MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d877ed3177f6917741d1387fe8cae644c582c0eacf8bdd54fc7dd762de40b01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d877ed3177f6917741d1387fe8cae644c582c0eacf8bdd54fc7dd762de40b01
SHA3-384 hash: 414cda6ae5beb467309bffa699cb021910d72a327beaf304bb85c7f103637523f0339fc08fcb8f60e710e67449a6d2c2
SHA1 hash: 54226d419785bf37da5bcde3f990f5d305417a75
MD5 hash: d99045be81e81d8e798d0d47acae9bb8
humanhash: bakerloo-finch-artist-timing
File name:PO#112422001101100100.PDF.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:620'992 bytes
First seen:2022-07-13 14:54:02 UTC
Last seen:2022-07-13 15:41:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f0c714c36e6cc016b3a1f4bc86559e4 (199 x GuLoader, 14 x Formbook, 4 x AgentTesla)
ssdeep 12288:nq7z1taZP1WUndA850Yr0K9FkJYlgzaRs5+DEOn6rqGRGKz2ny:q7TaZhd3vH9vsh+AO6rc
Threatray 15'202 similar samples on MalwareBazaar
TLSH T1FED412223BA1EC66D9001A75CE65CAFA87B1FD42DD10624337E43F5E7D739819E2E182
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 4bc498327090a828 (4 x Formbook, 2 x GuLoader, 1 x Neshta)
Reporter GovCERT_CH
Tags:AveMariaRAT exe GuLoader signed

Code Signing Certificate

Organisation:ADVARSELSSIGNALERNE Propraetorian7 HYSTEROPHYTAL Ossypite6
Issuer:ADVARSELSSIGNALERNE Propraetorian7 HYSTEROPHYTAL Ossypite6
Algorithm:sha256WithRSAEncryption
Valid from:2022-07-13T11:02:33Z
Valid to:2023-07-13T11:02:33Z
Serial number: 20222e5ffc27ede2
Thumbprint Algorithm:SHA256
Thumbprint: 07ae8d7e09004d8c7eca0e805834794f9973bfd59e5087866cfa4a1b3b4931b6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO#112422001101100100.PDF.exe
Verdict:
Malicious activity
Analysis date:
2022-07-13 23:17:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6d6e3e36-44ef-418b-8471-840ccf5c150c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/287587/
Detection(s):
SecuriteInfo.com.Variant.Tedy.164012.3615.30127.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% subdirectories
Searching for the window
Delayed reading of the file
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
buer overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62cedceb8dab2096b9945221/reports/b2ddff3e-d241-4d89-824b-fe209aa968f4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b6dfcc8e-30ab-4eb5-ba69-31219406094b
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1030392
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d877ed3177f6917741d1387fe8cae644c582c0eacf8bdd54fc7dd762de40b01/
Threat name:
Win32.Downloader.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-07-13 14:00:54 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
11 of 26 (42.31%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fwdx5uyxp5uro5a5cod75dfomrgfqlaovt4l3vkpy7oxmlpebmaq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
051400edf4aae2a1041743c1b12740a9e03cf51b6f9491e7e08138640dcd0db6
AveMariaRAT
091d92d2e14ba95af59e11e051333ad696507d9b2a93d9a926fc95cd40b4fbf4
AveMariaRAT
0cb7f05cc5d9f8ddd206af78f98965b2b1966d61ea6711f722019036b5e2e602
AveMariaRAT
721c03c3cc73dddfcf27e473fc9d1962dd59b3cc7f7b70cdc17d2d6a049aed8e
AveMariaRAT
755563f333f32b67a9920bc004ca720c9ad07a7d04d0f29fbbc0e7c634973ef6
AveMariaRAT
7aa19913253d9a036b10df1f8f0bdb25567edda11fe99050d85a47249142bec2
AveMariaRAT
804bfd9544242a85db66b1f2bd26e7a93a5e75009385137333dee18ad9685a6a
AveMariaRAT
9dcf1501177b898785315d1f3024cd8371da1c77401c0075aa2421bd5b056740
AveMariaRAT
cc09f5827a24df009fcdf2c71b6dacf33947e8bbc7521402171a9c08b3b8ca41
AveMariaRAT
+ 15'192 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:warzonerat collection discovery downloader infostealer persistence rat spyware stealer suricata
Link:
https://tria.ge/reports/220713-r9xcjaage4/
Behaviour
outlook_win_path
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_office_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Warzone RAT payload
Guloader,Cloudeye
WarzoneRat, AveMaria
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
Malware Config
C2 Extraction:
warzone.ddns.net:20911
Unpacked files
SH256 hash:
c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917
MD5 hash:
792b6f86e296d3904285b2bf67ccd7e0
SHA1 hash:
966b16f84697552747e0ddd19a4ba8ab5083af31
Link:
https://www.unpac.me/results/e97f58f3-83b2-43a6-80f2-343f344fc2c4/
SH256 hash:
949ac0869507df6078853e8bfc9036e5df16ac515a5516bbd882529ee59fefc9
MD5 hash:
e9d0e7921c5a5da2d74480cfd7dfa9d1
SHA1 hash:
71e0a4db61612815f88cbb526f87b8d6f0438ef7
Link:
https://www.unpac.me/results/e97f58f3-83b2-43a6-80f2-343f344fc2c4/
SH256 hash:
2d877ed3177f6917741d1387fe8cae644c582c0eacf8bdd54fc7dd762de40b01
MD5 hash:
d99045be81e81d8e798d0d47acae9bb8
SHA1 hash:
54226d419785bf37da5bcde3f990f5d305417a75
Link:
https://www.unpac.me/results/e97f58f3-83b2-43a6-80f2-343f344fc2c4/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2d877ed3177f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/2d877ed3177f6917741d1387fe8cae644c582c0eacf8bdd54fc7dd762de40b01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 2d877ed3177f6917741d1387fe8cae644c582c0eacf8bdd54fc7dd762de40b01

(this sample)

  
Dropped by
guloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/287587/

Comments