MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48a3b4c4a19c3edc85071280654e61f9396a2e7d486ac784a020769d0adc1ff9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48a3b4c4a19c3edc85071280654e61f9396a2e7d486ac784a020769d0adc1ff9
SHA3-384 hash: c3bb35d01cc571ba6dbc102837d8f6ef7a62b9b085f56b30e3e4da73563ee2c4a90c065d6612c8a20361089a7043b701
SHA1 hash: 94d671b954a6aaf8293380c6fd731323e8f641ea
MD5 hash: 32e5edda716c1ef6c4273ce6284da8e3
humanhash: fillet-oklahoma-idaho-hawaii
File name:INVOICE-A2MG PF220559.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:734'720 bytes
First seen:2022-04-07 10:33:48 UTC
Last seen:2022-04-07 11:07:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:qJUD25E0ZQK1nVgzHigpSroCHeWLv+ufGpWt6KxV8r5:qBE2VgzCgpbCHzpG8t6KXo
Threatray 8'466 similar samples on MalwareBazaar
TLSH T147F4121EF7BBE912C2B10F3BE7D116245BB1E685D522DF169ECD12E82A077930F41682
File icon (PE):PE icon
dhash icon b2cccccce8b2b28a (21 x AgentTesla, 14 x Formbook, 11 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:AveMariaRAT exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE-A2MG PF220559.exe
Verdict:
Malicious activity
Analysis date:
2022-04-07 10:41:49 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/f7415c00-ceb5-4545-aa6a-c034f533fc76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/261692/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.23680.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe fareit obfuscated packed
Link:
https://www.filescan.io/uploads/624ebe1bd53a7479dacd1529/reports/8ba8d76f-7687-43b0-a1b3-51342fc9caad/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8def5116-00fc-4995-9eeb-c3e930a9554f
Result
Threat name:
AveMaria Clipboard Hijacker Snake Keylog
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/972295
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Clipboard Hijacker
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 604783 Sample: INVOICE-A2MG PF220559.exe Startdate: 07/04/2022 Architecture: WINDOWS Score: 100 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Antivirus detection for dropped file 2->84 86 16 other signatures 2->86 10 INVOICE-A2MG PF220559.exe 3 2->10         started        13 BTC STEALER.exe 2->13         started        15 BTC STEALER.exe 2->15         started        17 BTC STEALER.exe 2->17         started        process3 file4 62 C:\Users\...\INVOICE-A2MG PF220559.exe.log, ASCII 10->62 dropped 19 INVOICE-A2MG PF220559.exe 4 10->19         started        process5 file6 54 C:\Users\user\AppData\Local\...\warpoison.exe, PE32 19->54 dropped 56 C:\Users\user\AppData\...\nerronewsn.exe, PE32 19->56 dropped 58 C:\Users\user\AppData\...\BTC STEALER.exe, PE32 19->58 dropped 22 warpoison.exe 4 4 19->22         started        26 nerronewsn.exe 15 2 19->26         started        29 BTC STEALER.exe 1 11 19->29         started        process7 dnsIp8 60 C:\ProgramData\windowsupdater.exe, PE32 22->60 dropped 88 Antivirus detection for dropped file 22->88 90 Multi AV Scanner detection for dropped file 22->90 92 Machine Learning detection for dropped file 22->92 102 6 other signatures 22->102 31 windowsupdater.exe 22->31         started        35 cmd.exe 22->35         started        37 powershell.exe 25 22->37         started        64 checkip.dyndns.com 193.122.130.0, 49725, 80 ORACLE-BMC-31898US United States 26->64 66 freegeoip.app 188.114.97.7, 443, 49727 CLOUDFLARENETUS European Union 26->66 68 checkip.dyndns.org 26->68 94 May check the online IP address of the machine 26->94 96 Tries to steal Mail credentials (via file / registry access) 26->96 98 Tries to harvest and steal ftp login credentials 26->98 100 Tries to harvest and steal browser information (history, passwords, etc) 26->100 file9 signatures10 process11 dnsIp12 70 76.8.53.133, 1198, 49735, 49760 QUONIXNETUS United States 31->70 72 Antivirus detection for dropped file 31->72 74 Multi AV Scanner detection for dropped file 31->74 76 Machine Learning detection for dropped file 31->76 78 7 other signatures 31->78 39 powershell.exe 31->39         started        41 cmd.exe 31->41         started        43 reg.exe 35->43         started        46 conhost.exe 35->46         started        48 conhost.exe 37->48         started        signatures13 process14 signatures15 50 conhost.exe 39->50         started        52 conhost.exe 41->52         started        104 Creates an undocumented autostart registry key 43->104 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48a3b4c4a19c3edc85071280654e61f9396a2e7d486ac784a020769d0adc1ff9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-07 10:34:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jcr3jrfbtq7nzbihckagkttb7e4wult5jbvmpbfaeb3j2cw4d74q._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
