MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ac1be1ee3013db4347de3cfff22c2a030fcca769ee918ba6c4585e38e43c05a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ac1be1ee3013db4347de3cfff22c2a030fcca769ee918ba6c4585e38e43c05a
SHA3-384 hash: 5f6eb1c89e5c06e88bbe0721fa32fd33ed41637ed81eb764f7d580094f521b7dfc9bab03f7dab8ed48d6ef210824d4f3
SHA1 hash: 98149090fb2e8ba7bd1db007a6a1b89a59786c57
MD5 hash: e7d6aaee7ccc60273b1a7cd7a8142990
humanhash: december-ten-orange-blue
File name:Pyuocuaciwkzcgnbgekomyddfwoonhzxzg.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:725'504 bytes
First seen:2021-08-17 08:13:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 23820aba24c2be0acaa9e8720fdc4001 (1 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 12288:4iH+k1z45HbkeuKwYCBt+e2vtarxy7dS2WivoUA:4iboHYeUuVAmLDA
Threatray 1'468 similar samples on MalwareBazaar
TLSH T135F48C66E9AE6AF3E13622BD5D379541E818BD012E243DC43FB4396C4E35981362F0DB
dhash icon 0125244463ed9d17 (1 x RemcosRAT, 1 x AveMariaRAT)
Reporter GovCERT_CH
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pyuocuaciwkzcgnbgekomyddfwoonhzxzg.exe
Verdict:
Malicious activity
Analysis date:
2021-08-17 08:14:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/98e99f82-a523-4e20-93b5-1c0e62ab0500

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179888/
Detection(s):
Win.Packed.Zbot-9849940-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Deleting a recently created file
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4b2f556-7e95-4b63-89da-050b3fa5809b
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834170
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 466601 Sample: Pyuocuaciwkzcgnbgekomyddfwo... Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 44 latua.nsupdate.info 2->44 54 Multi AV Scanner detection for domain / URL 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 6 other signatures 2->60 9 Pyuocuaciwkzcgnbgekomyddfwoonhzxzg.exe 1 24 2->9         started        14 Pyuocua.exe 13 2->14         started        16 Pyuocua.exe 13 2->16         started        signatures3 process4 dnsIp5 48 latua.nsupdate.info 9->48 50 cdn.discordapp.com 162.159.133.233, 443, 49703, 49704 CLOUDFLARENETUS United States 9->50 42 C:\Users\Public\Libraries\...\Pyuocua.exe, PE32 9->42 dropped 70 Writes to foreign memory regions 9->70 72 Allocates memory in foreign processes 9->72 74 Creates a thread in another existing process (thread injection) 9->74 18 mshta.exe 3 2 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        52 162.159.130.233, 443, 49711 CLOUDFLARENETUS United States 14->52 76 Multi AV Scanner detection for dropped file 14->76 78 Machine Learning detection for dropped file 14->78 80 Injects a PE file into a foreign processes 14->80 26 DpiScaling.exe 2 14->26         started        28 mobsync.exe 2 16->28         started        file6 signatures7 process8 dnsIp9 46 latua.nsupdate.info 194.5.97.69, 49708, 49713, 49716 DANILENKODE Netherlands 18->46 62 Contains functionality to inject threads in other processes 18->62 64 Contains functionality to steal Chrome passwords or cookies 18->64 66 Contains functionality to steal e-mail passwords 18->66 68 2 other signatures 18->68 30 reg.exe 1 22->30         started        32 conhost.exe 22->32         started        34 cmd.exe 1 24->34         started        36 conhost.exe 24->36         started        signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ac1be1ee3013db4347de3cfff22c2a030fcca769ee918ba6c4585e38e43c05a/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 03:09:00 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hla34hxdae63ind54ph76iwcuaypzstwt3urrotmiwc6hdsdybna._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
122ef85900670d4776f3afdbe676d59c23c4cd9944b9d392eb9a446b3bb40dde
AveMariaRAT
1ec80487df001c0f6d41a90bbe2451242977a6f36a276d6eefa8aef0f593ab6b
AveMariaRAT
37997c1eec37f3540a10458aa1e67be3cff20ef13feea966da82ec0f99f4fbc7
AveMariaRAT
5cbed2f8a5fdadbd99816c4c8792bd51a2db7479f80bf70409f0f257f942d0c9
AveMariaRAT
5f0161e643adfaeca9dc6918e8cc29fc85ecdcf6727afd601649068f1e36a814
AveMariaRAT
803ed954a2fbfa36e1b154d7b1b6b270021eb72583d5a876e5aaedd728c39cc7
AveMariaRAT
9b342770fe4594e3a6d22b0b8d50269f8c749fb6d43c4f22d6ba48ddbff23bb4
AveMariaRAT
af84cf642737e0b62537d9a78861cc129fbc0e68a34770cb70c6ccaa3f553687
AveMariaRAT
da31c02c004f7e04408dea6429c362b4870c87a99fb2ae8ace1dac200a7fce5d
AveMariaRAT
f69faea7165ab34da776a4afaeb59a46c6061f58d431bc231bbab76db9e2ec4c
AveMariaRAT
+ 1'458 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210817-jeygvl8psj/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
latua.nsupdate.info:5526
Unpacked files
SH256 hash:
795b2b5d6668147d7924ac96f90741ddc2a2b5003f455fb842b613a286fbf8fc
MD5 hash:
53011b69a7231aea23d66805a681144b
SHA1 hash:
e3d0d157e763c865e79ccc5bedc2fd5fd90413f7
Link:
https://www.unpac.me/results/6d1c9d0b-8e18-4f87-b2da-8b2fea09c5a4/
SH256 hash:
3ac1be1ee3013db4347de3cfff22c2a030fcca769ee918ba6c4585e38e43c05a
MD5 hash:
e7d6aaee7ccc60273b1a7cd7a8142990
SHA1 hash:
98149090fb2e8ba7bd1db007a6a1b89a59786c57
Link:
https://www.unpac.me/results/6d1c9d0b-8e18-4f87-b2da-8b2fea09c5a4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3ac1be1ee301/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ac1be1ee3013db4347de3cfff22c2a030fcca769ee918ba6c4585e38e43c05a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 3ac1be1ee3013db4347de3cfff22c2a030fcca769ee918ba6c4585e38e43c05a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/179888/

Comments