MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5004dccfea55cb7c7338390ef12adf835341473d9e850e9232aee6e7c7b6f1f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5004dccfea55cb7c7338390ef12adf835341473d9e850e9232aee6e7c7b6f1f6
SHA3-384 hash: ce8388ff842e39eb6618fefd3b895e7d2e3a4eeea0fb07824370a4a114423c2eee6810b01ed7089c8b9ff9005652b121
SHA1 hash: b7a46f5caa9e2d87d1abb9b44c89439907d317b9
MD5 hash: 9856cead20fb0c57a8f338af1504a1aa
humanhash: freddie-xray-violet-venus
File name:SecuriteInfo.com.Trojan.PackedNET.331.26146.16975
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:706'048 bytes
First seen:2022-05-11 08:40:07 UTC
Last seen:2022-05-11 09:49:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:i9u9WQhQkLnwUPxq1A/qvDYqZv3C9Za6ML:cu9WQhQksUh/hqZaZOL
Threatray 4'731 similar samples on MalwareBazaar
TLSH T1B3E4D0C37734CB57F4783BF4652A843447B56C27A661D74B1F8EB9EB18B27001A82A63
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 31b09c969698f033 (8 x AgentTesla, 5 x SnakeKeylogger, 1 x AveMariaRAT)
Reporter SecuriteInfoCom
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269637/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.331.26146.16975.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/627b769392de4ecac4105395/reports/767538bb-bbda-4532-995b-ca52758aa0cc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13e4ad95-d8c4-4656-b94f-9d45ca56a0d4
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991697
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Detected unpacking (creates a PE file in dynamic memory)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 624193 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 11/05/2022 Architecture: WINDOWS Score: 100 69 Snort IDS alert for network traffic 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 9 other signatures 2->75 9 SecuriteInfo.com.Trojan.PackedNET.331.26146.exe 7 2->9         started        process3 file4 55 C:\Users\user\AppData\...\lXsvObkwzxYrFg.exe, PE32 9->55 dropped 57 C:\...\lXsvObkwzxYrFg.exe:Zone.Identifier, ASCII 9->57 dropped 59 C:\Users\user\AppData\Local\...\tmp1B63.tmp, XML 9->59 dropped 61 SecuriteInfo.com.T...T.331.26146.exe.log, ASCII 9->61 dropped 95 Contains functionality to inject threads in other processes 9->95 97 Contains functionality to steal Chrome passwords or cookies 9->97 99 Contains functionality to steal e-mail passwords 9->99 101 2 other signatures 9->101 13 SecuriteInfo.com.Trojan.PackedNET.331.26146.exe 4 5 9->13         started        17 powershell.exe 24 9->17         started        19 schtasks.exe 1 9->19         started        21 3 other processes 9->21 signatures5 process6 file7 63 C:\ProgramData\images.exe, PE32 13->63 dropped 65 C:\ProgramData\images.exe:Zone.Identifier, ASCII 13->65 dropped 103 Adds a directory exclusion to Windows Defender 13->103 105 Increases the number of concurrent connection per server for Internet Explorer 13->105 107 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->107 23 images.exe 13->23         started        27 cmd.exe 13->27         started        29 powershell.exe 24 13->29         started        31 conhost.exe 17->31         started        33 conhost.exe 19->33         started        signatures8 process9 file10 53 C:\Users\user\AppData\...