b8666b0fe33277a37f376
Verdict: Malicious activity
Analysis date: 2021-06-22 07:42:30 UTC
Tags: trojan rat netwire ozone

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 64 / 100
Signature:
Injects a PE file into a foreign process
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Threat name: Win32.Trojan.Staser
Status: Malicious
First seen: 2021-06-22 03:39:22 UTC
AV detection: 9 of 46 (19.57%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence upx
Behaviour:
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files:
SHA256 hash: defe5a24ac909cc14b06b49ea8574ee1bc964569bf1d18d56d3dd4398daffcde
MD5 hash: 357e95c47c4b8666b0fe33277a37f376
SHA1 hash: 543f4046f7baf2b26f91ed7478dfac8e8ec160a2
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: win_ozone_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: OzoneRAT
File type: Executable exe
SHA256 hash: defe5a24ac909cc14b06b49ea8574ee1bc964569bf1d18d56d3dd4398daffcde (this sample)

Comments