MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e40093ff2134c0c7ab3cbdb58575c8e892ed7e0af9fa9721c2777fbbe7e216fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 38 File information Comments

SHA256 hash:	e40093ff2134c0c7ab3cbdb58575c8e892ed7e0af9fa9721c2777fbbe7e216fe
SHA3-384 hash:	654442186fbe2b6db162ceeaf27dfaa0f762a155851137bce36fb8dc7481eaae0059a7ca922229a528d6e6145c5a5133
SHA1 hash:	ed61ad0cb3a346b469a07cd20763d3f28a750102
MD5 hash:	e11f714458bb37d1110164c28a5796f1
humanhash:	nevada-freddie-sad-nineteen
File name:	Fast-Tron-Miner.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	2'280'960 bytes
First seen:	2023-01-11 19:20:10 UTC
Last seen:	2023-01-11 20:29:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	49152:TzeEP61UdA1RtpDlgwG20lx7xV+59phiYBF1h3tfK2ek0jg:y1UoRtpJg/lx7xY9phBF1ptC2ekM
Threatray	2'597 similar samples on MalwareBazaar
TLSH	T19AB523D5B76788D3D1AD0231601108B9532A9E1214F0E3AEB1DF1B4B4EFFBAD914BB85
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	80acaeacacaeac80 (2 x AveMariaRAT)
Reporter	0xToxin
Tags:	AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

193

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Fast-Tron-Miner.exe

Verdict:

Malicious activity

Analysis date:

2023-01-11 19:22:06 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/3efd53de-2259-428e-a34c-e7f30a04ff27

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/352047/

Detection(s):

PUA.Win.Packed.ConfuserEx-6391397-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Sending a custom TCP request

Creating a file

Creating a file in the %temp% directory

Creating a process from a recently created file

Modifying a system executable file

Forced shutdown of a system process

Unauthorized injection to a recently created process

Unauthorized injection to a system process

Changing the hosts file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/63bf0c1f0fdf1633326eb520/reports/5bcd0496-8808-43be-b213-f893d0cb2ce0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

BluStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/77820512-2aa3-4117-a506-fd73267d23d2

Result

Threat name:

AveMaria, BabylonRAT, DarkComet, Paradox

Detection:

malicious

Classification:

troj.adwa.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1149859

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to hide user accounts

Creates a thread in another existing process (thread injection)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Disables the Windows registry editor (regedit)

Disables the Windows task manager (taskmgr)

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the hosts file

Modifies the windows firewall

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses powershell cmdlets to delay payload execution

Writes to foreign memory regions

Yara detected AveMaria stealer

Yara detected BabylonRAT

Yara detected DarkComet

Yara detected ParadoxRAT

Yara detected UACMe UAC Bypass tool

Yara Genericmalware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e40093ff2134c0c7ab3cbdb58575c8e892ed7e0af9fa9721c2777fbbe7e216fe/

Threat name:

Win32.Backdoor.AsyncRAT

Status:

Malicious

First seen:

2023-01-11 19:21:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 39 (53.85%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4qajh7zbgtampkz4xw2yk5oi5cjo27qk7h5joioco573xz7cc37a._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

0b941474949e423ac573fffd588bef49af4b4e52cd7730439728e33acc7ee3d1

AveMariaRAT

0d0be8ecc5e7c7d3fb48665b5860aa8eb97d367f58af0de01e8bcff3861f4c52

AveMariaRAT

6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

AveMariaRAT

9bc9e9a3db288348e68fbf59c43df4ed9cc72a029aa70a31e0d7f325bf05b381

AveMariaRAT

9c069b3043b757ab5e67889b9f2820758ddb92823bf91678182d6386a16fd5ea

AveMariaRAT

c7c7d3174d778b6ba5c42bc03fec75cf6dbf8a594823bc583ce3739d1598d50a

AveMariaRAT

+ 2'587 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:asyncrat family:darkcomet family:warzonerat botnet:new-july-july4-0 botnet:new-july-july4-01 infostealer persistence rat trojan upx

Link:

https://tria.ge/reports/230111-x2ncjshh9x/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Drops startup file

