MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5261a06ba9e6f644f641d41060e67026a8834227e786e269b80f8d20e644a273. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5261a06ba9e6f644f641d41060e67026a8834227e786e269b80f8d20e644a273
SHA3-384 hash: 529357fbb6cadfcfa2cd3732a0b00e135a8f01aef300412769560947c583704b4165c0ab1a3194e232823c859ed3aaeb
SHA1 hash: 40e70f220fa6f3b90a168ffd8bfe502407a65bd9
MD5 hash: fe8a95b18fe7f2c699d58704ac7afd14
humanhash: angel-oklahoma-one-jersey
File name:fe8a95b18fe7f2c699d58704ac7afd14
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'460'736 bytes
First seen:2022-01-26 14:25:49 UTC
Last seen:2022-01-26 16:38:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0edc542bae7cd504ed54cb8d70b54508 (2 x AveMariaRAT)
ssdeep 12288:R4eWZX+6XlaNArEKP55ltuTydNNAF4B0la1:6VyOrE
TLSH T12A654C64A3A15115E9D7A7BF72B08B90C87E3C005D6D97CF4E464AC6CA2E2F079086F7
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RDPWrap
Create hunting rule
Link:
https://www.capesandbox.com/analysis/223353/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Maria.4.27056.9778.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Running batch commands
Creating a process from a recently created file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Enabling autorun by creating a file
Enabling autorun
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5218/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61f15a108581cbffe086348d/reports/3700b086-9f6d-4ea1-9c33-3622a0409d27/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5164c98-c6cf-49b3-a33a-20bca019367a
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.expl.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/927977
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5261a06ba9e6f644f641d41060e67026a8834227e786e269b80f8d20e644a273/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2022-01-26 10:10:42 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/220126-rr18rsecb5/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops startup file
Loads dropped DLL
Executes dropped EXE
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
108.62.141.204:5400
Unpacked files
SH256 hash:
9e23162a33edc66e109adb0bfd949c71330795917c6c0d8e993a41abf370233a
MD5 hash:
7d992198ea34152bb2ed09242d58cfad
SHA1 hash:
d71e5247502d1bcbc0ad6bc232442a88ce813d4a
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/f86bafa4-f4a8-47b8-b5d4-10ae8784b2fb/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/f86bafa4-f4a8-47b8-b5d4-10ae8784b2fb/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/f86bafa4-f4a8-47b8-b5d4-10ae8784b2fb/
SH256 hash:
5261a06ba9e6f644f641d41060e67026a8834227e786e269b80f8d20e644a273
MD5 hash:
fe8a95b18fe7f2c699d58704ac7afd14
SHA1 hash:
40e70f220fa6f3b90a168ffd8bfe502407a65bd9
Link:
https://www.unpac.me/results/f86bafa4-f4a8-47b8-b5d4-10ae8784b2fb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5261a06ba9e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5261a06ba9e6f644f641d41060e67026a8834227e786e269b80f8d20e644a273

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 5261a06ba9e6f644f641d41060e67026a8834227e786e269b80f8d20e644a273

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2007399/
Cape
Cape
https://www.capesandbox.com/analysis/223353/

Comments


Avatar
zbet commented on 2022-01-26 14:25:51 UTC

url : hxxp://airr-au.cam/chromes.exe