MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b1532fa6483dfb4194a1f3fbf583f511caea6035f61e9ffad798bd58981f5a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT
Vendor detections: 13

SHA256 hash: 4b1532fa6483dfb4194a1f3fbf583f511caea6035f61e9ffad798bd58981f5a8
SHA3-384 hash: 1fa215f66a2ee8e9bf28d78237bc56eaa2a9e29a6459f153122b6a778fda5d3543ee889cdb03f8e20117499921c24237
SHA1 hash: c57a04f187123a0e0e1930430593a78d8308a2b0
MD5 hash: b6fdc93520bea642974ef59099cd5177
humanhash: bravo-wyoming-enemy-three
File name: LETTER OF CREDIT-PNP PO-11698 SLUB INV REVISED.bat
Signature: AveMariaRAT
File size: 993'280 bytes
First seen: 2022-03-21 07:56:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep: 24576:wUual98wKYiARGnXdPNv1nxLm5if1JWJ8CMmBj6Ggt0qwq68mQ/98:LucAYpGnXdPd/t6BgsSl8
Threatray: 9'118 similar samples on MalwareBazaar
TLSH: T1462523BA23B84731C46C5374ECE6608586324903E651EF50AFC6F52A1D27B8B1B07EB7
Reporter: GovCERT_CH
Tags: AveMariaRAT exe WarzoneRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 171
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fareit obfuscated packed replace.exe
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AveMaria
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to create processes via WMI
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Creates processes via WMI
Detected unpacking (creates a PE file in dynamic memory)
Drops script or batch files to the startup folder
Increases the number of concurrent connection per server for Internet Explorer
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Behaviour
Behavior Graph (ID 592971; sample: LETTER OF CREDIT-PNP PO-116...; start date: 21/03/2022; architecture: WINDOWS; score: 100)
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 16 other signatures
Process tree (dropped files, network contacts and triggered signatures are listed under the process responsible for them):
LETTER OF CREDIT-PNP PO-11698 SLUB INV REVISED.exe
    dropped: C:\Users\user\AppData\...\dSwzeGAKjL.exe (PE32); C:\Users\...\dSwzeGAKjL.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpA56B.tmp (XML); LETTER OF CREDIT-P...INV REVISED.exe.log (ASCII)
    signatures: Adds a directory exclusion to Windows Defender
    LETTER OF CREDIT-PNP PO-11698 SLUB INV REVISED.exe
        dropped: C:\ProgramData\windowsupdate.exe (PE32); C:\ProgramData:ApplicationData (PE32); C:\Users\user\AppData\...\programs.bat:start (ASCII); 2 other malicious files
        signatures: Creates files in alternative data streams (ADS); Adds a directory exclusion to Windows Defender; Increases the number of concurrent connection per server for Internet Explorer
        windowsupdate.exe
            signatures: Multi AV Scanner detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender
            windowsupdate.exe
                network: 76.8.53.133 port 1198 (QUONIXNETUS, United States), local port 49793
                signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; 2 other signatures
                powershell.exe
                    conhost.exe
                cmd.exe
                    conhost.exe
            powershell.exe
                conhost.exe
            schtasks.exe
                conhost.exe
        powershell.exe
            conhost.exe
    powershell.exe
        conhost.exe
    schtasks.exe
        conhost.exe
cmd.exe
    WMIC.exe
        signatures: Creates processes via WMI
    conhost.exe
WmiPrvSE.exe
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-03-21 04:18:43 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat infostealer rat
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
WarzoneRat, AveMaria
Malware Config
C2 Extraction: 76.8.53.133:1198
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AveMariaRAT
Executable exe 4b1532fa6483dfb4194a1f3fbf583f511caea6035f61e9ffad798bd58981f5a8 (this sample)
Dropped by: warzonerat
Delivery method: Distributed via e-mail attachment
