MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1430490e98890154380a156e19dc99e32ef9a5c95fcd14d30469f444812772ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1430490e98890154380a156e19dc99e32ef9a5c95fcd14d30469f444812772ca
SHA3-384 hash: a1ad438494ffdf62b1c6ad5cc19a9d53b83a71ffe29982abf96a44e33c344075f5adff8c77bad0be16d095609a114ad0
SHA1 hash: a269d076d60979a70b432f01b914dbdb6523a1bc
MD5 hash: 13385b79506993ea47687aeb8f64f3b8
humanhash: coffee-winner-video-seventeen
File name:DOC_098765678.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:719'360 bytes
First seen:2021-08-23 10:17:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:RFUHcP/5GJ4RiRvvivAKL7P5Fkn1Y/U+TrIjJBT3wV6Vt+4z0gEV9xCkYhgBJ:RFUktcvi4Kv501R+Tr+AV6/70n5CI
Threatray 2'357 similar samples on MalwareBazaar
TLSH T123E412057FC8EB8EC67F4E379D60242087F4D4761B52E3195CC627FA2A4DB858A2439B
Reporter GovCERT_CH
Tags:AveMariaRAT exe WarzoneRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DOC_098765678.exe
Verdict:
Malicious activity
Analysis date:
2021-08-23 10:19:25 UTC
Tags:
trojan stealer rat avemaria
Link:
https://app.any.run/tasks/562d2aa2-abfd-4523-a2d0-e67536bc978b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/181457/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Launching a service
Loading a system driver
Sending a TCP request to an infection source
Enabling autorun for a service
Forced shutdown of a system process
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac9e3b57-edc4-406f-acbf-8cd3286d6730
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837439
Signature
Contains functionality to hide user accounts
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1430490e98890154380a156e19dc99e32ef9a5c95fcd14d30469f444812772ca/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-23 07:32:15 UTC
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cqyesduyreavioakcvxbtxez4mxptjojl7grjuyenh2ejajholfa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
27c7c159ac96bd76fc993fd76e2ee88106631af414a235a2a1aae1e31100af99
AveMariaRAT
36c35b4364b62c4d1ff2be1e1a043a10bc587625ad383dd2b4dacde157a952e4
AveMariaRAT
411a7c0f381354be120c25158756008260b2ba2f3b2a83e4a514602ab09edbea
AveMariaRAT
562dd81cf76983ebc3fa71b9914d25e9f40a5a6ddbf5bf95a48d60104812cca0
AveMariaRAT
885e34ff7befbdcdb027a017843cbacdba7eebb34d3df2e3113cceb9adafe8b5
AveMariaRAT
94fd8c7b7935c64a7ed46794b3b5597800ae02715d5d0d95df19b208dc0d98fb
AveMariaRAT
9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590
AveMariaRAT
dbdfbca2dcc01a530cd7c449500dc0f6b564c11f9ed9dc8d746709a235d6826f
AveMariaRAT
ed2bb22bb3dd5725d0be4c93f3ee6bb3b0424db9a38e11a825eac6a8862d0241
AveMariaRAT
f9ca14fcdffeb48b11ea026812ac0a7dc941f27e0c1384dc8e9b83b18de4c2a7
AveMariaRAT
+ 2'347 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210823-sk8y8e35sj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Sets DLL path for service in the registry
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
185.140.53.231:8383
Unpacked files
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/35596d00-69a0-4783-89c1-3eb9ce1037cb/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/35596d00-69a0-4783-89c1-3eb9ce1037cb/
SH256 hash:
82d2f431554c888e55326ba95d9dec1d86c26946678305815703ee38517989a6
MD5 hash:
59a7fdf510d7ca09ab5723dbe7d92c6c
SHA1 hash:
8c94343cfd99ae63dc6fd28a83408acb34e49977
Link:
https://www.unpac.me/results/35596d00-69a0-4783-89c1-3eb9ce1037cb/
SH256 hash:
6727597ee3d6f8ec7b10ad29d3de109101da6efd106a4c64c1d56dcb57daf992
MD5 hash:
56a5ced6f574ac44e26316d10f01fedf
SHA1 hash:
87dc2865bc5b69acd88a359526c1c6548e512de0
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/35596d00-69a0-4783-89c1-3eb9ce1037cb/
SH256 hash:
171750d9133b1789251a748ba9172be644962f0db12ff40ee9805a50cd53afca
MD5 hash:
e0959a66d0e192f56fd7a5e2ca5d0c6e
SHA1 hash:
652de2da13f877d72e4156ece7862684f8b35bbe
Link:
https://www.unpac.me/results/35596d00-69a0-4783-89c1-3eb9ce1037cb/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/35596d00-69a0-4783-89c1-3eb9ce1037cb/
SH256 hash:
1430490e98890154380a156e19dc99e32ef9a5c95fcd14d30469f444812772ca
MD5 hash:
13385b79506993ea47687aeb8f64f3b8
SHA1 hash:
a269d076d60979a70b432f01b914dbdb6523a1bc
Link:
https://www.unpac.me/results/35596d00-69a0-4783-89c1-3eb9ce1037cb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1430490e9889/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1430490e98890154380a156e19dc99e32ef9a5c95fcd14d30469f444812772ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 1430490e98890154380a156e19dc99e32ef9a5c95fcd14d30469f444812772ca

(this sample)

  
Dropped by
warzonerat
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/181457/

Comments