MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a9f7b86d93a84e03f6cf6dd71f1f5dac02fa4c6b778e74421a29fa0e45ba5ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a9f7b86d93a84e03f6cf6dd71f1f5dac02fa4c6b778e74421a29fa0e45ba5ea
SHA3-384 hash: 9f2e89270841eef6543bda0e675f490033fa7c854d3d23e016bb87c55ba31e5a034d0e025340a81e61fdd1182c39cb2d
SHA1 hash: 763bb28812935034cc2d58a7b8d0da43e573cb74
MD5 hash: 853192e452519de7da3e388d14dbb619
humanhash: salami-sweet-triple-four
File name:SecuriteInfo.com.W32.AIDetectNet.01.17511.21282
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:684'544 bytes
First seen:2022-05-25 10:40:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:49eGZFF/VTQWWJ8wGEpQRIM9GhbFTG/msR2MJujKTfF1q3L/8gQ4vVvrmCagobNY:mjXFwNpQRYrTtU2MJeKbF83LwAdrVKFq
Threatray 2'981 similar samples on MalwareBazaar
TLSH T17AE4E0AC326472DFC467C9728AA81C74EA617576830BC207E02316AD9E5DAD7CF215F3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.W32.AIDetectNet.01.17511.21282
Verdict:
Malicious activity
Analysis date:
2022-05-25 10:47:23 UTC
Tags:
stealer warzone trojan rat avemaria
Link:
https://app.any.run/tasks/b074c3b6-8ef8-41b5-9ff5-62de00212665

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274470/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628e07d4054dcf0ecaec3794/reports/c3de4032-84d5-4263-b30a-db8493947000/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab9015b5-d3ba-4b56-b833-3eb0110c7166
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001484
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 633983 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 25/05/2022 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 11 other signatures 2->47 8 SecuriteInfo.com.W32.AIDetectNet.01.17511.exe 7 2->8         started        process3 file4 31 C:\Users\user\AppData\Roaming\LSlOtRFql.exe, PE32 8->31 dropped 33 C:\Users\...\LSlOtRFql.exe:Zone.Identifier, ASCII 8->33 dropped 35 C:\Users\user\AppData\Local\...\tmp8CFB.tmp, XML 8->35 dropped 37 SecuriteInfo.com.W...et.01.17511.exe.log, ASCII 8->37 dropped 49 Uses schtasks.exe or at.exe to add and modify task schedules 8->49 51 Adds a directory exclusion to Windows Defender 8->51 12 SecuriteInfo.com.W32.AIDetectNet.01.17511.exe 3 4 8->12         started        16 powershell.exe 25 8->16         started        18 schtasks.exe 1 8->18         started        signatures5 process6 dnsIp7 39 kkemopes.ddns.net 91.193.75.212, 20321, 49756 DAVID_CRAIGGG Serbia 12->39 55 Tries to steal Mail credentials (via file / registry access) 12->55 57 Tries to harvest and steal browser information (history, passwords, etc) 12->57 59 Increases the number of concurrent connection per server for Internet Explorer 12->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->61 20 cmd.exe 1 12->20         started        22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        signatures8 process9 process10 26 reg.exe 1 1 20->26         started        29 conhost.exe 20->29         started        signatures11 53 Creates an undocumented autostart registry key 26->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a9f7b86d93a84e03f6cf6dd71f1f5dac02fa4c6b778e74421a29fa0e45ba5ea/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 09:27:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lkpxxbwzhkcoap3m63oxd4pv3lac7jggw54oorbbukp2bzc3uxva._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
