MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 328d2afddbe8e9235437788706f4a64f193d0aad020e695daa2a4afd8f09c475. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 328d2afddbe8e9235437788706f4a64f193d0aad020e695daa2a4afd8f09c475
SHA3-384 hash: d481e078d7d4fabf98f0b652ac541b24d135b16912a0768a350e44e38c97f3410683d8563ca4fdd36e3de3fc0d22b8f6
SHA1 hash: 9b418b51583de0bd6d4d9d38b0c908eb5a6f93a7
MD5 hash: d81b35a76ff630de9f6b769d9f257580
humanhash: monkey-may-robin-ack
File name:SecuriteInfo.com.Scr.MalPbsgen1.26772.19662
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'461'248 bytes
First seen:2022-05-18 17:47:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 36c0ffdab89e265b5a748a59648230b2 (2 x BitRAT, 1 x DBatLoader, 1 x AveMariaRAT)
ssdeep 24576:IS9G0VKjq4R7Bi2JvS761Y9uIyd73h517nOVy00xBORvOZO:Ie1WxOPyRhvOVX0Sv
Threatray 9'522 similar samples on MalwareBazaar
TLSH T1A765BF22B2D14433C43317749D0F97A1A9377E512B6494BA2BF56D9C5FBA6823C3A383
TrID 46.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
31.5% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
18.3% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
0.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.9% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon e69296968e9e9ea6 (4 x AveMariaRAT, 4 x RemcosRAT, 3 x BitRAT)
Reporter SecuriteInfoCom
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Scr.MalPbsgen1.26772.19662
Verdict:
Malicious activity
Analysis date:
2022-05-18 20:53:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a918ac77-7543-4e39-a243-2fd52bd7f7ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272195/
Detection(s):
SecuriteInfo.com.Scr.MalPbsgen1.26772.19662.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/18842/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger packed replace.exe
Link:
https://www.filescan.io/uploads/6285313938fe62fc11b8180a/reports/7d15d011-0561-438f-a048-17e6deedad72/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/299930ae-88f7-48f1-8bed-95ced76b9074
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/997083
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 629579 Sample: SecuriteInfo.com.Scr.MalPbs... Startdate: 18/05/2022 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 6 other signatures 2->67 8 SecuriteInfo.com.Scr.MalPbsgen1.26772.exe 1 22 2->8         started        13 Jxnklst.exe 17 2->13         started        15 Jxnklst.exe 14 2->15         started        process3 dnsIp4 47 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49730, 49733 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->47 49 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49729, 49732 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->49 55 3 other IPs or domains 8->55 41 C:\Users\Public\Libraries\Jxnklst.exe, PE32 8->41 dropped 43 C:\Users\...\Jxnklst.exe:Zone.Identifier, ASCII 8->43 dropped 83 Writes to foreign memory regions 8->83 85 Allocates memory in foreign processes 8->85 87 Creates a thread in another existing process (thread injection) 8->87 17 logagent.exe 3 4 8->17         started        21 cmd.exe 1 8->21         started        51 onedrive.live.com 13->51 57 2 other IPs or domains 13->57 89 Injects a PE file into a foreign processes 13->89 23 DpiScaling.exe 4 13->23         started        53 onedrive.live.com 15->53 59 2 other IPs or domains 15->59 91 Multi AV Scanner detection for dropped file 15->91 25 logagent.exe 1 15->25         started        file5 signatures6 process7 dnsIp8 45 febrem1.ddns.net 191.101.130.52, 49772, 49802, 5200 MAJESTIC-HOSTING-01US Chile 17->45 69 Tries to steal Mail credentials (via file / registry access) 17->69 71 Contains functionality to inject threads in other processes 17->71 73 Contains functionality to steal Chrome passwords or cookies 17->73 81 4 other signatures 17->81 27 cmd.exe 1 17->27         started        29 cmd.exe 1 21->29         started        31 conhost.exe 21->31         started        75 Tries to harvest and steal browser information (history, passwords, etc) 23->75 77 Writes to foreign memory regions 23->77 79 Allocates memory in foreign processes 23->79 33 cmd.exe 1 23->33         started        signatures9 process10 process11 35 conhost.exe 27->35         started        37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/328d2afddbe8e9235437788706f4a64f193d0aad020e695daa2a4afd8f09c475/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 17:48:15 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gkgsv7o35dusgvbxpcdqn5fgj4mt2cvnaihgsxnkfjfp3dyjyr2q._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0d9facf6b7073de4e3db19eb64e80589d98cfe35b66942191390a891bb8b241c
AveMariaRAT
6299e5f3946878e16130c6454bcd90bf319b3dcf8bd13d9a56bb867ba82eb655
AveMariaRAT
6458542795cc0a40d4ab238e2be5fb15546d5ca38e52d1f9c7d4157dca27679a
AveMariaRAT
6a388696745c133ba5ea711f6413c3c10c082df2d70ca70b2f015c5f83c53c75
AveMariaRAT
6e604a080ddaa906e8e74171c393bcea4af00c95e0d8c919e2838c08195078a7
AveMariaRAT
a1e72ad944e02ee8ada1e6b4b98217e7eeb8fa0c0c19aeebaf7401e2f35ee54d
AveMariaRAT
a28d456ec326f62b15dc6257859619c1a2dc6817f332adb9c87fbb146676dc00
AveMariaRAT
c16b9319edf591f4b75c3b69e09451de772816ed5a7915c9112bb8dd14e4aea3
AveMariaRAT
f43ec67b5158f58273a216cbc49003c55b8f0e6316a3390823348924e38507be
AveMariaRAT
+ 9'512 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat collection infostealer persistence rat trojan
Link:
https://tria.ge/reports/220518-wde6lafadr/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
febrem1.ddns.net:5200
Unpacked files
SH256 hash:
21c0fb2b53a8dc9d38a9cef684adce53f0dd311c3e8861cddda7946408f00b77
MD5 hash:
e91f52a1d9b8f23ae40be2e76017452c
SHA1 hash:
f86fd2cfcc8513e76c7c3ae74ae03d509aa3f453
Link:
https://www.unpac.me/results/16add8c2-329f-466b-baaa-6eb347c9785c/
SH256 hash:
328d2afddbe8e9235437788706f4a64f193d0aad020e695daa2a4afd8f09c475
MD5 hash:
d81b35a76ff630de9f6b769d9f257580
SHA1 hash:
9b418b51583de0bd6d4d9d38b0c908eb5a6f93a7
Link:
https://www.unpac.me/results/16add8c2-329f-466b-baaa-6eb347c9785c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/328d2afddbe8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/328d2afddbe8e9235437788706f4a64f193d0aad020e695daa2a4afd8f09c475

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/272195/

Comments