MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d38ea72059443a96e979d8669d1eb95be5863beb8459ef4d408417c3e823484. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d38ea72059443a96e979d8669d1eb95be5863beb8459ef4d408417c3e823484
SHA3-384 hash: 62c50366c408925ec9830089eb143f0ebfbd1d55352a4f6b4e045cdea2811a0ded54211f5a9272ee4c1dbc4b2e294400
SHA1 hash: 003c911960d606eaf13bd26579aa15ca027344d2
MD5 hash: edbf02a1ca1a153f4a0274b6a4ba52e1
humanhash: summer-ceiling-paris-victor
File name:e11c962c564678430583982c79947a99.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:103'936 bytes
First seen:2020-03-30 03:30:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 879635b629affd65258851469f9bf6f9 (31 x AveMariaRAT)
ssdeep 1536:lvqIPE8ddFD1frrq7gVxoNGPNJKF1m+xVE0/bKM:cI8CxFVxAMNJKu+xVE0TKM
Threatray 423 similar samples on MalwareBazaar
TLSH 77A39D2377D14439F67102B02CB97F79CABFBE380221855BD72456876B31994EA363A3
Reporter abuse_ch
Tags:AveMariaRAT exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1boC4iE-cB85KxGFqXp7XyEv8UYq-2Y0C

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Maria.4.17072.22484.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Maria.3.30306.22950.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Antiav
Create hunting rule
Status:
Malicious
First seen:
2020-03-30 03:35:22 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
40 of 47 (85.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bu4ou4qfsrb2s3uxtwdgtuplsw7fqy56xbcz55gubbaxypucgsca._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
1433b4d3248aed590bdbc1295cc755490176aa3c300d1c56373736272ddd8dcb
AveMariaRAT
17f254df13906b735315c9a4377b950ba059eff2636ce4a710af5dd3a1ea4535
AveMariaRAT
1abd6deadaaa0e8386b1df2aeceacf637894adcb1d42762d1b141bcde569bc6f
AveMariaRAT
6b03acf7658af95975077de9cb4b5acaac1d2ed23f0c419ea13f39d25387bdce
AveMariaRAT
7a21a7a3639f98f4d6d5f4e838aa26cd26586a06ad9cb580aa5b23c4c8051901
AveMariaRAT
7f29131cb5f28ccbd60dbdf39b6b3c79a974d4a3950aac1d1c0f7edd68193c03
AveMariaRAT
7f62e5e2d0cfbe0740718588465b71a701fe3e188a8a4755baacbdc6fb41d52c
AveMariaRAT
9c83b050047ab4b9ca6c23e46b7d77ffc9c5207cc5981aac77c6c392abb7aff9
AveMariaRAT
b4dacfa5ab0ebae0bcc9b7b3f5519072e933d4ff20904d6504a0a032f708bdf8
AveMariaRAT
cb5c24e649bfdd00c9d03e8c16dfda3f1101fb531b94fd57922339a12e22a0d6
AveMariaRAT
+ 413 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 8e73787d3dc6bb435522fee22cb9d32fa7a02b12975f8e3eefe95a67f2b122d8

GuLoader

Executable exe c86adaa9802afda5346e7b351ebe646dcf3bdeff37af3beb9f72b2bf42d2b5e2

AveMariaRAT

Executable exe 0d38ea72059443a96e979d8669d1eb95be5863beb8459ef4d408417c3e823484

(this sample)

  
Dropped by
MD5 e11c962c564678430583982c79947a99
  
Dropped by
MD5 9329537e60f117d07a2f3fb0dbd4c9ae
  
Dropped by
GuLoader
  
Dropped by
SHA256 c86adaa9802afda5346e7b351ebe646dcf3bdeff37af3beb9f72b2bf42d2b5e2
  
Dropped by
SHA256 bd726690fc31889a77d0f1ecd06f631a8c18de7f0d3002f730627d25c274c2ab
  
URLhaus
https://urlhaus.abuse.ch/url/332084/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
DP_APIUses DP APICRYPT32.dll::CryptUnprotectData
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::SetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::ShellExecuteExA
SHELL32.dll::ShellExecuteExW
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateRemoteThread
KERNEL32.dll::CreateProcessW
KERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
SHELL32.dll::SHCreateDirectoryExW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::LookupAccountSidW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo
WS2_32.dll::InetNtopW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigW
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
ADVAPI32.dll::StartServiceW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments