MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b53b4b9d14763cb1a084f67aa28e17517cfac8d7375fafb501fbf09b20c6f34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	0b53b4b9d14763cb1a084f67aa28e17517cfac8d7375fafb501fbf09b20c6f34
SHA3-384 hash:	317937eb1d6d4a1089a415835d8070b1a9bd6ed179b75723c3f0a31bab2b77b4b0cb7ba630d7fe4c17e6900a8f067645
SHA1 hash:	9bdf327d5e1ca02e842caa5336c38eaf95d02133
MD5 hash:	cab502e94eef262702b8d354de320cec
humanhash:	johnny-connecticut-zebra-burger
File name:	SOA-INV2234748343.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	449'968 bytes
First seen:	2022-06-27 08:23:09 UTC
Last seen:	2022-06-27 09:20:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	3072:kEIa3zNn6edapP11JCBCZJA3f0dzmswbk6lLyBwEbRePFzedZ4F/TkkShpZX+TR5:kja4uAjNskNwE8EEwTZXeRiLx24kc4
Threatray	1'620 similar samples on MalwareBazaar
TLSH	T1C1A45C633551A6B6EC28D175F89745832F243D6997873EAB32CCF32B1AB1170A31932D
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	71e1e8f4b6d8c962 (1 x AveMariaRAT)
Reporter	abuse_ch
Tags:	AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

233

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/283464/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed packed

Link:

https://www.filescan.io/uploads/62b9696362d792dc574998a8/reports/5e9de4a3-91d2-4f39-b1f5-9b2e53005664/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1bd49cdb-beb7-4517-a991-94e92f966e66

Result

Threat name:

AveMaria

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1020222

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Contains functionality to steal Chrome passwords or cookies

Encrypted powershell cmdline option found

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AveMaria stealer

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0b53b4b9d14763cb1a084f67aa28e17517cfac8d7375fafb501fbf09b20c6f34/

Threat name:

ByteCode-MSIL.Downloader.PsDownload

Status:

Malicious

First seen:

2022-06-27 08:24:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bnj3joori5r4wgqij5t2ukhboul47lenon27v62qd67qtmqmn42a._file

Verdict:

malicious

AveMariaRAT

3efa859091d8e7994ad47304244de9b0d14d4cfb5dca3df2a13aa7c0a62a021d

AveMariaRAT

61785f3d1e0ea932704bccfbd0ffe5d2e64d47290f25ac181caf9114f6f80068

AveMariaRAT

792bc8203c1c9e51685d264f5bb7a78f3a3fcf15ff7bfba813e2b5affa0909c8

AveMariaRAT

89fd50a006af9537d9181a8d2dd4872cd29639150ef2ed96a93ed1c3ad1967a4

AveMariaRAT

b163b9a4f26156aa3f0abcfcb522ceef509baf218be2f73fdc40db9ec3de6dac

AveMariaRAT

b3d4465709ca13e62a73e19d24e5234952553050d0793fe147c180d6b0db1f4e

AveMariaRAT

b826516b9fe4412f730527fa84dd3f1f927b58c933fad403dc64e54815cb147a

AveMariaRAT

dc54dbd72838084b3707ff4859365733c3f6ee284a7095a6cc958e793bffe9a9

AveMariaRAT

e4af6a6b4243bb6971be7edc28f16198ff88734d6a764dcddc6f5c6424309bd6

AveMariaRAT

+ 1'610 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat collection infostealer rat

Link:

https://tria.ge/reports/220627-kap1vabgc4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Loads dropped DLL

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

bed.fastestmaking.com:2562

Unpacked files

SH256 hash:

0b53b4b9d14763cb1a084f67aa28e17517cfac8d7375fafb501fbf09b20c6f34

MD5 hash:

cab502e94eef262702b8d354de320cec

SHA1 hash:

9bdf327d5e1ca02e842caa5336c38eaf95d02133

Link:

https://www.unpac.me/results/97d3ee53-c932-4882-9afe-5b3fb4a1c7e5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/0b53b4b9d14763cb1a084f67aa28e17517cfac8d7375fafb501fbf09b20c6f34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/283464/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample