MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a51730f5d9e67072e013a6afb4e373bdf67eafe14f852f3d28b6d69cb02a83f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a51730f5d9e67072e013a6afb4e373bdf67eafe14f852f3d28b6d69cb02a83f
SHA3-384 hash: 6ee5db72a0de50b30ce42bc4f5f742045fd4f942f5a44df851a32f9102fd084e5aa588e1f55626d6e83e7e86c91e6169
SHA1 hash: 8b014947be45252a09119e66723910a575bf7899
MD5 hash: 94aaf99194581a21c2131d6d82942891
humanhash: purple-single-triple-alaska
File name:FV-083471-23-02-22-269407·pdf.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:332'784 bytes
First seen:2023-02-20 12:55:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 6144:NwK5v3HlqvqK/inUJG2f5ps0PIPjYEdwQ3f6Q5XumSztpWKIpl4Fen/cD:Hflqv1AUM65ps0PI7zLfQpoKIpWkns
Threatray 563 similar samples on MalwareBazaar
TLSH T12664137136ACD087C41745F02D77DBA2732AFAA23042570F17A93F7BFA21651CA0E566
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 71f8e4ececf0f871 (1 x NanoCore, 1 x AveMariaRAT)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-04T08:08:55Z
Valid to:2025-10-03T08:08:55Z
Serial number: 6a7283b1ce2fce07e41306e22e50872d757862a9
Thumbprint Algorithm:SHA256
Thumbprint: ff6408ff546a23fc1e0445165061b09bc26aa485b039069b4c0d075c22894109
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
AveMariaRAT C2:
79.134.225.96:2345

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FV-083471-23-02-22-269407·pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-02-20 12:56:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b67236f2-7559-437d-bde4-5f36799d7973

