MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 260ae0e8bbc123f97f25875e8657ce6a61ab826209a1d83b8904ceadad2ad48a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 260ae0e8bbc123f97f25875e8657ce6a61ab826209a1d83b8904ceadad2ad48a
SHA3-384 hash: 989514bf160117990c33ccdb1e80e0493663e4c8911e5164db28fc4777b2061828a206af793cf31292d0df4f2facb1f1
SHA1 hash: ad18b0c0e45eab4118ce7f8d50e478c44ea7c6e0
MD5 hash: a69ec4b8f3228017bf25a601707d2979
humanhash: mars-winner-idaho-earth
File name:a69ec4b8f3228017bf25a601707d2979.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:2'168'320 bytes
First seen:2022-08-27 07:11:21 UTC
Last seen:2022-08-27 07:54:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'662 x Formbook, 12'252 x SnakeKeylogger)
ssdeep 12288:1w7bh6mzqBFyZPKJ6EC7Njemp3bAQGOYrpkbXwQnnZrCFDohjK4v57BPSyp5TfjX:+1zqaA6EmhZYrpwXwEVhRR7RSypp
Threatray 18 similar samples on MalwareBazaar
TLSH T141A50885B794DD96E07E2B7590F301121F78E841ABE59B8D568872B43C223413CB7BBB
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74e4d4d4ecf4d4d4 (23 x GuLoader, 20 x LummaStealer, 19 x AgentTesla)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
359
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a69ec4b8f3228017bf25a601707d2979.exe
Verdict:
Malicious activity
Analysis date:
2022-08-27 07:25:17 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/d3b074d9-bccb-4485-b6e6-da92e4dff4b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301549/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.23339.28451.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Sending an HTTP GET request
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware hacktool
Link:
https://www.filescan.io/uploads/6309c3dd3cbb13868a892bfa/reports/1b8dddd1-a6d9-446e-9fec-6f0549262e0b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07d452f5-9e93-46ec-8215-ee153311cf4a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1058803
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/260ae0e8bbc123f97f25875e8657ce6a61ab826209a1d83b8904ceadad2ad48a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-26 11:56:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eyfob2f3yer7s7zfq5pimv6onjq2xatcbgq5qo4jathk3ljk2sfa._file
Verdict:
malicious
Similar samples:
00115cc3601a15a91c91fa2620ed1d5bfc83a0561f081b1f5d45365b8594a217
AveMariaRAT
5a2ebb201e3f9c619ad23b0043136c4aca5849f345733c68b9647d102b52b4ff
AveMariaRAT
5cb3fb5b66cd56f7f3ed2ce5b1f3a02b9b615b7e8c41590ca04289ae692af8d2
AveMariaRAT
61a98c70ef7a47d6f99891a598b234753c976c4cf9650e12d37b52d2b1923d6b
AveMariaRAT
8aa5bd6c413e609cebd3bf6a00bab7df51cac1487d9d4fa41ce6b0f167f9ce82
AveMariaRAT
c84397694e1e9273cf3fc9c9801f6ef6a4f206b6d89e4624aea2f073350be2df
AveMariaRAT
d8c2f28a4b492e55b4c7a16868a0d898097dd8f30a5d4acd371df61905fd1984
AveMariaRAT
e1db9a1008368b341ee4cbf519c859e65d16e5fb5ac5f45fa63a58aec07532b8
AveMariaRAT
f493302e1ea4bece2e801b8509aa51d1c13d5c9a741c06a048bcececfedd120e
AveMariaRAT
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220827-h1hncaffcn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
SH256 hash:
260ae0e8bbc123f97f25875e8657ce6a61ab826209a1d83b8904ceadad2ad48a
MD5 hash:
a69ec4b8f3228017bf25a601707d2979
SHA1 hash:
ad18b0c0e45eab4118ce7f8d50e478c44ea7c6e0
Link:
https://www.unpac.me/results/986cbebe-d12e-47ad-87ff-f52207d6ef53/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/260ae0e8bbc1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/260ae0e8bbc123f97f25875e8657ce6a61ab826209a1d83b8904ceadad2ad48a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 260ae0e8bbc123f97f25875e8657ce6a61ab826209a1d83b8904ceadad2ad48a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2275923/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/301549/

Comments