analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3

Full analysis: https://app.any.run/tasks/6e379fad-b141-4d58-bf02-7c6d7710e401
Verdict: Malicious activity
Threats:

WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.

Analysis date: June 12, 2019, 09:49:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
rat
avemaria
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

392C87B581107348948F3B6E2EA183C3

SHA1:

F58C3A08845E4E6C32FFAFD567AFD607A7EC805F

SHA256:

40DF001082D1A4EC3075C690060CC01F7D35F07640FC12F9AF4BBE83DC8B2FF3

SSDEEP:

12288:efSLOk2p0JffgQBJJhTG51/7s408W5btbrB7BpwHkuPm5fkGf:efSOk2atfgatSv/A408ebz4HkuO55

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs injected code in another process

      • 40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe (PID: 388)
    • AVEMARIA was detected

      • 40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe (PID: 388)
    • Application was injected by another process

      • explorer.exe (PID: 2044)
    • Connects to CnC server

      • 40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe (PID: 388)
  • SUSPICIOUS

    • Application launched itself

      • 40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe (PID: 1412)
    • Reads the machine GUID from the registry

      • 40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe (PID: 388)
  • INFO

    • Application was crashed

      • 40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe (PID: 388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (90.6)
.exe | Win32 Executable (generic) (4.9)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

OriginalFileName: CollapseSindepreciated5.exe
InternalName: CollapseSindepreciated5
ProductVersion: 3.07.0002
FileVersion: 3.07.0002
ProductName: CollapseSinErgatandry
FileDescription: CollapseSinUlnad2
CompanyName: CollapseSinPlicative
Comments: CollapseSinLAPAROTOMIES3
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 3.7.0.2
FileVersionNumber: 3.7.0.2
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 3.7
OSVersion: 4
EntryPoint: 0x1460
UninitializedDataSize: -
InitializedDataSize: 376832
CodeSize: 1142784
LinkerVersion: 6
PEType: PE32
TimeStamp: 2010:07:24 18:55:44+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 24-Jul-2010 16:55:44
Detected languages:
  • English - United States
Comments: CollapseSinLAPAROTOMIES3
CompanyName: CollapseSinPlicative
FileDescription: CollapseSinUlnad2
ProductName: CollapseSinErgatandry
FileVersion: 3.07.0002
ProductVersion: 3.07.0002
InternalName: CollapseSindepreciated5
OriginalFilename: CollapseSindepreciated5.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 24-Jul-2010 16:55:44
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00116C9C
0x00117000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
4.56666
.data
0x00118000
0x00000AF0
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00119000
0x0005AA8C
0x0005B000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.30909

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.33778
808
Unicode (UTF 16LE)
English - United States
RT_VERSION
2
4.98201
1128
UNKNOWN
UNKNOWN
RT_ICON
3
4.0491
9640
UNKNOWN
UNKNOWN
RT_ICON
4
4.40078
4264
UNKNOWN
UNKNOWN
RT_ICON
5
3.40341
67624
UNKNOWN
UNKNOWN
RT_ICON
6
3.80959
16936
UNKNOWN
UNKNOWN
RT_ICON

Imports

MSVBVM60.DLL
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start inject 40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe no specs #AVEMARIA 40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe 40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe 40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe no specs explorer.exe 40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1412"C:\Users\admin\AppData\Local\Temp\40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe" C:\Users\admin\AppData\Local\Temp\40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exeexplorer.exe
User:
admin
Company:
CollapseSinPlicative
Integrity Level:
MEDIUM
Description:
CollapseSinUlnad2
Exit code:
0
Version:
3.07.0002
388C:\Users\admin\AppData\Local\Temp\40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe" C:\Users\admin\AppData\Local\Temp\40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe
40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe
User:
admin
Company:
CollapseSinPlicative
Integrity Level:
MEDIUM
Description:
CollapseSinUlnad2
Exit code:
3221225477
Version:
3.07.0002
3976C:\Users\admin\AppData\Local\Temp\40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe" C:\Users\admin\AppData\Local\Temp\40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe
40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe
User:
admin
Company:
CollapseSinPlicative
Integrity Level:
MEDIUM
Description:
CollapseSinUlnad2
Version:
3.07.0002
2468C:\Users\admin\AppData\Local\Temp\40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe" C:\Users\admin\AppData\Local\Temp\40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe
User:
admin
Company:
CollapseSinPlicative
Integrity Level:
MEDIUM
Description:
CollapseSinUlnad2
Exit code:
0
Version:
3.07.0002
2044C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2052"C:\Users\admin\AppData\Local\Temp\40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe"C:\Users\admin\AppData\Local\Temp\40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exeexplorer.exe
User:
admin
Company:
CollapseSinPlicative
Integrity Level:
MEDIUM
Description:
CollapseSinUlnad2
Version:
3.07.0002
Total events
18
Read events
16
Write events
2
Delete events
0

Modification events

(PID) Process:(388) 40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:MaxConnectionsPer1_0Server
Value:
10
(PID) Process:(388) 40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:MaxConnectionsPerServer
Value:
10
Executable files
0
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
141240df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exeC:\Users\admin\AppData\Local\Temp\~DF084FE770CF2D9D87.TMPbinary
MD5:693B1CAC057392C2186184F75F5E8AA1
SHA256:D3BAB86F6DA95F1FFF368BF51C595E57AB45D91E07D1D41CDA11662619711620
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3976
40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe
145.239.202.109:1018
OVH SAS
FR
malicious
388
40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe
145.239.202.109:1013
OVH SAS
FR
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
388
40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe
A Network Trojan was detected
MALWARE [PTsecurity] AveMaria.RAT Encrypted Checkin
388
40df001082d1a4ec3075c690060cc01f7d35f07640fc12f9af4bbe83dc8b2ff3.exe
A Network Trojan was detected
MALWARE [PTsecurity] AveMaria.RAT Connection
1 ETPRO signatures available at the full report
No debug info