\images.exe.log, ASCII 23->53 dropped 87 Multi AV Scanner detection for dropped file 23->87 89 Detected unpacking (creates a PE file in dynamic memory) 23->89 91 Machine Learning detection for dropped file 23->91 93 Adds a directory exclusion to Windows Defender 23->93 35 images.exe 23->35         started        39 powershell.exe 23->39         started        41 schtasks.exe 23->41         started        43 reg.exe 27->43         started        45 conhost.exe 27->45         started        47 conhost.exe 29->47         started        signatures11 process12 dnsIp13 67 212.193.30.38, 49752, 5200 SPD-NETTR Russian Federation 35->67 77 Tries to steal Mail credentials (via file / registry access) 35->77 79 Tries to harvest and steal browser information (history, passwords, etc) 35->79 81 Adds a directory exclusion to Windows Defender 35->81 83 Installs a global keyboard hook 35->83 49 conhost.exe 39->49         started        51 conhost.exe 41->51         started        85 Creates an undocumented autostart registry key 43->85 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5004dccfea55cb7c7338390ef12adf835341473d9e850e9232aee6e7c7b6f1f6/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-11 08:41:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kacnzt7kkxfxy4zyhehpckw7qnjucrz5t2cq5ersv3topr5w6h3a._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
29a4c97029dcf52e73bb65d748d1fd6194c5f7f72fe8c272320bbe38636e0f3a
AveMariaRAT
52e2c9a43a9de0685055f60bd590f2f893882ad710f3b7e8c451985eea69ec07
AveMariaRAT
649acc4a8ec45c2b3d6e217e3818db8174eb3a3bd923d8b907f6164fd42bb751
AveMariaRAT
9454554ff02715a0e17bde7743b9fa2eb0795058d02c178b148d2c090396dfba
AveMariaRAT
9e2a3d4464636baff78628d870f39d1a9f3ba23da71f8c50ead2576479077702
AveMariaRAT
f4d3d1d7abd51b08b3bad84d718cb3beaf9d0513422ce276ea2cc2617c3cf889
AveMariaRAT
fdcb93d14d249d6970c9f7374eb95190af62db72b5555c48d23a3af20902b682
AveMariaRAT
+ 4'721 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer rat spyware stealer
Link:
https://tria.ge/reports/220511-kkyqqsahen/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
212.193.30.38:5200
Unpacked files
SH256 hash:
3929eb9a005b5deefc242154341ba2ba6505dffe437042cce811352a6b936d12
MD5 hash:
6f345586cc1fb0cbccabe61031581287
SHA1 hash:
f0fb5a8a2ce5b204e67568d8b576ab1ad3461c9e
Link:
https://www.unpac.me/results/64fdbe81-e7d3-4762-ab6e-24ff3d4893cc/
SH256 hash:
fd6b67a46f9f0f5b72002b5c2044a795bd85d127b5fc2700474dd38c465a8747
MD5 hash:
b3d9fca9f138834736eba7f33284f34a
SHA1 hash:
e72178da8fd82d616e56ee5bf3c013f5a7b8bba1
Link:
https://www.unpac.me/results/64fdbe81-e7d3-4762-ab6e-24ff3d4893cc/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/64fdbe81-e7d3-4762-ab6e-24ff3d4893cc/
SH256 hash:
753bb6d3f2107a7ed0071a4efa04ddb1a9d09edbeb382020e4d558d46b572048
MD5 hash:
b5911e16822a39925df899d348f05e0f
SHA1 hash:
47690a21ed470fae27fa0e315dbbee4d97dd43ee
Link:
https://www.unpac.me/results/64fdbe81-e7d3-4762-ab6e-24ff3d4893cc/
SH256 hash:
227cff2ffcf15d296c474ba1a16e71c8a4355865b26d130b97dcaaf19156f480
MD5 hash:
5691bfcae182e9114926ea32948afeec
SHA1 hash:
42aa6c759e0763258f9f66df0dd0d49c8d1ff679
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/64fdbe81-e7d3-4762-ab6e-24ff3d4893cc/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/64fdbe81-e7d3-4762-ab6e-24ff3d4893cc/
SH256 hash:
5004dccfea55cb7c7338390ef12adf835341473d9e850e9232aee6e7c7b6f1f6
MD5 hash:
9856cead20fb0c57a8f338af1504a1aa
SHA1 hash:
b7a46f5caa9e2d87d1abb9b44c89439907d317b9
Link:
https://www.unpac.me/results/64fdbe81-e7d3-4762-ab6e-24ff3d4893cc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5004dccfea55/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5004dccfea55cb7c7338390ef12adf835341473d9e850e9232aee6e7c7b6f1f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269637/

Comments