Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
Analysis ID:	753413
MD5:	2015410bb46bda0bd98be49f2ca03e00
SHA1:	f500da9df562378cd0565485489321d59fa1699c
SHA256:	c36284bc37b2aaf39d2e911ef97aac1fa583ca30d90f2cd006635f8f5bf0d7e1
Tags:	AveMariaRATexe
Infos:

Detection

AveMaria, UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Sigma detected: Scheduled temp file as task from temp location

Yara detected UACMe UAC Bypass tool

Yara detected AveMaria stealer

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Increases the number of concurrent connection per server for Internet Explorer

Contains functionality to hide user accounts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe (PID: 5264 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe MD5: 2015410BB46BDA0BD98BE49F2CA03E00)

powershell.exe (PID: 5208 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hAwKqJPm.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5220 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe (PID: 5584 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe MD5: 2015410BB46BDA0BD98BE49F2CA03E00)

hAwKqJPm.exe (PID: 868 cmdline: C:\Users\user\AppData\Roaming\hAwKqJPm.exe MD5: 2015410BB46BDA0BD98BE49F2CA03E00)

schtasks.exe (PID: 3600 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp9691.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

hAwKqJPm.exe (PID: 1976 cmdline: C:\Users\user\AppData\Roaming\hAwKqJPm.exe MD5: 2015410BB46BDA0BD98BE49F2CA03E00)

cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "leekong.duckdns.org", "port": 6640}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x97f20:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x97f20:$c1: Elevation:Administrator!new:
00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x94678:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x92edc:$a2: SMTP Password 0x91aa8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x97f20:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x94568:$a5: for /F "usebackq tokens=*" %%A in (" 0x92768:$a6: \Torch\User Data\Default\Login Data 0x98040:$a7: /n:%temp%\ellocnak.xml 0x98070:$a9: Hey I'm Admin 0x92cb4:$a10: \logins.json 0x92dbc:$a10: \logins.json 0x936a0:$a11: Accounts\Account.rec0 0x94330:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0xb138:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x999c:$a2: SMTP Password 0x8568:$a3: select signon_realm, origin_url, username_value, password_value from logins 0xb028:$a5: for /F "usebackq tokens=*" %%A in (" 0x9228:$a6: \Torch\User Data\Default\Login Data 0x9774:$a10: \logins.json 0x987c:$a10: \logins.json 0xa160:$a11: Accounts\Account.rec0 0xadf0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3d48:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x25ac:$a2: SMTP Password 0x1178:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3c38:$a5: for /F "usebackq tokens=*" %%A in (" 0x1e38:$a6: \Torch\User Data\Default\Login Data 0x2384:$a10: \logins.json 0x248c:$a10: \logins.json 0x2d70:$a11: Accounts\Account.rec0 0x3a00:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x10f8b4:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x10f8b4:$c1: Elevation:Administrator!new:
00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x10bff4:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x10a858:$a2: SMTP Password 0x109424:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x10f8b4:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x10bee4:$a5: for /F "usebackq tokens=*" %%A in (" 0x10a0e4:$a6: \Torch\User Data\Default\Login Data 0x10f9d4:$a7: /n:%temp%\ellocnak.xml 0x10fa04:$a9: Hey I'm Admin 0x10a630:$a10: \logins.json 0x10a738:$a10: \logins.json 0x10b01c:$a11: Accounts\Account.rec0 0x10bcac:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3c60:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x24c4:$a2: SMTP Password 0x1090:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3b50:$a5: for /F "usebackq tokens=*" %%A in (" 0x1d50:$a6: \Torch\User Data\Default\Login Data 0x229c:$a10: \logins.json 0x23a4:$a10: \logins.json 0x2c88:$a11: Accounts\Account.rec0 0x3918:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000006.00000000.268913110.0000000000562000.00000040.00000400.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000006.00000000.268913110.0000000000562000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000006.00000003.279119713.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x3b10:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x6918:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3b10:$c1: Elevation:Administrator!new: 0x6918:$c1: Elevation:Administrator!new:
00000006.00000003.279119713.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x4d40:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x35a4:$a2: SMTP Password 0x2170:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x4c30:$a5: for /F "usebackq tokens=*" %%A in (" 0x2e30:$a6: \Torch\User Data\Default\Login Data 0x337c:$a10: \logins.json 0x3484:$a10: \logins.json 0x3d68:$a11: Accounts\Account.rec0 0x49f8:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x145048:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x145048:$c1: Elevation:Administrator!new:
00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x141788:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x13ffec:$a2: SMTP Password 0x13ebb8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x145048:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x141678:$a5: for /F "usebackq tokens=*" %%A in (" 0x13f878:$a6: \Torch\User Data\Default\Login Data 0x145168:$a7: /n:%temp%\ellocnak.xml 0x145198:$a9: Hey I'm Admin 0x13fdc4:$a10: \logins.json 0x13fecc:$a10: \logins.json 0x1407b0:$a11: Accounts\Account.rec0 0x141440:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x7cd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x7cd80:$c1: Elevation:Administrator!new:
00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x794d8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x77d3c:$a2: SMTP Password 0x76908:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x7cd80:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x793c8:$a5: for /F "usebackq tokens=*" %%A in (" 0x775c8:$a6: \Torch\User Data\Default\Login Data 0x7cea0:$a7: /n:%temp%\ellocnak.xml 0x7ced0:$a9: Hey I'm Admin 0x77b14:$a10: \logins.json 0x77c1c:$a10: \logins.json 0x78500:$a11: Accounts\Account.rec0 0x79190:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: hAwKqJPm.exe PID: 868	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: hAwKqJPm.exe PID: 868	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: hAwKqJPm.exe PID: 868	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hAwKqJPm.exe PID: 868	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5584	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5584	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5584	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Click to see the 44 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x2c1f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x2c1f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2c1f0:$c1: Elevation:Administrator!new:
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x266e0:$a1: \Opera Software\Opera Stable\Login Data 0x269e0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x261d8:$a3: \Google\Chrome\User Data\Default\Login Data
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x28a55:$r1: Classes\Folder\shell\open\command 0x28ab9:$r1: Classes\Folder\shell\open\command 0x28b0d:$r1: Classes\Folder\shell\open\command 0x28b85:$r1: Classes\Folder\shell\open\command 0x28adc:$k1: DelegateExecute
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x28014:$s1: RDPClip 0x28cf4:$s2: Grabber 0x28d04:$s2: Grabber 0x28600:$s3: Ave_Maria Stealer OpenSource 0x285b8:$s4: \MidgetPorn\workspace\MsgBox.exe 0x2c310:$s6: /n:%temp%\ellocnak.xml 0x2c340:$s7: Hey I'm Admin
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x28d14:$pwsh: powershell 0x2553b:$s2: User-Agent: 0x2587c:$s4: LdrLoadDll 0x28508:$s4: LdrLoadDll 0x250c4:$v6: start
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x28948:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x271ac:$a2: SMTP Password 0x25d78:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x2c1f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x28838:$a5: for /F "usebackq tokens=*" %%A in (" 0x26a38:$a6: \Torch\User Data\Default\Login Data 0x2c310:$a7: /n:%temp%\ellocnak.xml 0x2c340:$a9: Hey I'm Admin 0x26f84:$a10: \logins.json 0x2708c:$a10: \logins.json 0x27970:$a11: Accounts\Account.rec0 0x28600:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack	AveMaria_WarZone	unknown	unknown	0x28948:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x285e4:$str2: MsgBox.exe 0x28a24:$str4: \System32\cmd.exe 0x28600:$str6: Ave_Maria 0x27b98:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x271ac:$str8: SMTP Password 0x261d8:$str11: \Google\Chrome\User Data\Default\Login Data 0x27b44:$str12: \sqlmap.dll 0x27b5c:$str12: \sqlmap.dll 0x2c1f0:$str16: Elevation:Administrator!new 0x2c310:$str17: /n:%temp%
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5120:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5120:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2318:$c1: Elevation:Administrator!new: 0x5120:$c1: Elevation:Administrator!new:
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df8cd0.5.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2318:$c1: Elevation:Administrator!new:
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xb18:$c1: Elevation:Administrator!new:
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x5704c:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x5704c:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5704c:$c1: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x51524:$a1: \Opera Software\Opera Stable\Login Data 0x51824:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5101c:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x53899:$r1: Classes\Folder\shell\open\command 0x538fd:$r1: Classes\Folder\shell\open\command 0x53951:$r1: Classes\Folder\shell\open\command 0x539c9:$r1: Classes\Folder\shell\open\command 0x53920:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x52e58:$s1: RDPClip 0x53b38:$s2: Grabber 0x53b48:$s2: Grabber 0x53444:$s3: Ave_Maria Stealer OpenSource 0x533fc:$s4: \MidgetPorn\workspace\MsgBox.exe 0x5716c:$s6: /n:%temp%\ellocnak.xml 0x5719c:$s7: Hey I'm Admin
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x53b58:$pwsh: powershell 0x5037f:$s2: User-Agent: 0x506c0:$s4: LdrLoadDll 0x5334c:$s4: LdrLoadDll 0x4ff08:$v6: start
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x5378c:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x51ff0:$a2: SMTP Password 0x50bbc:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x5704c:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5367c:$a5: for /F "usebackq tokens=*" %%A in (" 0x5187c:$a6: \Torch\User Data\Default\Login Data 0x5716c:$a7: /n:%temp%\ellocnak.xml 0x5719c:$a9: Hey I'm Admin 0x51dc8:$a10: \logins.json 0x51ed0:$a10: \logins.json 0x527b4:$a11: Accounts\Account.rec0 0x53444:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x441:$r1: Classes\Folder\shell\open\command 0x495:$r1: Classes\Folder\shell\open\command 0x50d:$r1: Classes\Folder\shell\open\command 0x464:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x60098:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x60098:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x60098:$c1: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x5a570:$a1: \Opera Software\Opera Stable\Login Data 0x5a870:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5a068:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x5c8e5:$r1: Classes\Folder\shell\open\command 0x5c949:$r1: Classes\Folder\shell\open\command 0x5c99d:$r1: Classes\Folder\shell\open\command 0x5ca15:$r1: Classes\Folder\shell\open\command 0x5c96c:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x5bea4:$s1: RDPClip 0x5cb84:$s2: Grabber 0x5cb94:$s2: Grabber 0x5c490:$s3: Ave_Maria Stealer OpenSource 0x5c448:$s4: \MidgetPorn\workspace\MsgBox.exe 0x601b8:$s6: /n:%temp%\ellocnak.xml 0x601e8:$s7: Hey I'm Admin
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x5cba4:$pwsh: powershell 0x593cb:$s2: User-Agent: 0x5970c:$s4: LdrLoadDll 0x5c398:$s4: LdrLoadDll 0x58f54:$v6: start
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x5c7d8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x5b03c:$a2: SMTP Password 0x59c08:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x60098:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5c6c8:$a5: for /F "usebackq tokens=*" %%A in (" 0x5a8c8:$a6: \Torch\User Data\Default\Login Data 0x601b8:$a7: /n:%temp%\ellocnak.xml 0x601e8:$a9: Hey I'm Admin 0x5ae14:$a10: \logins.json 0x5af1c:$a10: \logins.json 0x5b800:$a11: Accounts\Account.rec0 0x5c490:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x2c1f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x2c1f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2c1f0:$c1: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x266e0:$a1: \Opera Software\Opera Stable\Login Data 0x269e0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x261d8:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x28a55:$r1: Classes\Folder\shell\open\command 0x28ab9:$r1: Classes\Folder\shell\open\command 0x28b0d:$r1: Classes\Folder\shell\open\command 0x28b85:$r1: Classes\Folder\shell\open\command 0x28adc:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x28014:$s1: RDPClip 0x28cf4:$s2: Grabber 0x28d04:$s2: Grabber 0x28600:$s3: Ave_Maria Stealer OpenSource 0x285b8:$s4: \M

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AveMaria

Yara Signatures

Memory Dumps

Unpacked PEs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AveMaria

Yara Signatures

Memory Dumps

Unpacked PEs

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe