MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 340f0655a6116d320d4da4ef6ba33f8cbd87a1ede8809abef13a03d481f0213f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 340f0655a6116d320d4da4ef6ba33f8cbd87a1ede8809abef13a03d481f0213f
SHA3-384 hash: fdc7dc3c3a38d949fb7ab9a4fb5df692381b1eb95f32c40bbb7dd4b523e8f1fa4d4d5a8ca1f643300fd12149029cc464
SHA1 hash: 209d0b4bf289b23f2d950aaa2f32c5211cd03b27
MD5 hash: 046de9015122abc86b95fda3f5d2a315
humanhash: magnesium-kentucky-edward-kitten
File name:kybbytjln.ps1
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:208'216 bytes
First seen:2025-05-07 10:05:56 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3072:fjLSoQt+ggVicyoKtFSRoAbSirqVE8kKM+138CcC4Jgcxb0drP/zo402Z2DYi64O:fihFCizcanimlM+138CcC47xqToLcB7
TLSH T19E149FFB63916D9F4C1C0BA1F520434A5C189DCFE1ECC2F17A93A4BD468A454A6A4EFC
Magika txt
Reporter JAMESWT_WT
Tags:ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Base64.Reverser.6800.4098.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681b311391991ead82b5c1ff
Tags:
trojan virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated
Link:
https://www.filescan.io/uploads/681b309bd95f3e34e962ddd6/reports/c2cd9eb0-182a-46c8-81ba-3f22e6c2c572/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/340f0655a6116d320d4da4ef6ba33f8cbd87a1ede8809abef13a03d481f0213f
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1683120
Signature
AI detected malicious Powershell script
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1683120 Sample: kybbytjln.ps1 Startdate: 07/05/2025 Architecture: WINDOWS Score: 52 16 AI detected malicious Powershell script 2->16 18 Joe Sandbox ML detected suspicious sample 2->18 6 powershell.exe 26 2->6         started        9 svchost.exe 1 1 2->9         started        process3 dnsIp4 20 Loading BitLocker PowerShell Module 6->20 12 conhost.exe 6->12         started        14 127.0.0.1 unknown unknown 9->14 signatures5 process6
Score:
96%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/340f0655a6116d320d4da4ef6ba33f8cbd87a1ede8809abef13a03d481f0213f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/340f0655a6116d320d4da4ef6ba33f8cbd87a1ede8809abef13a03d481f0213f/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-07 10:05:46 UTC
File Type:
Text
AV detection:
5 of 37 (13.51%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gqhqmvngcfwtedknutxwxiz7rs6ypipn5cajvpxrhib5japqee7q._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
execution
Link:
https://tria.ge/reports/250507-l4869azxgz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/340f0655a6116d320d4da4ef6ba33f8cbd87a1ede8809abef13a03d481f0213f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule
Rule name:SUSP_Reversed_Base64_Encoded_EXE_RID3291
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

PowerShell (PS) ps1 340f0655a6116d320d4da4ef6ba33f8cbd87a1ede8809abef13a03d481f0213f

(this sample)

AveMariaRAT

Executable exe d7139148bedd5084d0a085ba804e0d30540bf1adb6ec50edadea46426bdcc6ab

  
URLhaus
https://urlhaus.abuse.ch/url/3537706/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 d7139148bedd5084d0a085ba804e0d30540bf1adb6ec50edadea46426bdcc6ab
  
Dropping
MD5 324ca3bcae43fe7db3c43a1e24d4e514

Comments