MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58f6462c0225f4ec37209add8486ef9bdcdc1d1e766096af73b3c7797ebeadb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT
Vendor detections: 12

SHA256 hash: 58f6462c0225f4ec37209add8486ef9bdcdc1d1e766096af73b3c7797ebeadb1
SHA3-384 hash: 20446105e8e829ed44953a879e09a1b514cb66fbb7290bf1b4104a0f5020de98ab2e096d5ee3d66f8c3545d9f32fac8b
SHA1 hash: 00906dca6d4134495a95283cc2c5ac458f2891fd
MD5 hash: 2411437b7a8c5e897e974b5a33e67428
humanhash: xray-chicken-connecticut-ohio
File name: Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe
Signature: AveMariaRAT
File size: 101'888 bytes
First seen: 2022-10-19 02:39:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep: 1536:/7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfPwNOpJ0HWIhOl:z7DhdC6kzWypvaQ0FxyNTBfP6OpH
Threatray: 2'974 similar samples on MalwareBazaar
TLSH: T1D4A38E41F3E102F7EAF2053100A6762F973663289764A8DBC74C3D929913AD5A73D3E9
TrID:
  37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 6cecccdcd4d0e8f0 (4 x AveMariaRAT, 1 x Smoke Loader, 1 x GuLoader)
Reporter: r3dbU7z
Tags: AveMariaRAT exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 260
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe
Verdict: Suspicious activity
Analysis date: 2022-10-19 06:32:13 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Launching a process
Sending an HTTP GET request
Creating a file
Using the Windows Management Instrumentation requests
Modifying a system executable file
Launching cmd.exe command interpreter
Creating a file in the %temp% subdirectories
Running batch commands
Forced system process termination
Launching a tool to kill processes
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Babadeda
Detection: malicious
Classification: troj.adwa.expl
Score: 96 / 100
Signature
Antivirus detection for dropped file
Drops PE files to the startup folder
Drops script or batch files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Yara detected Babadeda
Behaviour
Behavior Graph (ID 725785; sample Sandra-Wohl-Bewerbung-Arbei...; start date 19/10/2022; architecture WINDOWS; score 96), as recoverable from the graph rendering:

Top-level signatures: Snort IDS alert for network traffic; Antivirus detection for dropped file; Yara detected Babadeda; 4 other signatures

Network:
  i.ibb.co (DNS)
  111.90.151.174 (SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd, Malaysia), local ports 49677, 49678, 49681; traffic originates from the group of 13 other processes under the second cmd.exe

Process tree:
  Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe (started)
    cmd.exe [Drops script or batch files to the startup folder; Uses cmd line tools excessively to alter registry or file data; Drops PE files to the startup folder]
      Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe (second instance)
        cmd.exe (drops C:\Users\user\AppData\Roaming\...\part1.bat, ASCII)
          cmd.exe x3 plus 13 other processes, each spawning further cmd.exe / conhost.exe pairs
            cmd.exe (drops C:\Users\user\AppData\...\Ransomware.exe, PE32) [Uses cmd line tools excessively to alter registry or file data]
            cmd.exe chains (5 to 6 further processes per branch), each ending in reg.exe
            one branch drops C:\configuration\5201.exe, PE32 before launching reg.exe
        conhost.exe
    conhost.exe
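The graph above shows the pattern worth alerting on: a cmd.exe chain dropping a batch file and a PE into the Startup folder, repeatedly launching reg.exe to modify the registry, and running taskkill. The following is an added example for this page, not code from MalwareBazaar or the sandbox that produced the graph. It runs three detections over a constructed event stream whose field names follow Sysmon Event ID 1 (process create) and Event ID 11 (file create); the paths, process IDs and command lines are invented to mirror the graph (the page elides the real part1.bat directory), and the reg.exe threshold of 3 is an assumption to tune per environment.

```python
from collections import Counter

STARTUP_MARKER = "\\start menu\\programs\\startup\\"  # present in per-user and all-users Startup paths
DROP_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".exe", ".dll", ".lnk")
REG_SPAM_THRESHOLD = 3  # assumption: admin scripts rarely launch this many reg.exe add/delete calls from one cmd.exe

SAMPLE = r"C:\Users\user\Desktop\Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe"
CMD = r"C:\Windows\System32\cmd.exe"
BAT = r"C:\Users\user\AppData\Roaming\svc\part1.bat"  # constructed; the page elides the real directory
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


def proc(pid, ppid, image, parent, cmdline):
    """Sysmon Event ID 1 shaped record (constructed)."""
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent, "CommandLine": cmdline}


def filecreate(pid, image, target):
    """Sysmon Event ID 11 shaped record (constructed)."""
    return {"EventID": 11, "ProcessId": pid, "Image": image, "TargetFilename": target}


# Constructed event stream mirroring the graph: sample -> cmd.exe -> sample -> cmd.exe -> reg.exe / taskkill
EVENTS = [
    proc(13, 2, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    proc(15, 13, CMD, SAMPLE, f'cmd.exe /c "{BAT}"'),
    filecreate(15, CMD, STARTUP + r"\part1.bat"),
    filecreate(15, CMD, STARTUP + r"\svc.exe"),
    filecreate(15, CMD, STARTUP + r"\readme.txt"),  # non-executable extension: not flagged
    proc(20, 15, SAMPLE, CMD, f'"{SAMPLE}"'),
    proc(22, 20, CMD, SAMPLE, f'cmd.exe /c "{BAT}"'),
]
REG_CMDS = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\Users\user\AppData\Roaming\svc\svc.exe /f",
    r"reg add HKCU\Control Panel\Desktop /v Wallpaper /t REG_SZ /d C:\Users\user\AppData\Roaming\svc\wall.bmp /f",
    r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f",
]
EVENTS += [proc(76 + i, 22, r"C:\Windows\System32\reg.exe", CMD, c) for i, c in enumerate(REG_CMDS)]
EVENTS.append(proc(90, 22, r"C:\Windows\System32\taskkill.exe", CMD, "taskkill /f /im Taskmgr.exe"))
# one benign 'reg query' from an unrelated admin shell: must not count towards the spam rule
EVENTS.append(proc(201, 200, r"C:\Windows\System32\reg.exe", CMD,
                   r"reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"))


def image_name(path):
    """Lower-cased basename of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, reg_threshold=REG_SPAM_THRESHOLD):
    """Return findings for Startup-folder drops, forced taskkill, and reg.exe spam from a single cmd.exe."""
    findings, reg_per_cmd = [], Counter()
    for ev in events:
        if ev["EventID"] == 11:
            target = ev["TargetFilename"].lower()
            if STARTUP_MARKER in target and target.endswith(DROP_EXTENSIONS):
                findings.append({"rule": "startup_drop", "pid": ev["ProcessId"], "detail": ev["TargetFilename"]})
        elif ev["EventID"] == 1:
            img, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
            argv = ev["CommandLine"].lower().split()
            if img == "reg.exe" and parent == "cmd.exe" and len(argv) > 1 and argv[1] in ("add", "delete"):
                reg_per_cmd[ev["ParentProcessId"]] += 1  # only modifying calls count; 'reg query' does not
            if img == "taskkill.exe" and "/f" in argv:
                findings.append({"rule": "taskkill_forced", "pid": ev["ProcessId"], "detail": ev["CommandLine"]})
    for pid, n in reg_per_cmd.items():
        if n >= reg_threshold:
            findings.append({"rule": "cmd_reg_spam", "pid": pid, "detail": f"{n} reg.exe add/delete launches"})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["rule"], f["pid"], f["detail"])
```

The reg.exe count is keyed on the parent cmd.exe PID rather than on the whole host, which is what keeps a single noisy admin shell from being masked by many quiet ones; with real Sysmon data, feed the same dicts from the parsed XML and keep the counter per parent ProcessGuid instead of ProcessId, since PIDs are reused.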
Threat name: Win32.Backdoor.Generic
Status: Suspicious
First seen: 2022-10-19 02:57:57 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 8 of 26 (30.77%)
Threat level: 5/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:eternity family:warzonerat evasion infostealer persistence ransomware rat trojan upx
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies Control Panel
Modifies registry class
NTFS ADS
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Sets desktop wallpaper using registry
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Warzone RAT payload
Eternity
Modifies Windows Defender Real-time Protection settings
Modifies security service
WarzoneRat, AveMaria
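Several items in the list above describe registry state that survives after the sample has run: Task Manager disabled via policy, a Run key pointing at the dropped payload, the wallpaper replaced through Control Panel settings, and Defender real-time protection switched off by policy. The following is an added example for this page, not code from MalwareBazaar or the vendor that produced the behaviour list. It parses a .reg export (as produced by `reg export`) and flags those states; the export text is constructed to resemble an infected profile, the value names `svc` and `wall.bmp` and every path in it are invented, and the list of user-writable directories is an assumption.

```python
import re

# Constructed .reg export (REG_SZ and REG_DWORD only); keys mirror this sample's behaviour, values are invented.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svc"="C:\\Users\\user\\AppData\\Roaming\\svc\\svc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Users\\user\\AppData\\Roaming\\svc\\wall.bmp"
"WallpaperStyle"="10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
'''

# "name"=value or @=value; the name may itself contain escaped quotes
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
# assumption: directories a standard user can write to; tune for your environment
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _unescape(s):
    """Strip the surrounding quotes of a .reg string and undo its backslash escapes."""
    out, i = [], 1
    while i < len(s) - 1:
        if s[i] == "\\" and i + 1 < len(s) - 1:
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _parse_value(raw):
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw)
    return raw  # hex:, hex(2): etc. are kept verbatim


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key is not None:
            m = _VALUE_LINE.match(line)
            if m:
                name = m.group(1) if m.group(1) is not None else "(Default)"
                reg[key][name] = _parse_value(m.group(3))
    return reg


def hunt(reg):
    """Flag the registry states this sample's behaviour list describes; returns (rule, key, value_name) tuples."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        for name, val in values.items():
            n = name.lower()
            user_writable = isinstance(val, str) and any(m in val.lower() for m in USER_WRITABLE)
            if k.endswith("\\policies\\system") and n == "disabletaskmgr" and val == 1:
                findings.append(("task_manager_disabled", key, name))
            elif "\\windows defender\\" in k and n == "disablerealtimemonitoring" and val == 1:
                findings.append(("defender_realtime_disabled", key, name))
            elif k.endswith("\\currentversion\\run") and user_writable:
                findings.append(("run_key_user_writable_path", key, name))
            elif k.endswith("\\control panel\\desktop") and n == "wallpaper" and user_writable:
                findings.append(("wallpaper_from_user_writable_path", key, name))
    return findings


if __name__ == "__main__":
    for rule, key, name in hunt(parse_reg(REG_EXPORT)):
        print(f"{rule}: [{key}] {name}")
```

The Run-key rule flags entries by where they point rather than by name, so the legitimate OneDrive entry under Program Files passes while the invented `svc` entry under AppData is reported; on a live host the same check applies to the HKLM Run and RunOnce keys and to the Startup folder contents the sandbox also reported.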
Malware Config
C2 Extraction: 111.90.151.174:5200
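The extracted C2 socket above is the highest-fidelity indicator on this page; the i.ibb.co contact from the behaviour graph is a shared image host and only useful in combination. The following is an added example for this page, not code from MalwareBazaar or any vendor. It matches both indicators against constructed Zeek-style conn.log and dns.log text (timestamps, internal hosts and the 198.51.100.x / 203.0.113.x addresses are invented), distinguishes an exact ip:port hit from traffic to the same IP on another port, and emits a Suricata rule for the socket; the sid 1000001 is an assumed local-range value.

```python
C2_IP, C2_PORT = "111.90.151.174", 5200  # from the Malware Config above
PAYLOAD_HOSTS = {"i.ibb.co"}             # contacted per the behaviour graph; shared image host, low fidelity alone


def _tsv(rows):
    return "\n".join("\t".join(r) for r in rows)


# Constructed Zeek ASCII logs; the #fields header drives the column mapping
CONN_LOG = _tsv([
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service", "conn_state"],
    ["1666147150.00", "C0", "10.0.0.25", "49670", "198.51.100.7", "443", "tcp", "ssl", "SF"],
    ["1666147200.10", "C1", "10.0.0.25", "49677", C2_IP, "5200", "tcp", "-", "S1"],
    ["1666147201.20", "C2", "10.0.0.25", "49678", C2_IP, "5200", "tcp", "-", "S1"],
    ["1666147205.00", "C3", "10.0.0.30", "51000", C2_IP, "443", "tcp", "ssl", "SF"],
])
DNS_LOG = _tsv([
    ["#fields", "ts", "uid", "id.orig_h", "query", "answers"],
    ["1666147190.00", "D1", "10.0.0.25", "i.ibb.co", "203.0.113.10"],
    ["1666147191.00", "D2", "10.0.0.25", "www.microsoft.com", "203.0.113.20"],
])


def parse_zeek(text):
    """Parse a Zeek ASCII log into dicts keyed by the names in its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def match_iocs(conn_rows, dns_rows):
    """Return hits for the C2 socket (exact and same-IP-other-port) and for payload-host lookups."""
    hits = []
    for r in conn_rows:
        if r["id.resp_h"] == C2_IP:
            kind = "c2_exact" if int(r["id.resp_p"]) == C2_PORT else "c2_ip_other_port"
            hits.append({"kind": kind, "ts": r["ts"], "src": r["id.orig_h"],
                         "dst": r["id.resp_h"] + ":" + r["id.resp_p"]})
    for r in dns_rows:
        if r["query"].lower().rstrip(".") in PAYLOAD_HOSTS:
            hits.append({"kind": "payload_host_lookup", "ts": r["ts"], "src": r["id.orig_h"], "dst": r["query"]})
    return hits


def suricata_rule(ip=C2_IP, port=C2_PORT, sid=1000001):
    """Suricata rule for the C2 socket; sid is an assumed local-range value, pick one free in your ruleset."""
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"MalwareBazaar AveMariaRAT/WarzoneRAT C2 {ip}:{port}"; flow:to_server,established; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for h in match_iocs(parse_zeek(CONN_LOG), parse_zeek(DNS_LOG)):
        print(h["kind"], h["ts"], h["src"], "->", h["dst"])
    print(suricata_rule())
```

The same-IP-other-port class is kept separate because a RAT operator can move the listener without changing hosting; treat it as a lead to verify, not an alert, and expect the i.ibb.co lookup to fire for legitimate image traffic unless it is correlated with the process or the C2 hit.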
Unpacked files
SHA256 hash: e74b7a431a0a463a507f833f361bd4cc9845865e33474895d1bd8db6397098d4
MD5 hash: 129ce672adb65fbdea163346a11d7495
SHA1 hash: 40c7c6ca563e7b02364dd64271bf5aff259364a2

SHA256 hash: b1399826981a8d0af52f569e209f4b385faf808227347e2d42e1198fa6a46ce4
MD5 hash: b239751152267f82335cc8d352e8aab0
SHA1 hash: 24efa8026dc2f3a08462ed4b2861298f655f3b17

SHA256 hash: 940d427148221b6c4f51652675f7f6fbb828ea1d559d74f39e96c19c7ed073b1
MD5 hash: 89dfa27b120c5903d01618a8bfdb2f2f
SHA1 hash: dead46c8a61d60437ba17cca19d455385e13c782

SHA256 hash: f6ed1e736a5fa95742e40b3645e244c90d90fba5c7beb831f087e7cc76ee2e34
MD5 hash: b6828b6134d5b72e11beac6cf061f5c5
SHA1 hash: 7ecfdb9575a204620d04ba48ee0f0788afead5a8

SHA256 hash: 4f41ad3e4917bcf4a93a4dbbffa3d8035d529ab086475a72c0642c12f4a3103a
MD5 hash: 66093b1a06de1a36e52456de420a52f4
SHA1 hash: 5d9b40039d91e89338469ef25c6a759b769ec8f8

SHA256 hash: fe61162d0e71ae1e6f4a83d5521d454c58d89bdcace2111a243a5a9667c1a8d0
MD5 hash: 3b87fbb1621be51a19d224eb94654340
SHA1 hash: 338504abcad7dfbc84e29273cb1db26a5a37d310

SHA256 hash: ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash: a35ee23aaab26afc575ac83df9572b57
SHA1 hash: 81ea38c694ce9702faddfb961f17c1bbf628a76d

SHA256 hash: e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash: 5cac4fe734fc8454ccb847e030beee38
SHA1 hash: 34298fe220e35f614b2c837cf1dc2604ab0882d6

SHA256 hash: 58f6462c0225f4ec37209add8486ef9bdcdc1d1e766096af73b3c7797ebeadb1 (this sample)
MD5 hash: 2411437b7a8c5e897e974b5a33e67428
SHA1 hash: 00906dca6d4134495a95283cc2c5ac458f2891fd

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
AveMariaRAT
Executable exe 58f6462c0225f4ec37209add8486ef9bdcdc1d1e766096af73b3c7797ebeadb1 (this sample)

Delivery method
Distributed via web download
