MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 496474c14635d8ec7b918d4faf166a7855da8a64b2765dceff976abbf4eebbc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 11

SHA256 hash: 496474c14635d8ec7b918d4faf166a7855da8a64b2765dceff976abbf4eebbc3
SHA3-384 hash: 732465b292c010b47ea10783a9d312371232749c8e709648761f25b4f9aac4aa349dbdd224f652db4dc9757091119394
SHA1 hash: 3042786fec3f28fca100233fd435e1ab6eab1a1c
MD5 hash: 5500251b84167799590acec67a9a149a
humanhash: three-march-early-tennessee
File name: Allaire Project -RFQ-FA2232023.exe
Signature: AveMariaRAT
File size: 1'222'656 bytes
First seen: 2023-02-24 21:01:37 UTC
Last seen: 2023-02-27 11:11:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 24576:velFi24xfIUyAz9HVmcCLQtyRflRbr6sO+t+WebXb:s6xfVdVmcvCfrblO+7ebXb
TLSH: T13745D008EA70132ADB9BFAB57510215F6EE1B9913720DBBDE7C534F492007B5E2884ED
TrID:
  63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  11.2% (.SCR) Windows screen saver (13097/50/3)
  9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: TeamDreier
Tags: AveMariaRAT exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 225
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Allaire Project -RFQ-FA2232023.exe
Verdict: Suspicious activity
Analysis date: 2023-02-24 21:03:58 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name:
Detection: malicious
Classification: troj
Score: 72 / 100
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Yara detected zgRAT
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-02-24 14:35:34 UTC
File Type: PE (.Net Exe)
Extracted files: 53
AV detection: 20 of 25 (80.00%)
Threat level: 5/5
Verdict: malicious
Label(s): avemaria

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: AveMariaRAT
Executable exe 496474c14635d8ec7b918d4faf166a7855da8a64b2765dceff976abbf4eebbc3 (this sample)
Delivery method: Distributed via e-mail attachment