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368425/
Detection(s):
SecuriteInfo.com.Adware.Downware.19579.26308.2454.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Creating a file in the %temp% subdirectories
Searching for synchronization primitives
Сreating synchronization primitives
Delayed reading of the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/71846/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
buer overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63f36de4b53d126ad263485c/reports/73271ac3-c92d-4acc-9639-92dcfd4110f8/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/3a51730f5d9e67072e013a6afb4e373bdf67eafe14f852f3d28b6d69cb02a83f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2509e8ea-9a34-4b1e-8a13-4103a8acc8b3
Result
Threat name:
AveMaria, GuLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1179210
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates files in alternative data streams (ADS)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect Any.run
Yara detected AveMaria stealer
Yara detected GuLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 11569 Sample: FV-083471-23-02-22-269407#U... Startdate: 20/02/2023 Architecture: WINDOWS Score: 100 70 googlehosted.l.googleusercontent.com 2->70 72 drive.google.com 2->72 74 doc-0o-8g-docs.googleusercontent.com 2->74 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 Yara detected GuLoader 2->84 86 5 other signatures 2->86 12 FV-083471-23-02-22-269407#U00b7pdf.exe 1 33 2->12         started        16 Windows.exe 20 2->16         started        signatures3 process4 file5 62 C:\Users\user\AppData\Local\...\System.dll, PE32 12->62 dropped 64 C:\Users\...\Microsoft.Practices.Unity.dll, PE32 12->64 dropped 96 Drops PE files to the document folder of the user 12->96 98 Drops script or batch files to the startup folder 12->98 100 Adds a directory exclusion to Windows Defender 12->100 18 FV-083471-23-02-22-269407#U00b7pdf.exe 5 14 12->18         started        66 C:\Users\user\AppData\Local\...\System.dll, PE32 16->66 dropped 102 Tries to detect Any.run 16->102 23 Windows.exe 2 8 16->23         started        signatures6 process7 dnsIp8 76 drive.google.com 142.250.186.142, 443, 49806, 49816 GOOGLEUS United States 18->76 78 googlehosted.l.googleusercontent.com 216.58.212.161, 443, 49807, 49817 GOOGLEUS United States 18->78 52 C:\Users\user\Documents\Windows.exe, PE32 18->52 dropped 54 C:\Users\user\...\Documents:ApplicationData, PE32 18->54 dropped 56 C:\Users\user\...\Windows.exe:Zone.Identifier, ASCII 18->56 dropped 58 2 other malicious files 18->58 dropped 88 Creates files in alternative data streams (ADS) 18->88 90 Adds a directory exclusion to Windows Defender 18->90 92 Tries to detect Any.run 18->92 94 2 other signatures 18->94 25 Windows.exe 20 18->25         started        28 powershell.exe 23 18->28         started        30 cmd.exe 23->30         started        file9 signatures10 process11 file12 60 C:\Users\user\AppData\Local\...\System.dll, PE32 25->60 dropped 32 WerFault.exe 21 16 25->32         started        34 conhost.exe 28->34         started        36 sdclt.exe 30->36         started        38 conhost.exe 30->38         started        40 sdclt.exe 30->40         started        42 sdclt.exe 30->42         started        process13 process14 44 control.exe 36->44         started        process15 46 Windows.exe 44->46         started        file16 68 C:\Users\user\AppData\Local\...\System.dll, PE32 46->68 dropped 104 Tries to detect Any.run 46->104 50 Windows.exe 46->50         started        signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a51730f5d9e67072e013a6afb4e373bdf67eafe14f852f3d28b6d69cb02a83f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-20 12:56:08 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
10 of 25 (40.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hjixgd25tztqolqbhjvpwtrxhppwp2x6ct4ff46srnwwtsycva7q._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
136f87c6d9a1b61c87ba550c7f550e54d66a1b51dab1c803c43705f178ed9e55
AveMariaRAT
4f93f4cec712117b9e8bd20f079e8086b6358f0d0b2738a8a448dbdf9fc3db3c
AveMariaRAT
635aff002f09930542b741c8e5ae7e6ed57b4cacf793dabb96a2df3397a8a945
AveMariaRAT
723ff97e6559f6558c288ca693898592a21aab28c003883ca13b81667d7e3aef
AveMariaRAT
be0fa67ce465f9ae26a1ed20ddb104f2731cd3b717b2df0f469937b2d88b57cb
AveMariaRAT
c8b995746f09979fc1ccd83a08dab8913aa88b9036b584cc60d72029e867dd1d
AveMariaRAT
d6e26fa2f4dcfe5a112c21fb851f626aa7ee8e9f6cac73bd27f927b054f7182d
AveMariaRAT
f83914dd2ce0c31fda44574ae93ecdd188e9e974d0a45b619b03db7e3d279208
AveMariaRAT
+ 553 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:warzonerat downloader evasion infostealer persistence rat upx
Link:
https://tria.ge/reports/230220-p6cgvaae4z/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Checks QEMU agent file
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
UPX packed file
Modifies Windows Firewall
Sets DLL path for service in the registry
Guloader,Cloudeye
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
MD5 hash:
fbe295e5a1acfbd0a6271898f885fe6a
SHA1 hash:
d6d205922e61635472efb13c2bb92c9ac6cb96da
Link:
https://www.unpac.me/results/bdf94428-f4e2-4de6-8e18-321ac8c596fd/
SH256 hash:
26fd86db5c1e2e4dd0f3b8e7f2a660d3db1d9b655e0ca3a9c378e86b8f4ae2f6
MD5 hash:
361d0f64fc402d9954e6822114831e0e
SHA1 hash:
1527500cff14fcbc0f83fe27c8a4bd3f7cf0eaea
Link:
https://www.unpac.me/results/bdf94428-f4e2-4de6-8e18-321ac8c596fd/
SH256 hash:
3a51730f5d9e67072e013a6afb4e373bdf67eafe14f852f3d28b6d69cb02a83f
MD5 hash:
94aaf99194581a21c2131d6d82942891
SHA1 hash:
8b014947be45252a09119e66723910a575bf7899
Link:
https://www.unpac.me/results/bdf94428-f4e2-4de6-8e18-321ac8c596fd/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3a51730f5d9e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.03
Link:
https://yomi.yoroi.company/submissions/3a51730f5d9e67072e013a6afb4e373bdf67eafe14f852f3d28b6d69cb02a83f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/368425/

Comments