MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14f2a593281d5c9700a878f32199aa69b18f10b2d3849d216764f96a3f8a00f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 9

SHA256 hash: 14f2a593281d5c9700a878f32199aa69b18f10b2d3849d216764f96a3f8a00f9
SHA3-384 hash: b2f745da5d20193b6b473432a5a0845c182e10942a7753d58b4a80078d325dfd013f6be80897907f62a1eba4c9dea306
SHA1 hash: c85cf74f93a693c0cfe30c2b858c738d1266e064
MD5 hash: 236eb14b78cb074e7e70e2d2114e19a1
humanhash: cup-hamper-lemon-tennis
File name: 236eb14b78cb074e7e70e2d2114e19a1
Signature: AveMariaRAT
File size: 235'008 bytes
First seen: 2022-08-17 07:13:06 UTC
Last seen: 2022-08-17 09:35:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a57cfbd6931c8ca5bade61539c0444d4 (1 x AveMariaRAT)
ssdeep: 6144:BlfFlG4GX4yv2tSbQs9sZMVPt/4JrqmuW:bFlG4nyEcQsN1/4JrqmuW
Threatray: 2'250 similar samples on MalwareBazaar
TLSH: T1DE34BF23B29565F0E47A4372CC614596E3727C365BE0AA5F13A877391E332904E7EFA0
TrID:
  48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.3% (.EXE) OS/2 Executable (generic) (2029/13)
  9.2% (.EXE) Generic Win/DOS Executable (2002/3)
  9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 71d5d4a9b9deddb1 (1 x AveMariaRAT)
Reporter: zbetcheckin
Tags: AveMariaRAT exe

Intelligence

File Origin
Number of uploads: 3
Number of downloads: 198
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 236eb14b78cb074e7e70e2d2114e19a1
Verdict: No threats detected
Analysis date: 2022-08-17 07:16:00 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Running batch commands
  Launching a process

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
  MalwareBazaar
  MeasuringTime
  EvasionQueryPerformanceCounter
  CheckCmdLine

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AveMaria
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
  Bypasses PowerShell execution policy
  C2 URLs / IPs found in malware configuration
  Contains functionality to hide user accounts
  Disable Windows Defender notifications (registry)
  Encrypted powershell cmdline option found
  Hides that the sample has been downloaded from the Internet (zone.identifier)
  Machine Learning detection for dropped file
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Potential dropper URLs found in powershell memory
  Powershell drops PE file
  Self deletion via cmd or bat file
  Uses ping.exe to check the status of other devices and networks
  Uses ping.exe to sleep
  Very long command line found
  Yara detected AveMaria stealer
Behaviour
Behavior Graph (ID: 685312; Sample: gSMubITWIY; Startdate: 17/08/2022; Architecture: WINDOWS; Score: 100)
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected AveMaria stealer; 3 other signatures
Process tree (graph node numbers in parentheses):
  gSMubITWIY.exe (8) - signatures: Very long command line found; Self deletion via cmd or bat file
    cmd.exe (11) - signatures: Uses ping.exe to sleep; Very long command line found; Encrypted powershell cmdline option found; 2 other signatures
      powershell.exe (20) - network: cdn.discordapp.com 162.159.130.233, 443, 49744 CLOUDFLARENETUS United States - signatures: Disable Windows Defender notifications (registry); Powershell drops PE file
    cmd.exe (14)
      powershell.exe (24) - network: 162.159.134.233, 443, 49760, 49761 CLOUDFLARENETUS United States - dropped file: C:\ProgramData\tsetup-x64.3.1.9.exe, PE32
        tsetup-x64.3.1.9.exe (31) - network: www.google.com 142.250.185.196, 443, 49762 GOOGLEUS United States - signatures: Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
    cmd.exe (16)
      PING.EXE (27) - network: 192.168.1.1 unknown unknown
      conhost.exe (29)
    conhost.exe (18)
Threat name: Win64.Trojan.SelfDel
Status: Malicious
First seen: 2022-08-16 04:00:12 UTC
File Type: PE+ (Exe)
Extracted files: 16
AV detection: 15 of 26 (57.69%)
Threat level: 5/5

Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat infostealer persistence rat
Behaviour:
  Runs ping.exe
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: LoadsDriver
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Drops file in Program Files directory
  Drops file in System32 directory
  Suspicious use of SetThreadContext
  Deletes itself
  Loads dropped DLL
  Blocklisted process makes network request
  Executes dropped EXE
  Sets DLL path for service in the registry
WarzoneRat, AveMaria
Malware Config
C2 Extraction: parkerpublic.com:4444
Unpacked files
SHA256 hash: 14f2a593281d5c9700a878f32199aa69b18f10b2d3849d216764f96a3f8a00f9
MD5 hash: 236eb14b78cb074e7e70e2d2114e19a1
SHA1 hash: c85cf74f93a693c0cfe30c2b858c738d1266e064
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AveMariaRAT
File: Executable exe 14f2a593281d5c9700a878f32199aa69b18f10b2d3849d216764f96a3f8a00f9 (this sample)

Comments

zbet commented on 2022-08-17 07:13:18 UTC

url : hxxp://109.206.241.81/htdocs/dGFJs.exe