MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4138d92e4af5e1c1b49d654c8a55c5c759261e2d4108c6ef6b4308f9ba8b0355. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4138d92e4af5e1c1b49d654c8a55c5c759261e2d4108c6ef6b4308f9ba8b0355
SHA3-384 hash: 900dd27001dc89c6eefded381cd2ed02a9cb5c0e4d1c268d9cbf82bd7817e9a49f6885104b99b80d40b61710427e4f4b
SHA1 hash: 44cb222b665555d6828448fd57d4f874b4bc83de
MD5 hash: b654cebe75c5ef7192f63ca3bc3b11f0
humanhash: bakerloo-texas-connecticut-sad
File name:XE9986560000000.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:509'193 bytes
First seen:2023-11-09 06:56:36 UTC
Last seen:2023-11-09 08:17:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 40 x GuLoader, 26 x RemcosRAT)
ssdeep 12288:/nPdcH9wZoZLLZD78RWDSDsuZaSDJGU1jLAiJ:PPdG9wZotZFDZuZzvLAu
TLSH T1BFB42385C3E9E9F6D491C77809BAA9730B8A201605D9AF0E13843DAE7873653D50FB4F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter abuse_ch
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
323
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.30409.11508.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/654c82c8641154c7e3efc53d/reports/a0569395-0b3d-4a12-b516-1d0e70554fe6/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/4138d92e4af5e1c1b49d654c8a55c5c759261e2d4108c6ef6b4308f9ba8b0355
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
OceanLotus
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc69a842-0629-4df8-87f8-1c75aed1b3b9
Result
Threat name:
NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1339502
Signature
Antivirus / Scanner detection for submitted sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4138d92e4af5e1c1b49d654c8a55c5c759261e2d4108c6ef6b4308f9ba8b0355
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4138d92e4af5e1c1b49d654c8a55c5c759261e2d4108c6ef6b4308f9ba8b0355/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-10-08 17:13:59 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ie4nslsk6xq4dne5mvgiuvofy5msmhrnieemn33limeptoulankq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231109-hqya2sgb2t/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
938b7f494490b69ca6c74096ce087c57bf702797131bbfe3846e8dbc06d246ae
MD5 hash:
7643126c67568ecc8396748b2116dd3d
SHA1 hash:
d9422c15c9ccffff82fe818d8f5057075ef3a8cc
Link:
https://www.unpac.me/results/84b1b979-a4f8-4ba0-86ae-cf4d6d71531d/
SH256 hash:
4138d92e4af5e1c1b49d654c8a55c5c759261e2d4108c6ef6b4308f9ba8b0355
MD5 hash:
b654cebe75c5ef7192f63ca3bc3b11f0
SHA1 hash:
44cb222b665555d6828448fd57d4f874b4bc83de
Link:
https://www.unpac.me/results/84b1b979-a4f8-4ba0-86ae-cf4d6d71531d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4138d92e4af5e1c1b49d654c8a55c5c759261e2d4108c6ef6b4308f9ba8b0355

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 4138d92e4af5e1c1b49d654c8a55c5c759261e2d4108c6ef6b4308f9ba8b0355

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments