MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 536d2e05383047b6b1f38680c840aa099498965dfc13ceafb0ec3efaeb3b293e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 536d2e05383047b6b1f38680c840aa099498965dfc13ceafb0ec3efaeb3b293e
SHA3-384 hash: a6e7a0e7bc9860010ab3a3e87ee337807d266eecf9e0791227518f9c0ee3de241ec0aed1fd589402e73390df71f28b1e
SHA1 hash: 19c5f773358c1da7cb927edb081074713e38934c
MD5 hash: db8b61c879de14d0712856f4310bb83e
humanhash: vermont-kansas-floor-hotel
File name:PO.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:968'704 bytes
First seen:2021-09-20 12:58:30 UTC
Last seen:2021-09-20 14:25:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:JBGiY6HiFur0Oef/iaxmAUPnV/nYORaBP50oA/1YCS4bmtiK5o3OyuMtntGGzGtF:JA6CFuYO2IAUPn9850oA/1PS4b+Fo3Y
Threatray 1'485 similar samples on MalwareBazaar
TLSH T1EA2549F11234CA19FDA6ABFCC0D590214B3B6D31D462854D7B71AB8E2D73F82614FA1A
File icon (PE):PE icon
dhash icon f0f0e84dcde4e4f8 (17 x AgentTesla, 4 x AveMariaRAT, 4 x RemcosRAT)
Reporter malwarelabnet
Tags:AveMariaRAT exe warzone

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 13:00:25 UTC
Tags:
trojan stealer rat avemaria
Link:
https://app.any.run/tasks/afa4d0d3-a5b3-454b-bcde-e35cff6a91d7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189443/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48175.1108.18610.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun with the shell\open\command registry branches
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/713304ce-461b-4e84-87f6-17e16c38d376
Result
Threat name:
AgentTesla AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854256
Signature
.NET source code contains potential unpacker
Contains functionality to hide user accounts
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 486688 Sample: PO.exe Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 45 mail.privateemail.com 2->45 59 Malicious sample detected (through community Yara rule) 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 6 other signatures 2->65 10 PO.exe 3 7 2->10         started        signatures3 process4 file5 35 C:\Users\user\AppData\Roaming\LZzPjLkB.exe, PE32 10->35 dropped 37 C:\Users\user\AppData\Local\...\tmp9036.tmp, XML 10->37 dropped 39 C:\Users\user\AppData\Local\...\PO.exe.log, ASCII 10->39 dropped 75 Uses schtasks.exe or at.exe to add and modify task schedules 10->75 77 Writes to foreign memory regions 10->77 79 Injects a PE file into a foreign processes 10->79 14 vbc.exe 3 21 10->14         started        19 schtasks.exe 1 10->19         started        signatures6 process7 dnsIp8 47 dazzling-lichterman.157-245-55-235.plesk.page 157.245.55.235, 443, 49745 DIGITALOCEAN-ASNUS United States 14->47 49 45.144.225.112, 49744, 5207 DEDIPATH-LLCUS Netherlands 14->49 41 C:\Users\user\AppData\Roaming\hlDiHfF.G.exe, PE32 14->41 dropped 43 C:\Users\user\AppData\Local\...\tv[1].exe, PE32 14->43 dropped 51 Tries to harvest and steal browser information (history, passwords, etc) 14->51 53 Increases the number of concurrent connection per server for Internet Explorer 14->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->55 57 Installs a global keyboard hook 14->57 21 hlDiHfF.G.exe 6 14->21         started        25 conhost.exe 19->25         started        file9 signatures10 process11 file12 33 C:\Users\user\AppData\Roaming\iybZpv.exe, PE32 21->33 dropped 67 Multi AV Scanner detection for dropped file 21->67 69 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->69 71 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->71 73 Injects a PE file into a foreign processes 21->73 27 schtasks.exe 1 21->27         started        29 hlDiHfF.G.exe 2 21->29         started        signatures13 process14 process15 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/536d2e05383047b6b1f38680c840aa099498965dfc13ceafb0ec3efaeb3b293e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 03:49:07 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=knws4bjygbd3nmptq2amqqfkbgkjrfs57qj45l5q5q7pv2z3fe7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
avemaria
Create hunting rule
Similar samples:
03030b4b8956e90558cbca148708bef3cbc18f17e14af330d1f22a16bc45ca4c
AveMariaRAT
18557447ecf0465479dbc151e8b1370550f10211373cd738e3a67e9112927bc8
AveMariaRAT
5b185af278fe0bdf4ed8724f98efa63f50c2bfc5a3d704d31e7a1d08a8089d39
AveMariaRAT
c1576e2a6542baf1bedf9a8f9b62da6a5e2f17dfcef52e5d977bc268c11306ca
AveMariaRAT
d4ab1b2e0d1a1a389c3e8f40237b7f7b40ba798468e2d73abe416b927bbe8f13
AveMariaRAT
d8bbb318b7db225f134c3bff2300f60614d87276dc038efe6370f1f52c44828a
AveMariaRAT
f4d3d1d7abd51b08b3bad84d718cb3beaf9d0513422ce276ea2cc2617c3cf889
AveMariaRAT
fea29fb2293dfa888c3ce64dba2e775b2793b7f2edd4bd647dd5d2a96d1bdc04
AveMariaRAT
+ 1'475 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:warzonerat infostealer keylogger rat spyware stealer trojan
Link:
https://tria.ge/reports/210920-p73enaebe9/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
AgentTesla Payload
AgentTesla
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
45.144.225.112:5207
Unpacked files
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/b3b9fa29-0ece-4177-8898-953cc1c51b31/
SH256 hash:
20c1bb607f93e9dc580de25183edd830f7aabb9a748d82ce95b97e09446ef161
MD5 hash:
0a173d9278f6e9ef0220a8411005b7cd
SHA1 hash:
70582c36ee964a77065b5669a3b6a71efbdde352
Link:
https://www.unpac.me/results/b3b9fa29-0ece-4177-8898-953cc1c51b31/
SH256 hash:
eca5e2443f169846c7820bf8c2fb99da265f6955f7103f12e3d9ce32d12d6b54
MD5 hash:
1a8cbfb5f6f44ede4c2ab55c46a7e202
SHA1 hash:
88d4d72627633fa429232b87f60d6ea9aaea1129
Link:
https://www.unpac.me/results/b3b9fa29-0ece-4177-8898-953cc1c51b31/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/b3b9fa29-0ece-4177-8898-953cc1c51b31/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/b3b9fa29-0ece-4177-8898-953cc1c51b31/
SH256 hash:
51a17ac241e7554dc15a840fbf32306728d7dc1e596f3664889cf16c70b64c3b
MD5 hash:
3b5edb22ec20da2f1ada256d09020e22
SHA1 hash:
d8b79a5c2da2955237e45965da333651ef555d4a
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/b3b9fa29-0ece-4177-8898-953cc1c51b31/
SH256 hash:
536d2e05383047b6b1f38680c840aa099498965dfc13ceafb0ec3efaeb3b293e
MD5 hash:
db8b61c879de14d0712856f4310bb83e
SHA1 hash:
19c5f773358c1da7cb927edb081074713e38934c
Link:
https://www.unpac.me/results/b3b9fa29-0ece-4177-8898-953cc1c51b31/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/536d2e05383047b6b1f38680c840aa099498965dfc13ceafb0ec3efaeb3b293e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria_WarZone
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189443/

Comments