MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d368cab5447757738b62e47b109e05df74e206884c14572ff5179be1b02d4ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 12



SHA256 hash: 1d368cab5447757738b62e47b109e05df74e206884c14572ff5179be1b02d4ef
SHA3-384 hash: a76205a94ddb1bbda202a92d3cf3d944cd64d1d3cd28f4addf5edf2a715f209a4537e7e61df77332d0422d4a97cd429d
SHA1 hash: 6554065ce76f7e594d80c1357b3af37a565fb53b
MD5 hash: 7706465edda1dd90cbbc44930e246067
humanhash: butter-twelve-march-football
File name: $wz$invoice_80312.exe
Signature: AveMariaRAT
File size: 1'734'592 bytes
First seen: 2022-05-04 08:59:29 UTC
Last seen: 2022-05-05 08:33:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ea816a6366467a07e2a9e44a00aa51f8 (1 x RedLineStealer, 1 x AveMariaRAT)
ssdeep: 24576:tpsuwMrneaQ2u5IGSjF4HwwrPKKTllvQuHW3U3xYkJrDv7:tpsuzCIIiG/vQu23cYuXv7
TLSH: T17985CF71B159412AE88E533AC420246544B52FF8028197B3879CFE2D3FBD69A5EBD373
dhash icon: f0ccf0d4ccf0cccc (1 x AveMariaRAT)
Reporter: madjack_red
Tags: AveMariaRAT exe signed

Code Signing Certificate

Organisation: statista.com
Issuer: Amazon
Algorithm: sha256WithRSAEncryption
Valid from: 2021-08-12T00:00:00Z
Valid to: 2022-09-10T23:59:59Z
Serial number: 085b513918e97d0631948c1d69a8367a
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 1187ae312cc75e6ff2c166433c99a1e22007bfb9eea4138989b207f3247a329d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 3
# of downloads: 270
Origin country: n/a
Vendor Threat Intelligence
Malware family: avemaria
ID: 1
File name: $wz$invoice_80312.exe
Verdict: Malicious activity
Analysis date: 2022-05-04 09:01:25 UTC
Tags: warzone trojan stealer rat avemaria

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Creating a file
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 60 / 100
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID 620104; sample: $wz$invoice_80312.exe; start date: 04/05/2022; architecture: WINDOWS; score: 60):
Signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Initial sample is a PE file and has a suspicious name; Uses schtasks.exe or at.exe to add and modify task schedules
Process tree: $wz$invoice_80312.exe started; dropped C:\Users\user\AppVerif\DllHelper.exe (PE32); started schtasks.exe (which started conhost.exe) and DllHelper.exe
Threat name: Win32.Trojan.Tnega
Status: Malicious
First seen: 2022-05-03 23:04:30 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 13 of 25 (52.00%)
Threat level: 5/5
Verdict: malicious
Label(s): avemaria
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 2ed0a0565c9120ab8fa1bce297430514a9db078d3f6990f6dca6158f0c00f3b8
MD5 hash: 01b04ebbd72b7f200d9be9cc831e1d19
SHA1 hash: f3b5c54dc578ba2e0281536ef53a98d22b25d36b

SHA256 hash: 497ddc263a9c8858d10d553542b1c12416be045b930fe2ce534392965ea14c22
MD5 hash: bbfce2eb02ff9be804f5672cecbabcdf
SHA1 hash: 45add73c2d66b5b9b085986f057a4b30e1f842e8

SHA256 hash: 1d368cab5447757738b62e47b109e05df74e206884c14572ff5179be1b02d4ef
MD5 hash: 7706465edda1dd90cbbc44930e246067
SHA1 hash: 6554065ce76f7e594d80c1357b3af37a565fb53b

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
