MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2278d1bca473d91247e01794a1202297bda4bce23c3a1e74c43abc67d8d7b371. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 12

SHA256 hash: 2278d1bca473d91247e01794a1202297bda4bce23c3a1e74c43abc67d8d7b371
SHA3-384 hash: 1ce4de2324bcb127d9be1a99dbd78d111bda00deda1c6fa06243978ced02da56a1b1c39843ab913be207e01fc4dd7fe4
SHA1 hash: 277d9f69e0698f248222d53e029b198b5370d14d
MD5 hash: 1ef419923a2023c3cb30fa7b844e71d8
humanhash: comet-bacon-comet-uranus
File name: Samsung-Galaxy-Video-Keller.exe
Signature: AveMariaRAT
File size: 294'912 bytes
First seen: 2022-10-19 02:37:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep: 6144:8BlkZvaF4NTB0Ilv6pceeqYa+5d69kVrKwIpeVRnbUbf0yiyvXN:8oSWNT+IUpIbhkOqJF
Threatray: 2'970 similar samples on MalwareBazaar
TLSH: T11F549D211AA2899BD1512F7800B0B76E827A5FE07D3AE797DF2134D1AF32BC539752D0
TrID: 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 677737333723e564 (1 x AveMariaRAT)
Reporter: r3dbU7z
Tags: AveMariaRAT exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 249
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Samsung-Galaxy-Video-Keller.exe
Verdict: Malicious activity
Analysis date: 2022-10-19 06:24:41 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Forced system process termination
Launching a process
Sending an HTTP GET request
Creating a file
Using the Windows Management Instrumentation requests
Modifying a system executable file
Launching cmd.exe command interpreter
Launching a tool to kill processes
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AveMaria, Babadeda, UACMe
Detection: malicious
Classification: phis.troj.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Contains functionality to hide user accounts
Creates files in alternative data streams (ADS)
Drops script or batch files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Yara detected AveMaria stealer
Yara detected Babadeda
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph: ID 725781; sample Samsung-Galaxy-Video-Keller.exe; start date 19/10/2022; architecture WINDOWS; score 100 (process-tree graph rendered as an image on the original page)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-10-19 02:57:57 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat infostealer persistence rat upx
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
NTFS ADS
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction: 111.90.151.174:5200
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: AveMariaRAT
File type: Executable exe
SHA256: 2278d1bca473d91247e01794a1202297bda4bce23c3a1e74c43abc67d8d7b371 (this sample)