MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54d288be3de7ca248076fda266a5fcc3b5488b6d4a91f93033b1652dfe0164d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 12

SHA256 hash: 54d288be3de7ca248076fda266a5fcc3b5488b6d4a91f93033b1652dfe0164d3
SHA3-384 hash: a2811ae20b97cd5acce371ce1ba57dd64012bc4648464c295129f55802382b96e8ac4ec0b43a5c811b2ad0d67d600a54
SHA1 hash: 1860be4ed1c42cfa7317cf6cb2ff9a80eae982c8
MD5 hash: 557da3cd999097a88f81f0d311fd0c30
humanhash: mars-golf-arkansas-mango
File name: Samsung-Galaxy-Video-Wohnung.exe
Signature: AveMariaRAT
File size: 272'896 bytes
First seen: 2022-10-19 02:36:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep: 3072:D7DhdC6kzWypvaQ0FxyNTBfrUrWZKAgeZ6SZWXo67dqJSrNbrvbR70vAskA9oqNk:DBlkZvaF4NTBjJ7tQl0L7XDfXZyost
Threatray: 2'974 similar samples on MalwareBazaar
TLSH: T12444BE13B1D423F6E5A84C7300AA21AB1F3A31759794A8FF939C293709519A9933F77C
TrID: 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 3e9cc42c36d2f131 (1 x AveMariaRAT)
Reporter: r3dbU7z
Tags: AveMariaRAT exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 249
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Samsung-Galaxy-Video-Wohnung.exe
Verdict: Malicious activity
Analysis date: 2022-10-19 05:58:28 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Forced system process termination
Searching for the window
Launching a process
Sending an HTTP GET request
Creating a file
Using the Windows Management Instrumentation requests
Modifying a system executable file
Launching cmd.exe command interpreter
Launching a tool to kill processes
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Babadeda
Detection: malicious
Classification: troj.expl
Score: 88 / 100
Signature
Antivirus detection for dropped file
Drops script or batch files to the startup folder
Machine Learning detection for sample
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Yara detected Babadeda
Behaviour
Behavior Graph: (graph image not reproduced; the details recoverable from it are listed below)
Behavior Graph ID: 725780
Sample: Samsung-Galaxy-Video-Wohnung.exe, start date 19/10/2022, architecture WINDOWS, score 88
Graph signatures: Snort IDS alert for network traffic; Antivirus detection for dropped file; Yara detected Babadeda; 3 other signatures; Drops script or batch files to the startup folder; Uses cmd line tools excessively to alter registry or file data
Process tree (abridged): Samsung-Galaxy-Video-Wohnung.exe starts cmd.exe and conhost.exe; cmd.exe re-launches Samsung-Galaxy-Video-Wohnung.exe, which starts further cmd.exe / conhost.exe processes and, several levels down, multiple reg.exe processes
Dropped files: C:\Users\user\AppData\Roaming\...\part1.bat (ASCII); C:\Users\user\AppData\Roaming\...\part2.bat (ASCII); C:\configuration\5201.exe (PE32)
Network: 111.90.151.174 (ports 49695, 49696, 49697), SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd, Malaysia
Threat name: Win32.Backdoor.Generic
Status: Suspicious
First seen: 2022-10-19 02:43:46 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 9 of 26 (34.62%)
Threat level: 5/5

Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat infostealer persistence rat upx
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
NTFS ADS
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction: 111.90.151.174:5200
Unpacked files

SHA256 hash: 896f4f4dc9f557e9dbfe666ca6f2ecf9dfe7e45be5b7d985b1764e175e195e53
MD5 hash: 10408b2caddc99aa6d0cafe1c06cf6b1
SHA1 hash: eac6488e1dac1b35a4d2b0f89078101a45d51b19

SHA256 hash: e6b17a692cbf116dff43c2b028c1315df530929b9869820219023a68d3a36d37
MD5 hash: 1dd5e374fa8a266b1c64bb1421f0791f
SHA1 hash: d72ccd2383d2415fea9549b2847bdcaac370f93c

SHA256 hash: 800fcdaa4d403c4a3a1dafee6a38ced27f856243cd6e7364390e94a37ce551d0
MD5 hash: 44d3869a054d318b89f6e2bb6720c991
SHA1 hash: c75da3a6657e530b4d0a3120e7106bed3ce09ca2

SHA256 hash: e952e349d81f0c237e554f05d6d2fcb89320c41eb1fb29055d39ccb50f1df036
MD5 hash: 71fdc3211704460e733d56324d189dcf
SHA1 hash: e4dfe1be0b021385dd11de0950e72cb01cd30d80

SHA256 hash: 631f12395a2eac727f7cab6b3230ddca58f786ec2d59e6b2c4541951f9746e89
MD5 hash: abd6606ae0281e12f478eabfcbbc7e83
SHA1 hash: 8511aa984e84696c58945835b7983179a19a6fb9

SHA256 hash: e922cdceda98d7fdb570514beff920fbeffe2d712faa0a3d6ee8add2053dc252
MD5 hash: 51f26673d5390ca00b25256c7d8eb305
SHA1 hash: 835977535deca4f348667d708c5ccd626a3aa79e

SHA256 hash: c6a1b4f7e70e2a12cb9aef5bc677d2b40284a4ddee3134f0d37e822fc04715b4
MD5 hash: b89030fae69a9f4b2a70460e384765f6
SHA1 hash: 4af69b3788bdbe9b2a8146d7a809031f21b87d5d

SHA256 hash: 819bafd03d9f6b278a8603eaf91ee7d545d8a06e432023480441a99a32814ead
MD5 hash: beaac244a5ed1065d2c67e26bbd439be
SHA1 hash: 213314bf0d2c0a58c1a5c87c5e1630f1838339a6

SHA256 hash: e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash: 5cac4fe734fc8454ccb847e030beee38
SHA1 hash: 34298fe220e35f614b2c837cf1dc2604ab0882d6

SHA256 hash: 54d288be3de7ca248076fda266a5fcc3b5488b6d4a91f93033b1652dfe0164d3
MD5 hash: 557da3cd999097a88f81f0d311fd0c30
SHA1 hash: 1860be4ed1c42cfa7317cf6cb2ff9a80eae982c8
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AveMariaRAT
Sample: Executable exe 54d288be3de7ca248076fda266a5fcc3b5488b6d4a91f93033b1652dfe0164d3 (this sample)

Delivery method
Distributed via web download

Comments