17db20ebfbce957562eb47a2a0db1a052df6352613d554fe707fae58b8975f81
AveMariaRAT
1c01c5a95d637bd542273db79548f463e2821fda9c82d972050754b68c0025e2
AveMariaRAT
28899cd77a674fd8fc103e44aa12ce58b76dadcdcdecca0637c774df8dbdc61c
AveMariaRAT
2d59fe70ac77719864809b6386552a5e1c6470b496c80f36f7a8ff1ce3cf469d
AveMariaRAT
3e61ff7da9c135135af8936d7fb362a285b02c6431c8614eda55d2cce3bf3ff7
AveMariaRAT
5004dccfea55cb7c7338390ef12adf835341473d9e850e9232aee6e7c7b6f1f6
AveMariaRAT
bc6f0afa356c9ffebad19431fd6a7ce3c845c946e030191099b115cb59daee3c
AveMariaRAT
e961ac85380ccd346de98c4a55e10b837b9a77b7d31ec7a312b61b484e32c932
AveMariaRAT
f5f15c0824e07bfb0838592f6d542c1d3b236c158b23df1392b7562fb94ef1d4
AveMariaRAT
fb9d0187ef58360b6877dc38f0509030b2e7d57d060deae2bb6e3233dda8f47d
AveMariaRAT
+ 2'971 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer rat spyware stealer
Link:
https://tria.ge/reports/220525-mq39hsdgdr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
kkemopes.ddns.net:20321
Unpacked files
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/80d4388a-3616-4366-8e7f-a3f59d37bc7c/
SH256 hash:
4d5a679e8983f6b60a7200d9f5fc995801fcd51b363122039ea7721e9ddc76d2
MD5 hash:
1dc035377243de40d24427c9a7571757
SHA1 hash:
b0ab58edf1009d8bfa990a53e0efc4770e52a728
Link:
https://www.unpac.me/results/80d4388a-3616-4366-8e7f-a3f59d37bc7c/
SH256 hash:
68b41a93f5955dcf1af857d8b6f9d0e7e83ddf405ab69f4fbe620d43731a9005
MD5 hash:
ecd3963d1697d8f71f9313f2a1f39007
SHA1 hash:
ae08420ec50edf8588e385e1d626728e480a75c7
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/80d4388a-3616-4366-8e7f-a3f59d37bc7c/
SH256 hash:
9b10fd9fcb93b9987953fd722a5375829c876e533f70731cd8aaa8ebcc1da100
MD5 hash:
ad151aec7ac2c472552cc5f2f40294c3
SHA1 hash:
a6ff7bfdada2a8439905c74b395dc310aab571c2
Link:
https://www.unpac.me/results/80d4388a-3616-4366-8e7f-a3f59d37bc7c/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/80d4388a-3616-4366-8e7f-a3f59d37bc7c/
SH256 hash:
c720d8d87e5744ef459c160ae3ae85984519c5cee89d4acd3d4156f929ebcca2
MD5 hash:
86f922d84e1b89f646bc23cb3d878a9c
SHA1 hash:
b61f4401c1a144d704988cf4e55dd9a71f8d8263
Link:
https://www.unpac.me/results/80d4388a-3616-4366-8e7f-a3f59d37bc7c/
SH256 hash:
ea81ca4c3a7f4e7bf5b4320c33a56bc27ba8c7b7c81300f32dfca00b8a96eaa4
MD5 hash:
62ac1b8a5860d9c2e4472f45e4a3a763
SHA1 hash:
511edf7f39482213bcb0790ae7ab5d96082b71f2
Link:
https://www.unpac.me/results/80d4388a-3616-4366-8e7f-a3f59d37bc7c/
SH256 hash:
5a9f7b86d93a84e03f6cf6dd71f1f5dac02fa4c6b778e74421a29fa0e45ba5ea
MD5 hash:
853192e452519de7da3e388d14dbb619
SHA1 hash:
763bb28812935034cc2d58a7b8d0da43e573cb74
Link:
https://www.unpac.me/results/80d4388a-3616-4366-8e7f-a3f59d37bc7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a9f7b86d93a84e03f6cf6dd71f1f5dac02fa4c6b778e74421a29fa0e45ba5ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274470/

Comments