MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3abea4ab1fa4c8497722e9b58c5981fbc90fefe5a1d0bda707bdabfe3c1bdb1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 12



SHA256 hash: 3abea4ab1fa4c8497722e9b58c5981fbc90fefe5a1d0bda707bdabfe3c1bdb1f
SHA3-384 hash: cc0e0a46c537e63aca5898012ef42746177b979b3276b6f82099aedce88211526f45f8c75d538a3cf8205c9d06fe9d3e
SHA1 hash: 48ba9c1be52988de95bf1a2597fd573f96892895
MD5 hash: 4dbe71a4ca0eaea634ec73b4a82d32a9
humanhash: pluto-oranges-oregon-aspen
File name: Solicitud de Cotización (Ulatina) 15-03-23·pd.exe
Signature: AveMariaRAT
File size: 274'232 bytes
First seen: 2023-03-15 17:40:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep: 6144:GDOmbbC0309OSXjr2Z2UCEVSOuzAtf/QZv3z9jnnOldiUf:4bZ309//2HCEVNuzaf/QZvj1nki
Threatray: 453 similar samples on MalwareBazaar
TLSH: T18144226327B1C5BADA028374547ADE97CAF90AE489C2474383F4EC9F7D92BD3442E052
TrID:
47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: AveMariaRAT exe RAT signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: 2022-07-27T02:32:34Z
Valid to: 2025-07-26T02:32:34Z
Serial number: 28270636857a82b98cd13430a948ca97d199f469
Thumbprint Algorithm: SHA256
Thumbprint: 21ed298d90d0ad53329ad824667e207e8e9b40dfb9fdf9d7663bfaef1a4480cf
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
AveMariaRAT C2:
37.0.14.210:5689

Intelligence


File Origin
# of uploads: 1
# of downloads: 694
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Solicitud de Cotización (Ulatina) 15-03-23·pd.exe
Verdict: Malicious activity
Analysis date: 2023-03-15 17:42:44 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: buer overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AveMaria, GuLoader, UACMe
Detection: malicious
Classification: troj.evad.rans.phis.spyw.expl
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Drops PE files to the document folder of the user
Found potential ransomware demand text
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected GuLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph (rendered graph not recoverable; node labels summarised below):
Behavior Graph ID: 827323
Sample: Solicitud_de_Cotizaci#U00f3n_(Ulatina)_15-03-23#U00b7pd.exe
Startdate: 15/03/2023
Architecture: WINDOWS
Score: 100
Process chain: Solicitud_de_Cotizaci#U00f3n_(Ulatina)_15-03-23#U00b7pd.exe -> child instance of the same executable (also spawns powershell.exe) -> Windows.exe -> child Windows.exe (also spawns powershell.exe and cmd.exe) -> 7.exe -> netsh.exe; conhost.exe is started for each console process; a separate Windows.exe instance spawns WerFault.exe; rdpvideominiport.sys and 2 other processes also observed
Network: dnmpbczm0963fxtdplc.duckdns.org -> 37.0.14.210, port 5689 (WKD-ASIE, Netherlands); drive.google.com 142.250.184.238, port 443 (GOOGLEUS, United States); googlehosted.l.googleusercontent.com 142.250.185.129, port 443 (GOOGLEUS, United States); 127.0.0.1; 192.168.11.1, port 5351; 239.255.255.250, port 1900
Dropped files: System.Reflection.Emit.ILGeneration.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32); C:\Users\user\Documents\Windows.exe (PE32); C:\Users\user\...\Windows.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\softokn3.dll (PE32); C:\Users\user\AppData\Local\Temp\nss3.dll (PE32); C:\Users\user\AppData\Local\...\mozglue.dll (PE32); 6 other files (3 malicious)
Signatures attached to graph nodes: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Drops PE files to the document folder of the user; Adds a directory exclusion to Windows Defender; Tries to detect Any.run; Hides threads from debuggers; Increases the number of concurrent connection per server for Internet Explorer; Hides user accounts; Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; Antivirus detection for dropped file; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
Threat name: Win32.Trojan.NsisInject
Status: Malicious
First seen: 2023-03-15 17:41:06 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 10 of 24 (41.67%)
Threat level: 5/5

Result
Malware family: warzonerat
Score: 10/10
Tags: family:guloader family:warzonerat downloader evasion infostealer persistence rat upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Checks QEMU agent file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Modifies Windows Firewall
Warzone RAT payload
Guloader,Cloudeye
WarzoneRat, AveMaria
Malware Config
C2 Extraction: dnmpbczm0963fxtdplc.duckdns.org:5689

Unpacked files
SHA256 hash: a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
MD5 hash: b0c77267f13b2f87c084fd86ef51ccfc
SHA1 hash: f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256 hash: 3abea4ab1fa4c8497722e9b58c5981fbc90fefe5a1d0bda707bdabfe3c1bdb1f
MD5 hash: 4dbe71a4ca0eaea634ec73b4a82d32a9
SHA1 hash: 48ba9c1be52988de95bf1a2597fd573f96892895
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments