MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44bcfeba9debc5478934ba33fcda33194a2bfc1260acb0a6bd2c6832cd4e0522. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44bcfeba9debc5478934ba33fcda33194a2bfc1260acb0a6bd2c6832cd4e0522
SHA3-384 hash: 0eb87b8081acc8321c70af069524269f1d751672467378bd25588bb2d5f919ae9cb51adc1e75095c064a2777967168c4
SHA1 hash: 9e387cd7bb8ef6260e92c665713032c24ca6f1e5
MD5 hash: d5df407520eb83cd5b2dabd81c88d213
humanhash: fix-east-golf-kansas
File name:Caso2021113069001049.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:378'880 bytes
First seen:2022-05-25 03:23:38 UTC
Last seen:2022-05-25 11:19:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 384:4U/i2CdfUxTYB+0Jmn06CjFN8P3YsU6fCWYA8S/hs/E8sofOh/Q0RbnqyGt/Qz2p:jKhSdM8sScz9Apqn+7
Threatray 19'427 similar samples on MalwareBazaar
TLSH T141846C063384CF25C51F15B6C8A3C2F81327BE00DD459BDB76C9FF2A79B22AA6951583
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0f519373d9cc750b (107 x AgentTesla, 20 x AveMariaRAT, 5 x Formbook)
Reporter GovCERT_CH
Tags:AveMariaRAT exe WarzoneRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
Caso2021113069001049.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 03:39:57 UTC
Tags:
trojan stealer rat avemaria loader warzone
Link:
https://app.any.run/tasks/9f165d7b-20de-4924-a800-9ea42bd1915b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274323/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed strictor
Link:
https://www.filescan.io/uploads/628da161dbc0312ea2aedd9a/reports/20d33c51-69b6-4b31-85e6-101d2dcdac16/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5250dd0-1b07-405c-86ca-7c2384acba90
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001227
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected Generic Downloader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 633720 Sample: Caso2021113069001049.exe Startdate: 25/05/2022 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic 2->64 66 Multi AV Scanner detection for domain / URL 2->66 68 Found malware configuration 2->68 70 12 other signatures 2->70 9 Caso2021113069001049.exe 16 7 2->9         started        14 Lzqhyh.exe 14 3 2->14         started        16 Lzqhyh.exe 3 2->16         started        process3 dnsIp4 60 2.56.57.85, 49726, 49751, 49752 GBTCLOUDUS Netherlands 9->60 54 C:\Users\user\AppData\Roaming\...\Lzqhyh.exe, PE32 9->54 dropped 56 C:\Users\...\Caso2021113069001049.exe.log, ASCII 9->56 dropped 80 Writes to foreign memory regions 9->80 82 Allocates memory in foreign processes 9->82 84 Injects a PE file into a foreign processes 9->84 18 InstallUtil.exe 3 19 9->18         started        23 cmd.exe 1 9->23         started        62 192.168.2.1 unknown unknown 14->62 86 Multi AV Scanner detection for dropped file 14->86 25 cmd.exe 14->25         started        27 cmd.exe 16->27         started        file5 signatures6 process7 dnsIp8 58 2.56.56.114, 49753, 49756, 80 GBTCLOUDUS Netherlands 18->58 50 C:\Users\user\AppData\Roaming\nnBkfhdHx.exe, PE32 18->50 dropped 52 C:\Users\user\AppData\Local\...\dl[1].exe, PE32 18->52 dropped 72 Contains functionality to inject threads in other processes 18->72 74 Contains functionality to steal Chrome passwords or cookies 18->74 76 Contains functionality to steal e-mail passwords 18->76 78 4 other signatures 18->78 29 nnBkfhdHx.exe 14 3 18->29         started        32 conhost.exe 23->32         started        34 timeout.exe 1 23->34         started        36 conhost.exe 25->36         started        38 timeout.exe 25->38         started        40 conhost.exe 27->40         started        42 timeout.exe 27->42         started        file9 signatures10 process11 signatures12 88 Antivirus detection for dropped file 29->88 90 Multi AV Scanner detection for dropped file 29->90 92 Machine Learning detection for dropped file 29->92 44 cmd.exe 29->44         started        process13 process14 46 conhost.exe 44->46         started        48 timeout.exe 44->48         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/44bcfeba9debc5478934ba33fcda33194a2bfc1260acb0a6bd2c6832cd4e0522/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 01:33:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
8 of 41 (19.51%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=is6p5ou55pcupcjuxiz7zwrtdffcx7asmcwlbjv5frudftkoaura._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
avemaria
Create hunting rule
Similar samples:
1634ba6c1fa74312f9bbb7b90c420a48908fed1def489d92fdcd1f3cde1cabf8
AveMariaRAT
244b3ee6e55774e4fa3c572494f920918cce6d79f848fef95c09cd413bae95c7
AveMariaRAT
2fffd654cfb99120026283e06b5e19c7e83c28bd66b6a7f895fef5a99c882f20
AveMariaRAT
4053206d66d627d145d9da8d8e208d08c85755036a5393ccc6e8afd6117df864
AveMariaRAT
68d46304889cdb54c2ca6624cdda1e7a67b570e16b6e9ba23d9fb17c31ffc184
AveMariaRAT
783a0ab9ef1ce64fb9390ad9906cdeed76cf978b36c0f5eedbc9e2b18a0ad8da
AveMariaRAT
a24cd03357921c77bf5e10a36f1ce1bff9fe496a12e21a402d4f66ccf977cfc7
AveMariaRAT
bf22348207105ae1af6bbeb0dae03f550489883ecfac5cb90abbcbd55608cf3b
AveMariaRAT
f98c4a3a0ceffdc495bd65f7f2810bc1ca4a9c16d1f4909f108a13791c2b304c
AveMariaRAT
+ 19'417 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:warzonerat collection infostealer keylogger persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220525-dx2jtscabq/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
AgentTesla Payload
Warzone RAT Payload
AgentTesla
WarzoneRat, AveMaria
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
2.56.57.85:56925
https://api.telegram.org/bot1749457201:AAGWIY2QPzrHZIumAIUsWjyRAEWcJrauccY/sendDocument
Unpacked files
SH256 hash:
44bcfeba9debc5478934ba33fcda33194a2bfc1260acb0a6bd2c6832cd4e0522
MD5 hash:
d5df407520eb83cd5b2dabd81c88d213
SHA1 hash:
9e387cd7bb8ef6260e92c665713032c24ca6f1e5
Link:
https://www.unpac.me/results/01057b5d-d459-4fcc-a159-1dd163b2ce9a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/44bcfeba9debc5478934ba33fcda33194a2bfc1260acb0a6bd2c6832cd4e0522

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 44bcfeba9debc5478934ba33fcda33194a2bfc1260acb0a6bd2c6832cd4e0522

(this sample)

  
Dropped by
warzonerat
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274323/

Comments