213d220d21939cba114f6afcc4bc672d28bb416075db96a81635f22dccfdc829
AveMariaRAT
29a4c97029dcf52e73bb65d748d1fd6194c5f7f72fe8c272320bbe38636e0f3a
AveMariaRAT
3e61ff7da9c135135af8936d7fb362a285b02c6431c8614eda55d2cce3bf3ff7
AveMariaRAT
4b1532fa6483dfb4194a1f3fbf583f511caea6035f61e9ffad798bd58981f5a8
AveMariaRAT
94fd8c7b7935c64a7ed46794b3b5597800ae02715d5d0d95df19b208dc0d98fb
AveMariaRAT
c7b9caa8ed91068cdc627c8e72f9ecb6f71d4c99b16e930d4875bc283bb25529
AveMariaRAT
cc20314107f1e2d9f2952d28176893e1123dfa3f44bd1b089a9477b60dcf5b3f
AveMariaRAT
fb55340ef36d5bfae56dd84e51b9aff7996ab7428fd1fcbe53dfb8fdcda244e8
AveMariaRAT
fdcb93d14d249d6970c9f7374eb95190af62db72b5555c48d23a3af20902b682
AveMariaRAT
+ 8'456 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:warzonerat collection infostealer keylogger persistence rat spyware stealer
Link:
https://tria.ge/reports/220407-ml33ysehd7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
76.8.53.133:1198
Unpacked files
SH256 hash:
d185986cb9b369a5f5d641c80d09adc878771b33ab020879629fb570c2cd7cec
MD5 hash:
755b1262aa6b3a6b267b41580c7e8972
SHA1 hash:
b2f0f7293cf7162895df2976eecfc1084eeba2fc
Link:
https://www.unpac.me/results/499c141f-fd12-4569-812b-a02a8cb5b1d3/
SH256 hash:
321c0146561f0448a08d290535bdcc7e8fb606648ab6b5be5330e7fdc2866427
MD5 hash:
2c97c34c375bd1fe92a6ff4c272c2096
SHA1 hash:
af1b4c20af78ce0247d69a8bddaa6234a02692ef
Link:
https://www.unpac.me/results/499c141f-fd12-4569-812b-a02a8cb5b1d3/
SH256 hash:
bf3f9d3358d5d0ce6be79391b08d3103dd03d70578418f76ac37598a41ad0363
MD5 hash:
7aa35de50be7fd7d372cef8d35241901
SHA1 hash:
ca6bf1b5b451161ed8ad3dc09c68c5ff938251aa
Link:
https://www.unpac.me/results/499c141f-fd12-4569-812b-a02a8cb5b1d3/
SH256 hash:
bd71e4d45286f69235969e403994c341d0e7ece78c55517645ca78f2e2565f19
MD5 hash:
a2933bfe5490899a30002cc66d851837
SHA1 hash:
b7562ec6077ed6f983d6ffd6336c829b65b94d83
Link:
https://www.unpac.me/results/499c141f-fd12-4569-812b-a02a8cb5b1d3/
SH256 hash:
e11871df824c3130e35f2c94d672404e18ebefddf3172d166f2e640ad3686c73
MD5 hash:
4379771ccd9b927712ef2505214161df
SHA1 hash:
6636b7b80e279de67c60b52277f566463afebf8e
Link:
https://www.unpac.me/results/499c141f-fd12-4569-812b-a02a8cb5b1d3/
SH256 hash:
5239f8296f92b8312749e563ec4292f84cce32aa9fc65e62da42b4feebca4669
MD5 hash:
f5a93877c0aae3970485fffc9f74a2d5
SHA1 hash:
5dac63118b6fbc01568d66e74cea22a4734bcbc0
Link:
https://www.unpac.me/results/499c141f-fd12-4569-812b-a02a8cb5b1d3/
SH256 hash:
4ed3c116cd9e875131f14d9dfef6dc345192d0b245615536da1cfabc893e3275
MD5 hash:
37551bca5a31bf04580585fb78bb460a
SHA1 hash:
d6020915fb1061775a6e36c5d5f22e1e974af70e
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/499c141f-fd12-4569-812b-a02a8cb5b1d3/
Parent samples :
adbaaaedf5553fca319364ec9f2685b546fdc135352e96654c692b12e7cd40ed
3c5a74d08899cdb6dfd22c6cbe02972d57bba3642baa8bf00ce87f884fb97086
e9ac72abe09539d39453d6370227fb6b584ded9ea8dc79fe889d206d2f661acd
48a3b4c4a19c3edc85071280654e61f9396a2e7d486ac784a020769d0adc1ff9
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/499c141f-fd12-4569-812b-a02a8cb5b1d3/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/499c141f-fd12-4569-812b-a02a8cb5b1d3/
SH256 hash:
48a3b4c4a19c3edc85071280654e61f9396a2e7d486ac784a020769d0adc1ff9
MD5 hash:
32e5edda716c1ef6c4273ce6284da8e3
SHA1 hash:
94d671b954a6aaf8293380c6fd731323e8f641ea
Link:
https://www.unpac.me/results/499c141f-fd12-4569-812b-a02a8cb5b1d3/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/48a3b4c4a19c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48a3b4c4a19c3edc85071280654e61f9396a2e7d486ac784a020769d0adc1ff9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 48a3b4c4a19c3edc85071280654e61f9396a2e7d486ac784a020769d0adc1ff9

(this sample)

  
Dropped by
snakekeylogger
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/261692/

Comments