MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a6a04b924f8b72cd9a023067e6e0163d9eb44e6d241b07b17f1434b78094c0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 12 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a6a04b924f8b72cd9a023067e6e0163d9eb44e6d241b07b17f1434b78094c0b
SHA3-384 hash: e02627fef1fac8d55aea44e39d23ce034a7484609c143eca6e8a3fbee98758608324679319e82211cf153b9ecc1aa8c5
SHA1 hash: c2a1d0342929b78618424edd7ae0346584011857
MD5 hash: 392dbbc022fbff71b60199b0913eaecb
humanhash: nevada-cup-six-table
File name:392dbbc022fbff71b60199b0913eaecb
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:780'456 bytes
First seen:2022-06-30 06:42:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:2pytIVq3VMCJpwR0BN/ljwl8S135vLJw+wVuQwHr0OD7v84t:2gtmqicqR0BNNMl1pD++wVuDN7
Threatray 3'759 similar samples on MalwareBazaar
TLSH T1ACF4F08EDE209065CC206D7EA0A105F40AF33DFCD5A4172E57E9BA590BB72F3597318A
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 92292b3373338e69 (2 x AveMariaRAT, 1 x Formbook)
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
donexx(1).exe
Verdict:
Malicious activity
Analysis date:
2022-06-30 08:08:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/99638445-e812-403c-a5c3-b2ec9a949fb8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/284511/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed strictor
Link:
https://www.filescan.io/uploads/62bd45f7b0578633c8b33fc0/reports/f5b9d37f-1eb5-40de-87a5-99f3769c7b76/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
gzRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af4bb3e1-43ba-4308-b76c-744521634c89
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1022396
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 654890 Sample: FUSlCWBCdY Startdate: 30/06/2022 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 8 other signatures 2->57 7 FUSlCWBCdY.exe 1 7 2->7         started        11 Kcoeymc.exe 3 2->11         started        13 Kcoeymc.exe 2->13         started        process3 file4 35 C:\Users\user\AppData\Roaming\...\Kcoeymc.exe, PE32 7->35 dropped 37 C:\Users\user\...\Kcoeymc.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\...\FUSlCWBCdY.exe.log, ASCII 7->39 dropped 59 Encrypted powershell cmdline option found 7->59 61 Writes to foreign memory regions 7->61 63 Injects a PE file into a foreign processes 7->63 15 RegAsm.exe 3 2 7->15         started        19 powershell.exe 14 7->19         started        21 powershell.exe 15 7->21         started        65 Antivirus detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 23 powershell.exe 14 11->23         started        25 powershell.exe 13->25         started        signatures5 process6 dnsIp7 41 45.162.228.171, 26112 QNAXLTDABR Brazil 15->41 43 Contains functionality to inject threads in other processes 15->43 45 Contains functionality to steal Chrome passwords or cookies 15->45 47 Contains functionality to steal e-mail passwords 15->47 49 2 other signatures 15->49 27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a6a04b924f8b72cd9a023067e6e0163d9eb44e6d241b07b17f1434b78094c0b/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2022-06-30 06:43:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
11 of 40 (27.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bjvajoje7c3szwnaemdh43qbmpm6wrhg2ja3a6yx6fbuw6ajjqfq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0603c2488dc90b966ad00a7917e99b3bcc632f3830dc6417dc1b5caf7612e5c1
AveMariaRAT
17db20ebfbce957562eb47a2a0db1a052df6352613d554fe707fae58b8975f81
AveMariaRAT
182280b43ae55b3458fe8d5ea1fe4ffcdd1c00fbc0f21cdcfde29f8686d245f9
AveMariaRAT
28899cd77a674fd8fc103e44aa12ce58b76dadcdcdecca0637c774df8dbdc61c
AveMariaRAT
2d59fe70ac77719864809b6386552a5e1c6470b496c80f36f7a8ff1ce3cf469d
AveMariaRAT
489a2e9c82e83a219e62ded379b4dd8323be026889a3453bc97f0cca67a8828d
AveMariaRAT
bc6f0afa356c9ffebad19431fd6a7ce3c845c946e030191099b115cb59daee3c
AveMariaRAT
d6f0adc68939dadf1673789efc9578fa08958bd6b5f20233a0d92cf12043c4ee
AveMariaRAT
e961ac85380ccd346de98c4a55e10b837b9a77b7d31ec7a312b61b484e32c932
AveMariaRAT
fb9d0187ef58360b6877dc38f0509030b2e7d57d060deae2bb6e3233dda8f47d
AveMariaRAT
+ 3'749 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/220630-hgxcdsgefp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
45.162.228.171:26112
Unpacked files
SH256 hash:
fbe2f7ba4a223c6f83f737e9d299c83c3000721f2534a683e157104fde5638c6
MD5 hash:
9f4b9294428615843a64daf4687a6dcd
SHA1 hash:
6b55ef3d624f270d031271626604925ffa3d8396
Link:
https://www.unpac.me/results/1d994260-a070-4796-a171-f37232f8e71d/
SH256 hash:
6fcd8ca3d7b7faacb7c0879f223baeb775131dc47aedf15360f56b4e6b6d6243
MD5 hash:
51c772f14656a631339bcbddf2ea4ea6
SHA1 hash:
39ea10d088b9085c26f23f54c34c876ac7551acc
Link:
https://www.unpac.me/results/1d994260-a070-4796-a171-f37232f8e71d/
SH256 hash:
0a6a04b924f8b72cd9a023067e6e0163d9eb44e6d241b07b17f1434b78094c0b
MD5 hash:
392dbbc022fbff71b60199b0913eaecb
SHA1 hash:
c2a1d0342929b78618424edd7ae0346584011857
Link:
https://www.unpac.me/results/1d994260-a070-4796-a171-f37232f8e71d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0a6a04b924f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/0a6a04b924f8b72cd9a023067e6e0163d9eb44e6d241b07b17f1434b78094c0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 0a6a04b924f8b72cd9a023067e6e0163d9eb44e6d241b07b17f1434b78094c0b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2215110/
Cape
Cape
https://www.capesandbox.com/analysis/284511/

Comments


Avatar
zbet commented on 2022-06-30 06:42:51 UTC

url : hxxp://ppz.devel.gns.com.br/temps/donexx.exe