Windows Analysis Report gmAszjZqKD.exe

Overview

General Information

Sample Name: gmAszjZqKD.exe
Analysis ID: 435329
MD5: a8fcf9f01f6ac912a38cb17e59eb1ed0
SHA1: 40072436d5bd265261bcf0bfd5cfbb046e70a97a
SHA256: 9d56ad7e390d35d3fcf2bc03ac7b38e5efeee12e8bbc2917a375e6cf8c65d69f
Tags: AveMariaRAT, exe, RAT
Infos:
Errors
  • Nothing to analyse, Joe Sandbox has not found any analysis process or sample
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

AveMaria UACMe
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Contains functionality to hide user accounts
Machine Learning detection for sample
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file overlay found
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: gmAszjZqKD.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: gmAszjZqKD.exe Virustotal: Detection: 72%
Source: gmAszjZqKD.exe ReversingLabs: Detection: 89%
Yara detected AveMaria stealer
Source: Yara match File source: gmAszjZqKD.exe, type: SAMPLE
Machine Learning detection for sample
Source: gmAszjZqKD.exe Joe Sandbox ML: detected

Exploits:

Yara detected UACMe UAC Bypass tool
Source: Yara match File source: gmAszjZqKD.exe, type: SAMPLE

Compliance:

Uses 32bit PE files
Source: gmAszjZqKD.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: gmAszjZqKD.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: gmAszjZqKD.exe String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: gmAszjZqKD.exe Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match File source: gmAszjZqKD.exe, type: SAMPLE

System Summary:

Malicious sample detected (through community Yara rule)
Source: gmAszjZqKD.exe, type: SAMPLE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: gmAszjZqKD.exe, type: SAMPLE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: gmAszjZqKD.exe, type: SAMPLE Matched rule: AveMaria_WarZone Author: unknown
PE file contains executable resources (Code or Archives)
Source: gmAszjZqKD.exe Static PE information: Resource name: WM_DSP type: PE32 executable (GUI) Intel 80386, for MS Windows
PE file overlay found
Source: gmAszjZqKD.exe Static PE information: Data appended to the last section found
Uses 32bit PE files
Source: gmAszjZqKD.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: gmAszjZqKD.exe, type: SAMPLE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: gmAszjZqKD.exe, type: SAMPLE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: gmAszjZqKD.exe, type: SAMPLE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: gmAszjZqKD.exe, type: SAMPLE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: classification engine Classification label: mal88.troj.expl.winEXE@0/0@0/0
Source: gmAszjZqKD.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: gmAszjZqKD.exe Virustotal: Detection: 72%
Source: gmAszjZqKD.exe ReversingLabs: Detection: 89%
Source: gmAszjZqKD.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: gmAszjZqKD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts
Source: gmAszjZqKD.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Stealing of Sensitive Information:

Yara detected AveMaria stealer
Source: Yara match File source: gmAszjZqKD.exe, type: SAMPLE
Yara detected Credential Stealer
Source: Yara match File source: gmAszjZqKD.exe, type: SAMPLE

Remote Access Functionality:

Yara detected AveMaria stealer
Source: Yara match File source: gmAszjZqKD.exe, type: SAMPLE
No contacted IP infos