MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 038468b4bce04705f5f08025f029ca8f327540d31f8f373892248b42750f5a00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 038468b4bce04705f5f08025f029ca8f327540d31f8f373892248b42750f5a00
SHA3-384 hash: d09e3ad9b4cd67f3319adb141326e27606801cbdce9483f1b1098c902bca1043ae547f7c8ab8a6349b250fece8b9ac25
SHA1 hash: 3818977d4d9ac5f22f5336b09b7bb4a2b1463432
MD5 hash: 5bf7c4b2b2980b4796c0c93b00dcf602
humanhash: finch-eighteen-football-hotel
File name:5bf7c4b2b2980b4796c0c93b00dcf602
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:525'312 bytes
First seen:2021-09-02 01:06:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:J4vWZxUrGqLftSjwxRP5I3J9qLLRiHDdV7JikiwJ:J4uT9wcwlICLNQDdVlii
Threatray 1'488 similar samples on MalwareBazaar
TLSH T199B4E02E36C4DB11C54599B5C2E7E93103E3AA8B3237E3483E5562DA0E437A4ED8E7C5
dhash icon 489669d8d8699648 (53 x AgentTesla, 24 x SnakeKeylogger, 16 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5bf7c4b2b2980b4796c0c93b00dcf602
Verdict:
Malicious activity
Analysis date:
2021-09-02 01:07:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/32745f87-0d5b-486b-b0ef-82991549935d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184620/
Detection(s):
SecuriteInfo.com.Variant.Bulz.621167.10654.21814.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
DNS request
Sending a UDP request
Running batch commands
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4dae2bca-20a2-4295-9948-39cceff86875
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843728
Signature
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 476159 Sample: IAUGOFGT4R Startdate: 02/09/2021 Architecture: WINDOWS Score: 100 48 time.google.com 2->48 62 Multi AV Scanner detection for domain / URL 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 6 other signatures 2->68 10 IAUGOFGT4R.exe 6 2->10         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\IAUGOFGT4R.exe, PE32 10->38 dropped 40 C:\Users\...\IAUGOFGT4R.exe:Zone.Identifier, ASCII 10->40 dropped 42 C:\Users\user\AppData\...\IAUGOFGT4R.exe.log, ASCII 10->42 dropped 74 Writes to foreign memory regions 10->74 76 Injects a PE file into a foreign processes 10->76 14 IAUGOFGT4R.exe 4 5 10->14         started        18 powershell.exe 20 10->18         started        signatures6 process7 dnsIp8 44 C:\ProgramData\sys64.exe, PE32 14->44 dropped 46 C:\ProgramData\sys64.exe:Zone.Identifier, ASCII 14->46 dropped 78 Multi AV Scanner detection for dropped file 14->78 80 Machine Learning detection for dropped file 14->80 82 Contains functionality to inject threads in other processes 14->82 84 4 other signatures 14->84 21 sys64.exe 3 14->21         started        24 cmd.exe 1 14->24         started        50 8.8.8.8.in-addr.arpa 18->50 52 4.4.8.8.in-addr.arpa 18->52 54 2 other IPs or domains 18->54 26 conhost.exe 18->26         started        file9 signatures10 process11 signatures12 70 Multi AV Scanner detection for dropped file 21->70 72 Machine Learning detection for dropped file 21->72 28 powershell.exe 16 21->28         started        31 reg.exe 1 1 24->31         started        34 conhost.exe 24->34         started        process13 dnsIp14 56 8.8.8.8.in-addr.arpa 28->56 58 4.4.8.8.in-addr.arpa 28->58 60 3 other IPs or domains 28->60 36 conhost.exe 28->36         started        86 Creates an undocumented autostart registry key 31->86 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/038468b4bce04705f5f08025f029ca8f327540d31f8f373892248b42750f5a00/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 10:46:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