Loads dropped DLL

Drops file in Drivers directory

Executes dropped EXE

UPX packed file

Async RAT payload

Warzone RAT payload

AsyncRat

Darkcomet

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

dgorijan20785.hopto.org:35800
45.74.4.244:5199
dgorijan20785.hopto.org:5199
45.74.4.244:35800
45.74.4.244:6606
45.74.4.244:7707
45.74.4.244:8808

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f83f7498-a8cf-44c0-8db1-28ca48932e1d

Unpacked files

SH256 hash:

0055275596d853987ecc2c41b8eb09e70bcea2ca6fd8a11f42656cc033f0e96c

MD5 hash:

b8bb03dbd6180041aabf6ae33257ab5d

SHA1 hash:

940c1a29b1e618d24ff61b268eb71aaa95373f44

Detections:

win_darkcomet_a0

win_darkcomet_auto

win_darkcomet_g0

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

Parent samples :

4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532
e40093ff2134c0c7ab3cbdb58575c8e892ed7e0af9fa9721c2777fbbe7e216fe

SH256 hash:

5be99d65a93cb939da9095688fe75ef16bb8e1078cc79135b1057a9c6bbf7bf6

MD5 hash:

8e4b748f3b1fc20bbf5485550e82a255

SHA1 hash:

88e490a18d6cac7c2f5cbaa478676119d71d50f5

Detections:

win_blackshades_w0

win_babylon_rat_auto

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

Parent samples :

6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c
e40093ff2134c0c7ab3cbdb58575c8e892ed7e0af9fa9721c2777fbbe7e216fe

SH256 hash:

63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

MD5 hash:

f2f861cc0985546a748142eaca913cfb

SHA1 hash:

f26db0c99c531261780a9f2fc3584d50328ad9af

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

SH256 hash:

ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

MD5 hash:

91bb5739afce122ddea99a91758bde4a

SHA1 hash:

f61823897e81e3cc806de9a3dd9d949418bcad44

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

SH256 hash:

220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

MD5 hash:

080b40ab05695bbb8dc38e4918b0dc7e

SHA1 hash:

8203bcc0834811a1c29bfa719ca88259c982c803

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

SH256 hash:

5dea6b136c0f5e734ee917b791ca1ff9843b454c4be68c097654733ee1ea61e9

MD5 hash:

0c3e2c9706396af22366cf1372278454

SHA1 hash:

66e198ca896942812d10613ee54fbe3b55141c3c

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

SH256 hash:

a1c783f3cc0e4311db4d5ef2758804836ec7b0d00e2049b9b1891b5c5b407041

MD5 hash:

066b28da893629b51ca4c06b25fea246

SHA1 hash:

c61c486f6795ede3be01c9985f8adfbf04cb3c91

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

SH256 hash:

cfbec78fedb39b61d4642aefba7392ab7baaec2f59afff8de7872f31181919c0

MD5 hash:

c576cbf1ab5df206c3e76da21b88698b

SHA1 hash:

6f10dc715c7f12138d7ac3ba662dad1ccd52184c

Detections:

Warzone

win_ave_maria_auto

win_ave_maria_g0

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

Parent samples :

cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df
e40093ff2134c0c7ab3cbdb58575c8e892ed7e0af9fa9721c2777fbbe7e216fe
037165fd0435a477539e437c28f25a2e188d0da72b7573aa7d85b26eb34feef7

SH256 hash:

0470230cd9e0380cf503e5cad59ba4f4046e3a22f8bde31b5ffa2a5ef5eaf37a

MD5 hash:

03fd9c107222ee982b5fa560c550e3ae

SHA1 hash:

53a7afad34e453a398eac844914d3f092c515456

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

SH256 hash:

547c87e836777ae6459dfdaaec9723f3e2b66d185b224bc43542047e261c6e21

MD5 hash:

eefc98e954f9082d01f78b2d70907a89

SHA1 hash:

c7df599cb89bdad3aed66c93580e8e0a64773106

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

SH256 hash:

6e3d7b154ed740ab32975a71cf2c42f27da8c48b9f920cd3584652b38a9d8e42

MD5 hash:

f1a8158aec19309fb492ace7bf9440ba

SHA1 hash:

2b4d462ddd6eacee86925eea57049cec0dcc34ff

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

SH256 hash:

c8fd5f5b15681ea07caf037ce81ba8b2d94279683d3a7c488cb47ef8648925bc

MD5 hash:

e657c06446072ccf871ca0c3a4794f44

SHA1 hash:

819e536992cac95b440b11c346f116d4d0de5b32

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

SH256 hash:

fa7c9b7ece2b58cbcaab8b6277de92ee2c5c80c012d65047ee25ceb27c7b1c6f

MD5 hash:

b64c07237a45e5474d8c573d2844c030

SHA1 hash:

fed29f557541b3df8b8f48415b7add6c51d2e90e

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

SH256 hash:

8ffe38b26a91e67ac8a3e6a11acd199bd15d786bf8e967b42e7e3bff3714e49b

MD5 hash:

e7361382bcc4b6d81c57014f68bef531

SHA1 hash:

dafe669c4f7b703e91fe70072874caadc89209e2

Detections:

win_asyncrat_w0

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

Parent samples :

a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b
e40093ff2134c0c7ab3cbdb58575c8e892ed7e0af9fa9721c2777fbbe7e216fe
037165fd0435a477539e437c28f25a2e188d0da72b7573aa7d85b26eb34feef7

SH256 hash:

195ef65fd31a4d96429b5eb8c0573033a8b5681cbc71c50e4341dcd403e1d048

MD5 hash:

332bd07bebda347eeb67e08ddeee2a99

SHA1 hash:

4872d87016e8b9a343916fbe1f154a89dfdca5d6

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

SH256 hash:

6abb051e04fa4a71f2f6896bfe321285a9e2ca2a3f24ddf7b9efb4a53d556aa7

MD5 hash:

92f3340b78e45adac35ece4f94a40be0

SHA1 hash:

e8781329432905cf8603a1278516645321bf2646

Detections:

Warzone

win_ave_maria_g0

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

Parent samples :

ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b
069da9838ffd1b21d13c0a1952608e29e64e7b40847ab3fb67e16cfd797ab834
e40093ff2134c0c7ab3cbdb58575c8e892ed7e0af9fa9721c2777fbbe7e216fe
037165fd0435a477539e437c28f25a2e188d0da72b7573aa7d85b26eb34feef7

SH256 hash:

fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c

MD5 hash:

6b906764a35508a7fd266cdd512e46b1

SHA1 hash:

2a943b5868de4facf52d4f4c1b63f83eacd882a2

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

SH256 hash:

021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546

MD5 hash:

ad9fd1564dd1c6be54747e84444b8f55

SHA1 hash:

001495af4af443265200340a08b5e07dc2a32553

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

Parent samples :

41b6843f504506bfe5a47155873b5e8d4a10382e6bcbbaadf069bc5d216c8b53
273c7d66a2746646c43e4c870ea99def6bfb8d7210cafac4eeda64c50b2f8e83
0105bafb9a326de3ee23e8d01a0b0bd3216a3de3906e28c10c3cfa4825939161
426bb510c18d37da520b953e633c1dca9d950b2d8fc06e550cd9cbd1e08d7b2c
4df8c432a1d5153c687b60c3031648c6ac198cf96b44cb15f1d28f758aa213e5
57bcf0394886e8bd03578d317aebab8af7195e007dd1636b266073b282b43848
95a91cc096986a40b10a03f3376eb7de4b3c83e7742b667f7c2f6bef13ccdeb9
661435185812c66992daa150269ffbd8661c06a6d0847cf8b5e49dbdcffb677f
9fc23786a7059b7e7bfb19582fd5f96b91c86812ccc32aa9c7722e85e16590f8
d18059bfd5e9a4d0e07a953fb8c86101ecdf77f9b7e9e80cf6099fb40506bea9
a579e6d169f7af0c31de4c24bd4a8d3e05f46145a5d219850124fd1e11628349
9b550290b925e68da43d0254e187f3bd53d73778e2fec286ebe66db8da1a5dd5
4966546ac0b90d093d0e2ef5666566b76cebae4b6e02f5a6b9f24a56b7ab049f
963750cdc4a1d1586b16d85a4853a5a48d64b5a79d740895ed8aa33afe95f5c4
000dd50b2f3df84aa499e38e8a88994b92c14556c517cd26237eacede1130c3b
c5a55dd1ecb98f43122a554288baa4e7e0ecdb81e30557db4c19fd833f145107
9b91ef0fbd1439f0e7b13a7d234d0574c6db6a07ea1e2842fbe7d2e4ab4042a9
f4e31d0e6efa4955d4023413ce6658406decbb31b954e822b92d31e3c12956de
447263ca2619e641d0a52b475b2de64ae9c852048415e31897bccbcb615c4927
a3980c5f653e99fe53dc88f60a9ca1b4954b8cee932085ea57b1f46b9c7ab4c1
3c36d574e4005d919706e2945a25f6704d48ea69b5960bdc544e59cc4e3295cc
59ee15056c8ca8f240ba10fe20a523e3dc315cc0304f1f1abcb2913d701d4f23
01dbf52c9a79ce268fa7b5ab876ab6c8a8e6d5d5de70ccfacd11ca169e83908a
46a870926fb693596e4fea1ff6ed4bd228d8cc63a9e285997ded48b1484ab3f5
89e0d97c3f6b79962f97e02152cff003f17d940f973d762874576dab2bc3a312
c8731f7db8cff30881c306796850704a66edb90501fad4952822bb09624db618
d2d549d6dd5d017ce1b853932513ec389de11e6443fe466487b2ed2e1528b857
31b26582627d2978052cdce87ae338c2e78a029f7676365e1583c05528afada0
80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66
913377afa6c3d7afb49a491f830d52a33353349819f0e91157a01dc8336ac5b3
7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c
198c5a845975abb97bec91f98df18522db41489cf5b972445600b2c0e3faa828
13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310
2eefb5dc5aae0ca14290ded3490ec8ae44c88fafdac0b062bacd8b9bd1497eb3
32d376bc206926ca6f299e97d04644b68e6a863ac4975bf4a804bd120e82aeab
decfb2acfa48419eb5c32541e8b99aa142ed856a2969012374c2a30f8bd7db70
dd1fa6cb67aa97468e62afeec6bfa9c1cb52f5acf029ab77a0fdd2e34cd50a21
19dba570adb979d9063882d8dd6d880d1f37f25e600cc07097646946ebc947a2
de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488
0246d4eb99473ba449b98548167d0767b68b075749a8962d0573851f505689b5
bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a
3e4da5132877e955fb455e58e300b56033c07a6d2709b386fdc5c43a88e1c499
d10c74984d4c4dab2f492ab8b31013e552108e14c202b4cabe150ca230230b1e
7c6c180635f5329b270bfa6fd56ec15604cca270687d0a0bc2fc5edd78dc4c9c
90f4e7731fc41021b7ce9f9d15704c9849cf3215161585721a370745f7392e71
61a8d6678098ddfa8d1b418cc5d851823d6b09bd5bb4fcf68f0f0797abe61873
6f00f39f32bb3556f024b6e877337a8e6ba5a2feda5d1187e85684de23471ff7
037165fd0435a477539e437c28f25a2e188d0da72b7573aa7d85b26eb34feef7
dbf293d123fe98900bda70549ce336f08f5ff99372d5f8dca4869376bf068416
d677958e05d8e8a3424225fd62da4a68c9401aa13658ecb9d6dbff18372aca85
2e5f3807db334c44e20f17624cfa529304327387e4795c561374379725acde6c
a6c7f1f1e73b612bf2c34e4b6193dd41f75ec0298c694e3600756a79da348152
f9ce9a047b096cb954193ac49049ccb28a476aa8c202f09aea38eae3cb283387
6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4
44337a866f639a40a3730a29a44dfebc9f6828148b409c057969c27987c84dbd
e9d0af516a8d65649c6850b69ff15e65cba280f8d44dbc505882dd16cf922320
f9ebef99fedb86176dafbdecb67a9f600be7f6acb1299deeeb40d4a689018f1c
f901f4b9437419d09352abcdec1a1e7bb1b511adbee059c42695753575b2b77c
91d4c54eb5e24448922894a73d0a3ca2b0a84caa3d2a5526e57098791ad75f73
2769012a5682a98b6f68e4e50157077fef4dc0853654c68986837f17b1c6451b
7ebbd7733c41e5d8d4071ac4bccca6f76577d8dda2ef2a6723b90414f444454a
e492ab74db73fb05a78112868596383e27ad49d8a2aa82a34611eea44a23a1ef
9f772e3b6f92a0f25a040c1fc12899847dfce0a8b0a331be87be264b536c446b
e30fa7df6be2d12dd90390ccad92eb721befc297b387cf1f3dca27a9166b13c6
4813a5905b2003965fe10155c8daf3cdbb57017af02483a53a2d5ca11a9270f7
f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d
5483462ebe9bc5efca3315a9f2ce6a82f0469980e164aa16afecac9ebf13b57d
ea48def5335b8e664304ae54ff020858a1cb8a804d21f1c474c21e4ef2213073
3e90bab5c79be10c283f3752091122910f7c5b9f35428a37eb0250d244d01f94
5f51bf583798f714b2c84e3b6ba30b32b15a12ac308a52efbc950ae406216ad8
e797bb75f04bcac68e688769585623a306a0442a5614f28cb1a38d4232f525ec
066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40
325be1d623422763b0e16bc3c294cc5c006f6fb2ff8ddbf9eb0e45f8d8ac6853
3790861e8c62040dbb2dd3c290d1a2738cef6b04fd38de2d37ba58708838ddab
2b4e54af556badc27f08c9a966dd55f090f4a5ef8978793e0ba296b05ddfb242
f3165a426e73b3dce639c5f44c0c6dca403a363fa07abf4458e61f7a61d7d880
cc0fdb6946afd11917588ce448b752e3f49debcd09d2e4d6c6d04cc1dc774e92
eb2ecf9b7aaa6a3d36d66aac6cc107c09c0518a06272f27ae17f2430c1d7a70f
8711c0444e0e2869118f577b3e28776c75d0845691bac42cb92005cc97c62b8a
99257e66c5904573be6b6316fbace99d9cb4ac2806b88c6e1e1c04787a2f4bd3
1f6feae633a783cf6ef08eee6b65049fe5b692c8a743af8967984e2e212a06b5
4fbea9806312eece3dd8523cf6c9509cedda1abe14fdc55bf793606dffe6c053
044ff15e8d3c9534c11c3719bd88a8302611c697ae888b23c768cec52f1970b6
aaae2a95d3c2054414d9b4cd55405563c1059ac881d9252ce338ecef1a25f857
bd2104c458f1c7197b830efb636df4741232585d55334fcdb6e37e8657571c24
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
c3dc5d9c25e3ef368835ad761bc9b0650170a018d70f93869608105375b73019
b20f2f7de684b2b10149825c4b86e14fadc7e19d5d41cb7b180bee28a1def030
bfb1b045ee5fc2bc3e4ca29683d695c36cc033ed43c0071385907400bc09c7f6
4f52022aa6286c18573e79cb079d5c9a01382bf1b4685a5a0dcc72cd6307b277
ce69de794ef8654455e9323c8dd184a507c39bb319b9c1b34fce460deca631bf
e784a1f8667b80617e5e26ab23f4b101286dd5bddb9629ca59d272ee3267e3ca
37aad7dc61ea841a62ed160802b822c35a0110f3e0be393b0c43a7fae8e96c65
1b9e1710ba83325c36ba9496bb3ff924a69326d07f62afec79ef74adbfcf27f2
3e3fc0ee150a9b3e97a1306c1929076d637f3c6ce3dbddcf30570330e40bf609
efed6ec2f8d3190bbf49a8c62a73c80878a4b7968baabfcff38cd0c3b06d4cff
d14140f160c6659a0848ec2b808bd37739af9b8a28d6d8cd7fc607ab845ab026
7f7089400087e55dbe741b1b137a6712f22d80b67c28215000b8f15787322dc2
429aed088fe3b2dc4cf969687d3eb7412bc387a9f6a7c68b832613630e8c527f
93fbcce3b23629eef2b3ed15e67b61cd5ba82f6a4cf4933b05ee3a1cb17b0523
ba63290ef5e3c1d1e2881879708f9fc793792f1f8ad36bcc8d2cdda9dc3e7ec8
7d784959adbb08754d954aee02c959a1a7318c54d04bccee906952cdbf090ea6
89389da3d32117ac9a495120372591cd36bff66f55ffc0e2e53ed8d64458d433
52c5297a7066438d5ec5ce3e897b7fe3eb642dca0b30aba3cc28866cbb05d96d
21ab6c559c1f1c445e9450f180e252e78799374ebd5d3b0e6384afd3eeeee20e
796364acf14011fa3902103655be7328eef8e3c5bd8635cac4820b5757ec9d13
c8f5d3f153fab81b07f3e666e13bcbd01d696a7efa4ae0c8dc81c054443e5b67
a3d362e58a6aa1b9d9d9ff542c65dccef0423e52dc8d11df2a515be8258ff3ac
090d906fa847c480583c96b467272b407e6c820d0d64b454e6e53dd51d113b03
90da1d87ebf79eefc2a035cc6311b9a26ff17804d6561c9f8253f4189d1c1f57
c33a5d3fd76760bd1657a2007d5ae2ba55155c0fd3ef9bb7e771e41c084158e5
237358a60a6aeaf9e2f5247fdf1c2cc04e3e3c0ff57e2c03b799d10b770361f7
cd4b8eb7fa51767c3cc1942e3523e99026062f95dfcb0428033dd7b706db8481
c90e5c5f118bfc7417e1a43d8ec7a1d6e91a730f336a47799b81f16a0fd6d69c
614f6326a378a9c583fc7de320ea6a60a78706283ec087afcb349ca75c083807
f19253d1e2423e2613b27354b1d8670fc63ffbb2d194ebf00e2323f712141648
93ddcee5487885a9825538b723ba30214b827617f85aef5558d232545171e8f6
2921a0fa40963ad342875ba6fc57c1629caa800f834ebf516a6cf6a59f467212
d371d9409cca4b22d1e90df46524f7112e06bf74a90f65f236957b63fdad2c1b
4822c68976983fb6be04a489ecb0ee85233585040f94599ae1f40e91a815d3d3
12a6b979da40489d768e28882836de2434009bcb436c2901772bed7633d88770

SH256 hash:

e40093ff2134c0c7ab3cbdb58575c8e892ed7e0af9fa9721c2777fbbe7e216fe

MD5 hash:

e11f714458bb37d1110164c28a5796f1

SHA1 hash:

ed61ad0cb3a346b469a07cd20763d3f28a750102

Link:

https://www.unpac.me/results/589a9519-0f7d-4667-bd49-a47edafadb02/

Malware family:

DarkComet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e40093ff2134/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DarkComet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e40093ff2134c0c7ab3cbdb58575c8e892ed7e0af9fa9721c2777fbbe7e216fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AsyncRat Create hunting rule
Author:	kevoreilly, JPCERT/CC Incident Response Group
Description:	AsyncRat Payload

Rule name:	AsyncRat_Detection_Dec_2022 Create hunting rule
Author:	Potatech
Description:	AsyncRat

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse Create hunting rule
Author:	ditekSHen
Description:	Detects file containing reversed ASEP Autorun registry keys

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	Intezer_Vaccine_DarkComet Create hunting rule
Author:	Intezer Labs
Description:	Automatic YARA vaccination rule created based on the file's genes
Reference:	https://analyze.intezer.com

Rule name:	malware_asyncrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Malware_QA_update_RID2DAD Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_BabylonRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BabylonRAT / CollectorStealer / ParadoxRAT

Rule name:	MALWARE_Win_DarkComet Create hunting rule
Author:	ditekSHen
Description:	Detects DarkComet

Rule name:	MALWARE_Win_EXEPWSH_DLAgent Create hunting rule
Author:	ditekSHen
Description:	Detects SystemBC

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_AsnycRAT Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects AsnycRAT based on it's config decryption routine

Rule name:	MAL_AsyncRAT_Config_Decryption Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects AsnycRAT based on it's config decryption routine

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

Rule name:	SUSP_Reverse_Run_Key Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects a Reversed Run Key

Rule name:	Windows_Trojan_AveMaria_31d2bce9 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Babylonrat_0f66e73b Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Darkcomet_1df27bcc Create hunting rule
Author:	Elastic Security

Rule name:	win_asyncrat_j1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects AsyncRAT

Rule name:	win_asyncrat_w0 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	win_babylon_rat_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.babylon_rat.

Rule name:	win_blackshades_w0 Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_

Rule name:	win_darkcomet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/352047/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample