MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00a9a0b3801fe8d44427681396fd65560b46b7440a8544a3964c3c9fec72a7b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00a9a0b3801fe8d44427681396fd65560b46b7440a8544a3964c3c9fec72a7b3
SHA3-384 hash: 3ebe2af512dd8990bf790f9c074cc013fd6e76e29ce875efe18dca35a10f12794521038f8197757789dd03058e1aeba6
SHA1 hash: b7f2a52f74e80c534d7932469a22f292e023cd55
MD5 hash: c70652c1aeae871369d79b93fbbf37e1
humanhash: bluebird-equal-summer-whiskey
File name:c70652c1aeae871369d79b93fbbf37e1
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'011'200 bytes
First seen:2022-07-23 17:42:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:JhIGwBUDPMS0msSeqB7pZkwjhKNxjR1q:fJAc08eCpaoitC
Threatray 2'413 similar samples on MalwareBazaar
TLSH T1C625DF92E194A6A4DD28ABB11533CD3456337DADB874E42D24DE3D273BFB3D210216A3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
419
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293721/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44349.11880.14868-222265.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62dc33800e298a94f3f4622a/reports/cc421c31-cbef-4d73-a4c6-1723a9318bcb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d59074b-094f-4248-aab8-b650bab85ea6
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1039829
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to check if Internet connection is working
Contains functionality to create processes via WMI
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Creates processes via WMI
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Generic Downloader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 672319 Sample: oNCP83D6Ux Startdate: 23/07/2022 Architecture: WINDOWS Score: 100 95 Malicious sample detected (through community Yara rule) 2->95 97 Multi AV Scanner detection for dropped file 2->97 99 Multi AV Scanner detection for submitted file 2->99 101 10 other signatures 2->101 10 oNCP83D6Ux.exe 7 2->10         started        14 cmd.exe 2->14         started        16 WmiPrvSE.exe 2->16         started        process3 file4 77 C:\Users\user\AppData\Roaming\quAKEUlgg.exe, PE32 10->77 dropped 79 C:\Users\...\quAKEUlgg.exe:Zone.Identifier, ASCII 10->79 dropped 81 C:\Users\user\AppData\Local\...\tmp61C3.tmp, XML 10->81 dropped 83 C:\Users\user\AppData\...\oNCP83D6Ux.exe.log, ASCII 10->83 dropped 113 Found evasive API chain (may stop execution after checking mutex) 10->113 115 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->115 117 Drops PE files to the document folder of the user 10->117 119 8 other signatures 10->119 18 oNCP83D6Ux.exe 10->18         started        22 schtasks.exe 1 10->22         started        24 powershell.exe 21 10->24         started        30 3 other processes 10->30 26 WMIC.exe 14->26         started        28 conhost.exe 14->28         started        signatures5 process6 file7 69 C:\Users\user\Documents\winhost.exe, PE32 18->69 dropped 71 C:\Users\user\...\Documents:ApplicationData, PE32 18->71 dropped 73 C:\Users\user\...\winhost.exe:Zone.Identifier, ASCII 18->73 dropped 75 2 other malicious files 18->75 dropped 103 Creates files in alternative data streams (ADS) 18->103 105 Adds a directory exclusion to Windows Defender 18->105 107 Increases the number of concurrent connection per server for Internet Explorer 18->107 109 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->109 32 winhost.exe 18->32         started        35 powershell.exe 18->35         started        37 conhost.exe 22->37         started        39 conhost.exe 22->39         started        41 conhost.exe 24->41         started        111 Creates processes via WMI 26->111 43 conhost.exe 30->43         started        signatures8 process9 signatures10 87 Multi AV Scanner detection for dropped file 32->87 89 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->89 91 Machine Learning detection for dropped file 32->91 93 2 other signatures 32->93 45 winhost.exe 32->45         started        49 powershell.exe 32->49         started        51 powershell.exe 32->51         started        53 schtasks.exe 32->53         started        55 conhost.exe 35->55         started        process11 dnsIp12 85 87.101.92.171, 5478 M247GB Romania 45->85 121 Writes to foreign memory regions 45->121 123 Allocates memory in foreign processes 45->123 125 Adds a directory exclusion to Windows Defender 45->125 127 Creates a thread in another existing process (thread injection) 45->127 57 powershell.exe 45->57         started        59 cmd.exe 45->59         started        61 conhost.exe 49->61         started        63 conhost.exe 51->63         started        signatures13 process14 process15 65 conhost.exe 57->65         started        67 conhost.exe 59->67         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00a9a0b3801fe8d44427681396fd65560b46b7440a8544a3964c3c9fec72a7b3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-23 04:56:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
55
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=acu2bm4ad7unirbhnajzn7lfkyfunn2ebkcuji4wjq6j73dsu6zq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
060b0e65ae129b5c84b802b3b4e49b71f3f25514317c3294d006e643f05b6ed6
AveMariaRAT
0c78222c8ba928915a4daa3332b2bf6129e243676c9de511332e95caa14c573d
AveMariaRAT
4782eddb9ab8bac26615543aab44d368e333862217eaa8408181a4e565997d54
AveMariaRAT
4b4f618f12ac211ecbabd1e40da2da32137a3d73f09d1e87b837cd77311e581e
AveMariaRAT
6987377a1118969bd5be9bc61cbad585f85fcb41f7f52cf8d9998ac3241f87eb
AveMariaRAT
bb11afb98f41a9ab5f5a8ce84ff3f5202d993efb1cfe68d4bdd4e89e0b01c8f2
AveMariaRAT
bd6e789f312094e2d4a5caf66739fc0dda356a5c6c15603a6f73cab7a9f73366
AveMariaRAT
c94f8f04a2c0697a50e52b396b411491a88f1b0ba5bbd07f36fcf07f3a4daf7e
AveMariaRAT
+ 2'403 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/52bc3eb4-b751-4d9e-86a6-e6c5ea2642b9/
SH256 hash:
7aa0ea2defb08acf8454e77f42d47d5be0242fee7ff0ffad01239f94cec2509b
MD5 hash:
5d0230d91dbdc20cff272bf32c04de9e
SHA1 hash:
dbe210d64ae54f03a7715ac7dd2d58a1d4acfefb
Link:
https://www.unpac.me/results/52bc3eb4-b751-4d9e-86a6-e6c5ea2642b9/
SH256 hash:
ca4e3745f87ae419e10fa9dd15e9814f66a7dca601ae70bd3ae3b0b0781e9491
MD5 hash:
6491ab64072f34a6124f4cdf1d9bdd43
SHA1 hash:
78008e0c188d1732ebb5bbfe6d15892ebe32b1f7
Link:
https://www.unpac.me/results/52bc3eb4-b751-4d9e-86a6-e6c5ea2642b9/
SH256 hash:
00a9a0b3801fe8d44427681396fd65560b46b7440a8544a3964c3c9fec72a7b3
MD5 hash:
c70652c1aeae871369d79b93fbbf37e1
SHA1 hash:
b7f2a52f74e80c534d7932469a22f292e023cd55
Link:
https://www.unpac.me/results/52bc3eb4-b751-4d9e-86a6-e6c5ea2642b9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00a9a0b3801fe8d44427681396fd65560b46b7440a8544a3964c3c9fec72a7b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 00a9a0b3801fe8d44427681396fd65560b46b7440a8544a3964c3c9fec72a7b3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2260481/
Cape
Cape
https://www.capesandbox.com/analysis/293721/

Comments


Avatar
zbet commented on 2022-07-23 17:42:35 UTC

url : hxxp://179.43.175.187/xotl/dl0lCUKsyeKfL9F.exe