24 of 45 (53.33%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0532411d15ff23b27d4f5306264a32e972c0181dcb5ca0fe8a9b6694a2280369
AveMariaRAT
17dfa2e1768aa1ef822527eec763f22090807a4aa4a674e8924090e7bc37bbef
AveMariaRAT
1ba0e44040e713ddc5dea6e5645c58f2c4131d907343e4eb67b3c704bdd2d4d8
AveMariaRAT
302fa5500a1b8df5e1b37c2e79a28806110e93f6c3037b7ecb7e1d2864ba13d1
AveMariaRAT
45d8a91be1d071837969fc7801a224b06e918bdc813e7ec14348abf8d0810312
AveMariaRAT
7aefa586d32593736751d667d9588fcf4c3091ace48375d38f06947aa119129e
AveMariaRAT
8506352e60dea0ee05bff79a9408f910850735939399bdf040c40ffdead19d61
AveMariaRAT
9b67caf9dccb8672273f6b0715292e69f323510f09dbfd7dbf3bca8522bcdfe0
AveMariaRAT
f26b262e24e9837a992500d19b3c4ac70085b13d6bd5354378a8bfc358677b02
AveMariaRAT
+ 1'478 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/210902-cke1r8lxls/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
mrtoby.hopto.org:49319
Unpacked files
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/14e4b081-1f0e-45da-ab2d-89ccdba032a7/
SH256 hash:
f8533eb77b23bfca6ca8093725ca2333da471d879dd6a6fcbf18fc5d22bf01b8
MD5 hash:
3e7342da25cb0ba828d582c17f1faeda
SHA1 hash:
ba6588944aab264501d634511084a868a528993e
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/14e4b081-1f0e-45da-ab2d-89ccdba032a7/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/14e4b081-1f0e-45da-ab2d-89ccdba032a7/
SH256 hash:
5884fb17f5afe5c91cf72a93d2ceb106bb3aa86c97c8a1c1a14d0083af5ac588
MD5 hash:
617283c6c6d092a22d9fb017c8c47413
SHA1 hash:
eb5503ed1a32857900c1673329c51c5e40cfecbc
Link:
https://www.unpac.me/results/14e4b081-1f0e-45da-ab2d-89ccdba032a7/
SH256 hash:
87ea4b893fdf371bbab1b93adf854cc92c821fe8ef1e56b2f2b06bed7cc08654
MD5 hash:
2eb0de8a19af8c96b119312838595fcb
SHA1 hash:
5179a31fed9cf5bb5db42e3ace4b7fe0e79653bd
Link:
https://www.unpac.me/results/14e4b081-1f0e-45da-ab2d-89ccdba032a7/
SH256 hash:
aa5c4eeecb36adff3d490bbaa736ccd23dd07712f1c9579debce0de90b378511
MD5 hash:
59564c06f32cbe6d3656bb84fbb03329
SHA1 hash:
256d257cfafdcf448411f660b156c78ac1a3b260
Link:
https://www.unpac.me/results/14e4b081-1f0e-45da-ab2d-89ccdba032a7/
SH256 hash:
038468b4bce04705f5f08025f029ca8f327540d31f8f373892248b42750f5a00
MD5 hash:
5bf7c4b2b2980b4796c0c93b00dcf602
SHA1 hash:
3818977d4d9ac5f22f5336b09b7bb4a2b1463432
Link:
https://www.unpac.me/results/14e4b081-1f0e-45da-ab2d-89ccdba032a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/038468b4bce04705f5f08025f029ca8f327540d31f8f373892248b42750f5a00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:buerloader_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 038468b4bce04705f5f08025f029ca8f327540d31f8f373892248b42750f5a00

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1584737/
Cape
Cape
https://www.capesandbox.com/analysis/184620/
  
URLhaus
https://urlhaus.abuse.ch/url/1585856/

Comments


Avatar
zbet commented on 2021-09-02 01:06:27 UTC

url : hxxp://doggyrar.mooo.com/win32/TOBI.exe