MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49cecc5851dc6ed4f7dfd13f91ade2941ea491cd7c08df9f3630de8de50e3fb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 12

SHA256 hash: 49cecc5851dc6ed4f7dfd13f91ade2941ea491cd7c08df9f3630de8de50e3fb4
SHA3-384 hash: b5df1460f65c86161fcad3a1a1c000b8f66288391141be46142eb6eddf98381d75f78f49e707d7d024d3925a56abb2cd
SHA1 hash: 5ddf66aec8de460d4dcd85845bd84ea5007d62ac
MD5 hash: 315ee22d17ea8ce5cbc0b443f1b5789c
humanhash: ceiling-mirror-spring-double
File name: Sandra-Wohl-Bewerbung-Anschreiben.exe
Signature: AveMariaRAT
File size: 101'888 bytes
First seen: 2022-10-19 02:39:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep: 1536:/7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf3w/OpJ0HWIYuOl:z7DhdC6kzWypvaQ0FxyNTBf3wOpF
Threatray: 2'974 similar samples on MalwareBazaar
TLSH: T1F9A38E41F3E102F7E6F2053100A6766F9736A2389724A8DBC74C3D929913AD5A63D3E9
TrID:
  37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 6cecccdcd4d0e8f0 (4 x AveMariaRAT, 1 x Smoke Loader, 1 x GuLoader)
Reporter: r3dbU7z
Tags: AveMariaRAT exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 251
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Sandra-Wohl-Bewerbung-Anschreiben.exe
Verdict: Malicious activity
Analysis date: 2022-10-19 06:36:28 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Forced system process termination
Launching a process
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Modifying a system executable file
Launching cmd.exe command interpreter
Launching a tool to kill processes
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Babadeda
Detection: malicious
Classification: troj.adwa.expl
Score: 96 / 100
Signature
Antivirus detection for dropped file
Drops PE files to the startup folder
Drops script or batch files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Yara detected Babadeda
Behaviour
Behavior Graph ID: 725782 (sample: Sandra-Wohl-Bewerbung-Ansch..., start date: 19/10/2022, architecture: WINDOWS, score: 96)
Graph signatures: Snort IDS alert for network traffic; Antivirus detection for dropped file; Yara detected Babadeda; 4 other signatures; Drops script or batch files to the startup folder; Uses cmd line tools excessively to alter registry or file data; Drops PE files to the startup folder
Process chain: Sandra-Wohl-Bewerbung-Anschreiben.exe -> cmd.exe, conhost.exe -> Sandra-Wohl-Bewerbung-Anschreiben.exe -> cmd.exe (many instances), conhost.exe -> reg.exe, Conhost.exe
Files dropped: C:\Users\user\AppData\Roaming\...\part1.bat (ASCII); C:\Users\user\AppData\...\Ransomware.exe (PE32); C:\configuration\5201.exe (PE32)
Network: 111.90.151.174, 49696, 49697, 49698, SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd, MY Malaysia
Threat name: Win32.Backdoor.Generic
Status: Suspicious
First seen: 2022-10-19 02:57:57 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 8 of 26 (30.77%)
Threat level: 5/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:eternity family:warzonerat evasion infostealer persistence ransomware rat trojan upx
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies Control Panel
Modifies registry class
NTFS ADS
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Sets desktop wallpaper using registry
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Modifies extensions of user files
UPX packed file
Warzone RAT payload
Eternity
Modifies Windows Defender Real-time Protection settings
Modifies security service
WarzoneRat, AveMaria
Malware Config
C2 Extraction: 111.90.151.174:5200
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256
Web download | AveMariaRAT | Executable exe | 49cecc5851dc6ed4f7dfd13f91ade2941ea491cd7c08df9f3630de8de50e3fb4 (this sample)

Delivery method: Distributed via web download

Comments