MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9d35153c2220d608ca08a3e4b26bd01a105e9e99c2bbc6c464f629f6ab472cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	c9d35153c2220d608ca08a3e4b26bd01a105e9e99c2bbc6c464f629f6ab472cb
SHA3-384 hash:	78ac35841dda336201f143a41cd0158ab4887019279dde1c7af2ae403c183babe25ff96700a5402c514ab31130af06d5
SHA1 hash:	5b022c382a338871a8fe8bbdfc3b466a0ea07819
MD5 hash:	ec187ec0cc5528d5051f4b2a1c6e1216
humanhash:	muppet-floor-seventeen-moon
File name:	018384e0247096d3db8f25f5a1f1f5ce.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	103'936 bytes
First seen:	2020-04-02 14:10:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	879635b629affd65258851469f9bf6f9 (31 x AveMariaRAT)
ssdeep	1536:lvqIPE8ddFD1frrq7gVxoNGPNJKF1m+xVE0/bK:cI8CxFVxAMNJKu+xVE0TK
Threatray	423 similar samples on MalwareBazaar
TLSH	8FA39D2377D14439F67102B02CB97F79CABFFE380221855BD72456876B31994EA263A3
Reporter	abuse_ch
Tags:	AveMariaRAT exe GuLoader

abuse_ch

Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1usmR35TtBAICNeO88I9bC_efVU8-1ZmP

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PWS.Maria.4.17072.22484.UNOFFICIAL

SecuriteInfo.com.Trojan.PWS.Maria.3.30306.22950.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Antiav

Status:

Malicious

First seen:

2020-04-02 14:35:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

40 of 47 (85.11%)

Threat level:

5/5

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

5dd2674c9f116740c0132fca0553257cd52d8785a7ff47dd6d361b30a9634189

AveMariaRAT

6eb590a11b5310606564853be8c43179b95ee93c3a4c8c3ea8f011819a3b2337

AveMariaRAT

7b7b7e7ad9b106a5508583f1b60e3a3d7385bf0d6592ca816839f6633f5e8045

AveMariaRAT

7c7fbeb0b90a27a56ddbd1adee5627396a0d3f4639bea0d8675687a66064b6c8

AveMariaRAT

94c5bf5ba01bdb8b028fe00eca0d805b8150c3639ce9e3cf0b86670061d66196

AveMariaRAT

9c62d911a4efd2a37364d26439085d493ca2ab7e4b0fa90ba2f5d937e99e5bdf

AveMariaRAT

9ce5eb576c72ecc29eabbbece917f1873bf4f5782485b22549dfbb6ff1d56f58

AveMariaRAT

b38f7cacc56a97f122827cc2e89c55c9747ad790f7649b6078cedca83659b4dc

AveMariaRAT

e43d34170181b3e9b5baf550d70b27fdbcfcc8e974694352d77e5e52e8866a2d

AveMariaRAT

+ 413 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

77682cc8c429b0fd5a5bc6b3369f62ea61e8294e21c3830fe5a5d5fc8e128dc4

AveMariaRAT

exe c9d35153c2220d608ca08a3e4b26bd01a105e9e99c2bbc6c464f629f6ab472cb

(this sample)

Dropped by

MD5 018384e0247096d3db8f25f5a1f1f5ce

Dropped by

MD5 0c8105ce323e2dd65cbd3853310a178a

Dropped by

GuLoader

Dropped by

SHA256 77682cc8c429b0fd5a5bc6b3369f62ea61e8294e21c3830fe5a5d5fc8e128dc4

Dropped by

SHA256 420e5f51fc95ea7c63d30d5763145764d42a47343aa44b12b1ebd8077cd488e5

URLhaus

https://urlhaus.abuse.ch/url/334085/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::FreeSid ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity
DP_API	Uses DP API	CRYPT32.dll::CryptUnprotectData
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::SetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW SHELL32.dll::ShellExecuteExA SHELL32.dll::ShellExecuteExW
URL_MONIKERS_API	Can Download & Execute components	urlmon.dll::URLDownloadToFileW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateRemoteThread KERNEL32.dll::CreateProcessW KERNEL32.dll::CreateProcessA KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::VirtualAllocEx
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WinExec
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW SHELL32.dll::SHCreateDirectoryExW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::LookupAccountSidW ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegOpenKeyExW
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::freeaddrinfo WS2_32.dll::getaddrinfo WS2_32.dll::InetNtopW
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::ChangeServiceConfigW ADVAPI32.dll::OpenSCManagerW ADVAPI32.dll::OpenServiceW ADVAPI32.dll::QueryServiceConfigW ADVAPI32.dll::StartServiceW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample