File name: db11e583944ddefc276fd302c0eecf39

Full analysis: https://app.any.run/tasks/a7edca23-0651-4369-9749-c43703b63b6a
Verdict: Malicious activity
Threats:

Ave Maria is a Remote Access Trojan that is also called WARZONE RAT. Attackers use it to remotely control victims' PCs and steal information from the infected machines; for example, they can remotely activate the camera to take pictures of a victim and send them to a control server.

Analysis date: December 05, 2022, 20:21:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, stealer, rat, avemaria, warzone
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: DB11E583944DDEFC276FD302C0EECF39
SHA1: 662C88E0753E7D006AB7CC43297613A7CB5D811D
SHA256: 80E28FCC8B571C2C8FE075896D03ED473E825BB56296563F3D5DFFAA22FE0CCB
SSDEEP: 6144:LBnmyK4O/ekC2y6gPXoYBIy1yNUwEghE9fWYJK6:Q7e6gPYYBDy6wEghE9fWYD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • zgoqp.exe (PID: 4048)
    • Application was dropped or rewritten from another process

      • zgoqp.exe (PID: 652)
      • zgoqp.exe (PID: 4048)
    • AVEMARIA was detected

      • zgoqp.exe (PID: 652)
    • WARZONE detected by memory dumps

      • zgoqp.exe (PID: 652)
    • Connects to the CnC server

      • zgoqp.exe (PID: 652)
  • SUSPICIOUS

    • Application launched itself

      • zgoqp.exe (PID: 4048)
    • Connects to unusual port

      • zgoqp.exe (PID: 652)
  • INFO

    • Reads the computer name

      • db11e583944ddefc276fd302c0eecf39.exe (PID: 892)
      • zgoqp.exe (PID: 652)
    • Checks supported languages

      • zgoqp.exe (PID: 4048)
      • db11e583944ddefc276fd302c0eecf39.exe (PID: 892)
      • zgoqp.exe (PID: 652)
    • Creates a file in a temporary directory

      • db11e583944ddefc276fd302c0eecf39.exe (PID: 892)

WarZone

(PID) Process: (652) zgoqp.exe
Options:
Use ADS: False
Defender bypass: False
UAC bypass: True
Persistence: False
Offline log: True
Reverse Proxy local port: 5000
Startup Flag: False
Install Flag: False
BuildID: 82PMPE2D
C2 (1): baramac.duckdns.org:6269

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2015-Dec-27 05:38:52
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 216

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2015-Dec-27 05:38:52
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 23626 | 24064 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.41076
.rdata | 28672 | 4446 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.14255
.data | 36864 | 110712 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.22522
.ndata | 151552 | 32768 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | (not reported; raw size 0)
.rsrc | 184320 | 206648 | 206848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.67313

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.6686 | 67624 | UNKNOWN | English - United States | RT_ICON
2 | 4.20636 | 38056 | UNKNOWN | English - United States | RT_ICON
3 | 4.21554 | 26600 | UNKNOWN | English - United States | RT_ICON
4 | 4.24892 | 21640 | UNKNOWN | English - United States | RT_ICON
5 | 4.08716 | 16936 | UNKNOWN | English - United States | RT_ICON
6 | 7.95631 | 15974 | UNKNOWN | English - United States | RT_ICON
7 | 4.49335 | 9640 | UNKNOWN | English - United States | RT_ICON
8 | 4.55083 | 4264 | UNKNOWN | English - United States | RT_ICON
9 | 5.02221 | 2440 | UNKNOWN | English - United States | RT_ICON
10 | 4.96191 | 1128 | UNKNOWN | English - United States | RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
Total processes: 36
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Behavior graph image; recoverable labels: nodes db11e583944ddefc276fd302c0eecf39.exe (no specs), zgoqp.exe, zgoqp.exe (#WARZONE); edge labels: drop and start, start, drop and start]

Process information

PID: 892
CMD: "C:\Users\admin\AppData\Local\Temp\db11e583944ddefc276fd302c0eecf39.exe"
Path: C:\Users\admin\AppData\Local\Temp\db11e583944ddefc276fd302c0eecf39.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 2
Modules (images):
c:\users\admin\appdata\local\temp\db11e583944ddefc276fd302c0eecf39.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 4048
CMD: "C:\Users\admin\AppData\Local\Temp\zgoqp.exe" C:\Users\admin\AppData\Local\Temp\beujeu.oxz
Path: C:\Users\admin\AppData\Local\Temp\zgoqp.exe
Parent process: db11e583944ddefc276fd302c0eecf39.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\zgoqp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 652
CMD: "C:\Users\admin\AppData\Local\Temp\zgoqp.exe"
Path: C:\Users\admin\AppData\Local\Temp\zgoqp.exe
Parent process: zgoqp.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\zgoqp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 869
Read events: 866
Write events: 3
Delete events: 0

Modification events

(PID) Process: (4048) zgoqp.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: osoudspt
Value: C:\Users\admin\AppData\Roaming\tdvtqndxxhl\kiflb.exe "C:\Users\admin\AppData\Local\Temp\zgoqp.exe" C:\Users\admin\AppData\Local\T

(PID) Process: (652) zgoqp.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: MaxConnectionsPer1_0Server
Value: 10

(PID) Process: (652) zgoqp.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: MaxConnectionsPerServer
Value: 10

Executable files: 2
Suspicious files: 3
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
892 | db11e583944ddefc276fd302c0eecf39.exe | C:\Users\admin\AppData\Local\Temp\kddzn.ful | binary
MD5: 8B00AF25E4733D969D9E2432FC68F7DB
SHA256: 5B5AD23FDE48EEFA5E559987F77A6277F529AA770E2E4FE57AC9873786EB8343
4048 | zgoqp.exe | C:\Users\admin\AppData\Roaming\tdvtqndxxhl\kiflb.exe | executable
MD5: FBB51E866CC83F4D5C255D5C6494AC99
SHA256: 022AEB46CBF0FB7D446F7846A8B2EA3684D62DE7B7068F695A43428E410D6C07
892 | db11e583944ddefc276fd302c0eecf39.exe | C:\Users\admin\AppData\Local\Temp\beujeu.oxz | binary
MD5: 8317DA4368F4DDEAEB4A823BD6DCD2C6
SHA256: FC5C555C516DFE2057EDDBFF5055D837BE131707566B2879E23C99D3A4B909FD
892 | db11e583944ddefc276fd302c0eecf39.exe | C:\Users\admin\AppData\Local\Temp\nsf978E.tmp | binary
MD5: D00E5F2AC1D95785F36EF5E8D87A8FA4
SHA256: 490322A4DF248EF749348C3353943DB682CF0C2AB98C615B097FA8DD98EDC2F5
892 | db11e583944ddefc276fd302c0eecf39.exe | C:\Users\admin\AppData\Local\Temp\zgoqp.exe | executable
MD5: FBB51E866CC83F4D5C255D5C6494AC99
SHA256: 022AEB46CBF0FB7D446F7846A8B2EA3684D62DE7B7068F695A43428E410D6C07

HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 4

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
652 | zgoqp.exe | 185.219.80.143:6269 | baramac.duckdns.org | Zomro B.V. | NL | malicious

DNS requests

Domain | IP | Reputation
baramac.duckdns.org | 185.219.80.143 | malicious

Threats

PID | Process | Class | Message
| | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
652 | zgoqp.exe | A Network Trojan was detected | ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
652 | zgoqp.exe | A Network Trojan was detected | AV TROJAN Ave Maria RAT CnC Response
652 | zgoqp.exe | A Network Trojan was detected | ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin