MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83acd77bd1b76095992046c1cd53fd0fb4f0ae9f22f410facf174f4e1ce2f475. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AresRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83acd77bd1b76095992046c1cd53fd0fb4f0ae9f22f410facf174f4e1ce2f475
SHA3-384 hash: 1418bb8d969df006d1c8e1397632d1250eaaada4d853c99c859931c39c270b35ec30660b7b536f80c5a5d44ddaf4f115
SHA1 hash: cb0b4a024c9d791f9dcb84f5c23a24e1f94b793e
MD5 hash: 2aaa043f1abc3118d8c292920efcbf77
humanhash: bacon-gee-floor-oranges
File name:SecuriteInfo.com.Trojan.DownLoader34.18436.32216.2975
Download: download sample
Signature AresRAT
Create hunting rule
File size:2'048 bytes
First seen:2020-08-08 10:09:04 UTC
Last seen:2020-08-08 10:36:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24:eH1GSxrdWF5nmSj6UEHZBzT+NGaQoULuRlMKgz:yxUF5nhj6UUvT8GaQoULuRlMv
Threatray 37 similar samples on MalwareBazaar
TLSH CD41544B436D4A73F23C037A8AA7CB1468F8211063E9C2911DC628286189AE8F675F00
Reporter SecuriteInfoCom
Tags:AresRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42193/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.18436.32216.2975.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file in the %AppData% directory
Launching a process
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a file
Deleting a recently created file
Using the Windows Management Instrumentation requests
Creating a file in the Windows subdirectories
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a file downloaded from the Internet
Result
Threat name:
AresRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
54 / 100
Link:
https://www.joesandbox.com/analysis/415832
Signature
Bypasses PowerShell execution policy
Powershell drops PE file
Sigma detected: Powershell download and execute file
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Yara detected AresRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 260165 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 08/08/2020 Architecture: WINDOWS Score: 54 50 64dd00de5b6a.ngrok.io 2->50 64 Sigma detected: Powershell download and execute file 2->64 66 Yara detected AresRAT 2->66 68 Suspicious powershell command line found 2->68 70 2 other signatures 2->70 12 SecuriteInfo.com.Trojan.DownLoader34.18436.32216.exe 1 2->12         started        14 utilman.exe 501 2->14         started        16 utilman.exe 2->16         started        signatures3 process4 process5 18 cmd.exe 1 12->18         started        21 conhost.exe 12->21         started        23 utilman.exe 14->23         started        25 utilman.exe 16->25         started        signatures6 60 Suspicious powershell command line found 18->60 62 Tries to download and execute files (via powershell) 18->62 27 powershell.exe 15 21 18->27         started        process7 dnsIp8 58 cnc.cyberwex.com 178.128.229.214, 443, 49723 DIGITALOCEAN-ASNUS Netherlands 27->58 48 C:\Users\user\AppData\Roaming\utilman.exe, PE32+ 27->48 dropped 72 Suspicious powershell command line found 27->72 74 Powershell drops PE file 27->74 32 utilman.exe 501 27->32         started        34 powershell.exe 6 27->34         started        file9 signatures10 process11 process12 36 utilman.exe 9 32->36         started        dnsIp13 52 ip.42.pl 36->52 54 42.pl 79.98.145.42, 49730, 80 NITRONETPL Poland 36->54 56 4 other IPs or domains 36->56 46 C:\Users\user\ares\utilman.exe, PE32+ 36->46 dropped 40 cmd.exe 1 36->40         started        file14 process15 process16 42 conhost.exe 40->42         started        44 reg.exe 1 1 40->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83acd77bd1b76095992046c1cd53fd0fb4f0ae9f22f410facf174f4e1ce2f475/
Threat name:
Win32.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 14:38:22 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0ee680c945bcd40a5f26f165e043509c9dd99fa0d85a8812aa359477a05e82fc
AresRAT
11123fd370dfdb5d9d5cade853fa923679377c7791bda00d2f415078e2729e65
AresRAT
30eb8727af3b8a2f4551574c7d826e9f27480e79d242b92d392b1f64091acf12
AresRAT
314ce9b62cecb9435d9ff2338943e4e784cbfbaf9a65dbda7fe1064f477afe41
AresRAT
3dcdb90a6140612a5ca5e3a3e7efbc82c43766355399965a200a5753fd1273ad
AresRAT
485fcf4c2834e20d71b6765eccd79f6b0880d6a9fdc5d3e519a943862e9b8246
AresRAT
5f7edbfee38f8e9a93df459405b952189d48b4a7f2ddc7a81d25bdfd59b31c80
AresRAT
6084cf861e6b10480c4d05cd3aefb10a92820b191d1a8813154155fa1ca7a88c
AresRAT
ea1213c0a684662e8305cfe1c6eeebbb12a9d1404e7571438d3730cc1df1caab
AresRAT
f42c71d191748551be0bbb356e4dc638c60fbdc906e7d6536ed4512c5c7eab3e
AresRAT
+ 27 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/200808-hb4qde3g86/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Suspicious use of WriteProcessMemory
JavaScript code in executable
Adds Run key to start application
Loads dropped DLL
Blacklisted process makes network request
Executes dropped EXE
Blacklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Virus
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/83acd77bd1b76095992046c1cd53fd0fb4f0ae9f22f410facf174f4e1ce2f475

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AresRAT

Executable exe 83acd77bd1b76095992046c1cd53fd0fb4f0ae9f22f410facf174f4e1ce2f475

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/427813/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/42193/

Comments