MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599
SHA3-384 hash: d95bc13e987c3c2afc906f20703f49650de36331c0190f6c153eb8bc52deb51c325d2350807dcbdddf1416c4d68440ae
SHA1 hash: ddf46550655ca7c075496821d90fb7f5706ee9d7
MD5 hash: cae675beb80ed1fae88d407271ed397e
humanhash: fish-xray-montana-wyoming
File name:REQUEST FOR OFFER (University of Parma) 9-02-23·pdf.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:577'696 bytes
First seen:2023-02-09 11:04:14 UTC
Last seen:2023-02-09 13:08:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (385 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep 12288:GkyEGBEcfVj2sEjQS0Y+N8v2ocCSivrlicgs7LVpr6O:eHBbVKsIQSY8vcKGshx6O
TLSH T1A0C42317AAB18452C7A3C2311EA86023FBA33D3350954E5B2B86BF9879B4B44C51DF77
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8ee2f0b8cc3b3b80 (5 x AveMariaRAT, 1 x GuLoader)
Reporter JAMESWT_WT
Tags:AveMariaRAT exe signed

Code Signing Certificate

Organisation:Dougie
Issuer:Dougie
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-12T22:26:48Z
Valid to:2025-08-11T22:26:48Z
Serial number: -487372c713e1b7cd
Thumbprint Algorithm:SHA256
Thumbprint: 1678036ce63605c4688232dddf3ec64a7e9a347a2dcba362c2af4378928edf30
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
198
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REQUEST FOR OFFER (University of Parma) 9-02-23·pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-02-09 11:05:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8d0dd321-0b14-4392-8fe0-6c48d2c3acf6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/362708/
Detection(s):
SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.s.27703.19664.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/67097/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63e4d361c7ca3840b5a15461/reports/30bfd965-4281-4f84-b6ad-8a1f23226ded/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4a2cdca-4624-4931-8e67-d3bbe046d4a4
Result
Threat name:
AveMaria, GuLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1169936
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected GuLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 802734 Sample: REQUEST FOR OFFER (Universi... Startdate: 09/02/2023 Architecture: WINDOWS Score: 100 84 forcema002.duckdns.org 2->84 86 googlehosted.l.googleusercontent.com 2->86 88 2 other IPs or domains 2->88 100 Snort IDS alert for network traffic 2->100 102 Malicious sample detected (through community Yara rule) 2->102 104 Multi AV Scanner detection for dropped file 2->104 106 10 other signatures 2->106 12 REQUEST FOR OFFER (University of Parma) 9-02-23#U00b7pdf.exe 32 2->12         started        16 Windows8.exe 19 2->16         started        18 rdpvideominiport.sys 2->18         started        20 2 other processes 2->20 signatures3 process4 file5 76 C:\Users\user\AppData\...\CCUpdate.exe, PE32 12->76 dropped 78 C:\Users\user\AppData\Local\...\System.dll, PE32 12->78 dropped 132 Tries to detect Any.run 12->132 22 REQUEST FOR OFFER (University of Parma) 9-02-23#U00b7pdf.exe 5 14 12->22         started        80 C:\Users\user\AppData\Local\...\System.dll, PE32 16->80 dropped 27 WerFault.exe 21 16->27         started        signatures6 process7 dnsIp8 94 googlehosted.l.googleusercontent.com 142.250.184.225, 443, 49786, 49803 GOOGLEUS United States 22->94 96 drive.google.com 142.250.185.206, 443, 49785, 49802 GOOGLEUS United States 22->96 68 C:\Users\user\Documents\Windows8.exe, PE32 22->68 dropped 70 C:\Users\user\...\Documents:ApplicationData, PE32 22->70 dropped 72 C:\Users\...\Windows8.exe:Zone.Identifier, ASCII 22->72 dropped 74 2 other malicious files 22->74 dropped 116 Creates files in alternative data streams (ADS) 22->116 118 Adds a directory exclusion to Windows Defender 22->118 120 Tries to detect Any.run 22->120 122 2 other signatures 22->122 29 Windows8.exe 19 22->29         started        33 powershell.exe 23 22->33         started        file9 signatures10 process11 file12 82 C:\Users\user\AppData\Local\...\System.dll, PE32 29->82 dropped 134 Multi AV Scanner detection for dropped file 29->134 136 Adds a directory exclusion to Windows Defender 29->136 138 Tries to detect Any.run 29->138 35 Windows8.exe 28 29->35         started        40 conhost.exe 33->40         started        signatures13 process14 dnsIp15 90 forcema002.duckdns.org 84.38.130.203, 49806, 8234 DATACLUBLV Latvia 35->90 92 127.0.0.1 unknown unknown 35->92 60 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 35->60 dropped 62 C:\Users\user\AppData\Local\Temp\nss3.dll, PE32 35->62 dropped 64 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 35->64 dropped 66 6 other files (3 malicious) 35->66 dropped 108 Hides user accounts 35->108 110 Tries to harvest and steal browser information (history, passwords, etc) 35->110 112 Writes to foreign memory regions 35->112 114 4 other signatures 35->114 42 20.exe 35->42         started        46 powershell.exe 35->46         started        48 cmd.exe 35->48         started        file16 signatures17 process18 dnsIp19 98 239.255.255.250 unknown Reserved 42->98 124 Antivirus detection for dropped file 42->124 126 Multi AV Scanner detection for dropped file 42->126 128 Uses netsh to modify the Windows network and firewall settings 42->128 130 Modifies the windows firewall 42->130 50 netsh.exe 42->50         started        52 WerFault.exe 42->52         started        54 conhost.exe 46->54         started        56 conhost.exe 48->56         started        signatures20 process21 process22 58 conhost.exe 50->58         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ljyekotlj5vf37mvmud5zm3e7id32zix7b7oepww24b7p3a7mwmq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:warzonerat downloader infostealer persistence rat
Link:
https://tria.ge/reports/230209-m6vmbahg58/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Drops startup file
Executes dropped EXE
Loads dropped DLL
Guloader,Cloudeye
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
MD5 hash:
17ed1c86bd67e78ade4712be48a7d2bd
SHA1 hash:
1cc9fe86d6d6030b4dae45ecddce5907991c01a0
Link:
https://www.unpac.me/results/4cdda76e-dd50-4e4f-954a-13d5a4bd7b1d/
SH256 hash:
194f9df745d5146d334b0e7c8e4afef13cff0f02da3f68bcee8845d26bedb037
MD5 hash:
fd4bc4a2c95d26f61ecb26672415221f
SHA1 hash:
ef1f60af264a21b191beaf2c5ca0204630f1dd1c
Link:
https://www.unpac.me/results/4cdda76e-dd50-4e4f-954a-13d5a4bd7b1d/
SH256 hash:
5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599
MD5 hash:
cae675beb80ed1fae88d407271ed397e
SHA1 hash:
ddf46550655ca7c075496821d90fb7f5706ee9d7
Link:
https://www.unpac.me/results/4cdda76e-dd50-4e4f-954a-13d5a4bd7b1d/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5a70453a6b4f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.02
Link:
https://yomi.yoroi.company/submissions/5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/362708/

Comments