MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d5a138754a0bcb2bf5557f158c342e8f7e32a509a3d93775e5aeb59d5d4e0d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	0d5a138754a0bcb2bf5557f158c342e8f7e32a509a3d93775e5aeb59d5d4e0d0
SHA3-384 hash:	605faa4f8321e34c196fa0933b07c771912f2de3934e06b3eae0fe3e308c90af5186a40f01755ebe0230ab7477707038
SHA1 hash:	e53b929f598c81cd6748d135f46eb0e0bc5db009
MD5 hash:	c61d630e1916a43161512d07bdc9d4bb
humanhash:	echo-louisiana-crazy-may
File name:	FAKTURA 2.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	804'352 bytes
First seen:	2022-11-03 07:53:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4360123f607bd9d51842a83c01b57e13 (3 x ModiLoader, 1 x AveMariaRAT)
ssdeep	24576:O1ej9vjNxT4NMb8SDxOTeCYSfI5b2sJxHJHtuSCg/c3kCv/oMw2n+OkI8axrtrgr:O1gvPsfdA
TLSH	T12B05AE6372D63077E1531A78CD1A5B1AA82BBF791EAC680217F0795D3BF91C13C2A187
TrID	65.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 25.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 4.2% (.EXE) InstallShield setup (43053/19/16) 1.3% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.2% (.SCR) Windows screen saver (13097/50/3)
File icon (PE):
dhash icon	74f48888868e88b4 (12 x SnakeKeylogger, 7 x Formbook, 5 x RemcosRAT)
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

abuse_ch

AveMariaRAT C2:
194.5.98.62:5200

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FAKTURA 2.exe

Verdict:

Malicious activity

Analysis date:

2022-11-03 08:10:07 UTC

Tags:

installer

Link:

https://app.any.run/tasks/2ecc20e1-6731-4c56-8b6a-53a32b7ece1c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/327724/

Detection(s):

SecuriteInfo.com.Variant.Strictor.244004.784.15712.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Creating a process with a hidden window

Searching for the window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/47824/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/6363739d41979aedb8d5311a/reports/f9fe34ea-1e16-4d65-aa4d-02e329fb633e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f2b9d15f-90e8-46d3-838a-f0042c86df7e

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1104905

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0d5a138754a0bcb2bf5557f158c342e8f7e32a509a3d93775e5aeb59d5d4e0d0/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-11-03 07:54:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bvnbhb2uuc6lfp2vk7yvrq2c5d36gksqti6zg526llvvtvou4dia._file

Verdict:

malicious

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:modiloader family:warzonerat infostealer persistence rat trojan

Link:

https://tria.ge/reports/221103-jrj1gsfhb2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Adds Run key to start application

ModiLoader Second Stage

Warzone RAT payload

ModiLoader, DBatLoader

WarzoneRat, AveMaria

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/68bd9cac-f5e9-4d8f-8f8a-1540822dbf4c

Unpacked files

SH256 hash:

3f17ebba5a2529b8794c6e86f2b124eacc332692ccdb8acfc6ebf8829c5889e7

MD5 hash:

990016aba0656d25f84a329e5a48c50b

SHA1 hash:

f13ea53aaa58d65bd696da99836dd5473f290536

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/992f732f-3d2f-403d-aff8-5c5e426183e6/

Parent samples :

de8962c07eba5fdd819df024cf7a88ccbec0084913e782182dc0392338f0243e
a35981f164ad40d52d9c1f665d0cd9506abcefec984fd00ec21a7a83aeb25024
483919bfc0da6d92481d70ca620e1ee0aebb3d81931d88a894ac32328e8808e8
cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8
25d182f0fae63df346da5dd500309607c39325a90aca36121e9d928e4c445b76
3a61c9b0b4096cef95698ca41594941955d36e857c7b42f8d84962272f850115
4cf4313d499e9400a60a0961344e6df29acc85e6d62e18c118bef1493f801e53
f36b68e818ef0e90919221028f143fe314f463f418f550c707e1ca5fc632ad9c
f90adf7f130b1deacd0b940e101f471efeb9c670e848cd2a7e77152db0455298
580f58b0bcc5fdd1b9e1237ec9d6a58b3de0f532d92b0ef49314bcc05442272a
0d5a138754a0bcb2bf5557f158c342e8f7e32a509a3d93775e5aeb59d5d4e0d0
6d22199bcb9c6a15a14e129c4c30ad4aa19148a9b1aac32531d1dfa19a40f671
2bfbbbf3105253503802f18a048d3b36954efeb97ecb9ab9556dffa98bfb832a
e9ca640bda7dd97f7d0c9d1b810a7704144cfba14ec0271ead9e8dd6636c89d0
3f2a62eed0aff1007bac6177aed82a1722bb6b63b1d49fa87153199cd8e8d5f1
b5b7bca8e148356c32d008301fc0209f003ac123c0d752e685f87a66e81ac64b
b812dd30a73b638b960af5ef21e2e3dcf807728b381a8f71553e0a32d2307b92
da7ce792ea58fe4b0920be78435d44fef2ef1025cfac8abb0b43a9878d26c6c3
97672b7a0e6ab5bdc206aecdc117fd9ec7529db666f9c30764fa0d4e31fa48bb
3f5d2ca933f5c7cea6f55f14ebfd7d9f703ef2d9ba54ed8212aeda2d893c875b
e56fd483ef8e5da7ce843288c45d4af517bf868c18ddeba08da40814b8b0a60e
754025dc4effece12c7c7b3041d2f22050b442251ef1f25dc425f685a277e0e6
1d160af25e96ec1d33d50216a3eafdc16a1df90a6c62929e25f626dae138015b
f6ddc63173d134db79db880c7f5b338987f31ddd36cfcb27cf15e3bb08a507bb
6ffcc5061fbafa5eeee756b0292d6ec83109623b786b8e2f5ca5ecbd92a816c0
63419dd22896ba6ddb1710fd35ae0b64506c8a80c62b59ba33979d375737c2ca
22655d19fee46d3578c4425d75f5633cb06b353b7383a300962d46289b6ba24d
7a9c39d98ace102b6fa94aafaa6bd652b17b247da09bee12e84fca6302b08e19
bec4ef3573fb041d4a688c353f4682186f2bfe3918e9add4b9c5ceda5ec2627c
0aa8a9d5f174dc2d70924c909f6f1f1336152de536a729931a1acfa2500fb2f5

SH256 hash:

255f0b5decd60eb3a30ed4688041c345bcb47fc55d8d0314526defd13e7c0638

MD5 hash:

4dd3e25d884e7f0da154644326bb4999

SHA1 hash:

7df189b1c641e6c4e4664afdbcfee05bdbc37d78

Link:

https://www.unpac.me/results/992f732f-3d2f-403d-aff8-5c5e426183e6/

SH256 hash:

0d5a138754a0bcb2bf5557f158c342e8f7e32a509a3d93775e5aeb59d5d4e0d0

MD5 hash:

c61d630e1916a43161512d07bdc9d4bb

SHA1 hash:

e53b929f598c81cd6748d135f46eb0e0bc5db009

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/992f732f-3d2f-403d-aff8-5c5e426183e6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0d5a138754a0bcb2bf5557f158c342e8f7e32a509a3d93775e5aeb59d5d4e0d0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/327724/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample