MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ccbfc6564f960202e0e34a71d067f4808fc644151323961b0300766f495996b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ccbfc6564f960202e0e34a71d067f4808fc644151323961b0300766f495996b
SHA3-384 hash: 00210e9a2ea44929c6381cd17c333018f3a14c7e6989c252563404f50dbd29265635a9ce9567b7e40d14cc4aa1010205
SHA1 hash: 53a18874992caf898dc291bef4d5a9937e6a4bd8
MD5 hash: 9af374dc546fd477c8affd3d0294a8ad
humanhash: stairway-november-vegan-king
File name:Purchase Order 3884.pdf.scr.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'083'392 bytes
First seen:2023-09-07 12:35:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ad2271d934650237c138775ff423f68a (1 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 24576:aMf7L4HFRk6LgYTYkOZ8qJ0sJYGi1t2WnVwho:a52k
Threatray 102 similar samples on MalwareBazaar
TLSH T16E356E15B2789875E05979B2C804E7D2B8AB3ED0A94F4CCD91AE7AF61873BD1390C05F
TrID 54.3% (.EXE) InstallShield setup (43053/19/16)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.EXE) Win32 Executable (generic) (4505/5/1)
2.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 74ecd4d2d4d6d0bc (3 x RemcosRAT, 1 x AveMariaRAT)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
AveMariaRAT C2:
194.180.48.160:4898

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order 3884.pdf.scr.exe
Verdict:
Malicious activity
Analysis date:
2023-09-07 12:36:48 UTC
Tags:
installer dbatloader
Link:
https://app.any.run/tasks/3f28eee5-af9e-4b44-912b-4de5fbde6430

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/447139/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.29608.25137.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Network activity
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control keylogger lolbin masquerade
Link:
https://www.filescan.io/uploads/64f9c3b3b7dd6394f71288e5/reports/62afc089-9d2f-4365-bd0a-10a1cb60abaa/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/5ccbfc6564f960202e0e34a71d067f4808fc644151323961b0300766f495996b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae4deaa1-0884-4618-9d91-f24714b97902
Result
Threat name:
AveMaria, DBatLoader, PrivateLoader, UAC
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1305291
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected PrivateLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1305291 Sample: Purchase_Order_3884.pdf.scr.exe Startdate: 07/09/2023 Architecture: WINDOWS Score: 100 78 web.fe.1drv.com 2->78 80 onedrive.live.com 2->80 82 2 other IPs or domains 2->82 86 Snort IDS alert for network traffic 2->86 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 11 other signatures 2->92 12 Purchase_Order_3884.pdf.scr.exe 1 8 2->12         started        16 Cvvqpmhb.PIF 2->16         started        18 Cvvqpmhb.PIF 2->18         started        signatures3 process4 file5 68 C:\Users\Public\Libraries\netutils.dll, PE32+ 12->68 dropped 70 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 12->70 dropped 72 C:\Users\Public\Libraries\bhmpqvvC.bat, PE32 12->72 dropped 74 C:\Users\Public\Libraries\Cvvqpmhb.PIF, PE32 12->74 dropped 114 Contains functionality to hide user accounts 12->114 116 Drops PE files with a suspicious file extension 12->116 118 Writes to foreign memory regions 12->118 20 bhmpqvvC.bat 3 19 12->20         started        25 cmd.exe 1 12->25         started        120 Multi AV Scanner detection for dropped file 16->120 122 Allocates memory in foreign processes 16->122 124 Sample uses process hollowing technique 16->124 27 bhmpqvvC.bat 16->27         started        29 bhmpqvvC.bat 18->29         started        signatures6 process7 dnsIp8 84 194.180.48.160, 4898, 49762, 49771 LVLT-10753US Germany 20->84 60 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 20->60 dropped 62 C:\Users\user\AppData\Local\Temp\nss3.dll, PE32 20->62 dropped 64 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 20->64 dropped 66 3 other files (1 malicious) 20->66 dropped 96 Detected unpacking (changes PE section rights) 20->96 98 Detected unpacking (overwrites its own PE header) 20->98 100 Contains functionality to hide user accounts 20->100 110 8 other signatures 20->110 102 Uses ping.exe to sleep 25->102 104 Drops executables to the windows directory (C:\Windows) and starts them 25->104 106 Uses ping.exe to check the status of other devices and networks 25->106 31 easinvoker.exe 25->31         started        33 PING.EXE 1 25->33         started        36 xcopy.exe 2 25->36         started        41 8 other processes 25->41 108 Tries to harvest and steal browser information (history, passwords, etc) 27->108 39 WerFault.exe 29->39         started        file9 signatures10 process11 dnsIp12 43 cmd.exe 1 31->43         started        76 127.0.0.1 unknown unknown 33->76 56 C:\Windows \System32\easinvoker.exe, PE32+ 36->56 dropped 58 C:\Windows \System32\netutils.dll, PE32+ 41->58 dropped file13 process14 signatures15 112 Adds a directory exclusion to Windows Defender 43->112 46 cmd.exe 1 43->46         started        49 conhost.exe 43->49         started        process16 signatures17 126 Adds a directory exclusion to Windows Defender 46->126 51 powershell.exe 26 46->51         started        process18 signatures19 94 DLL side loading technique detected 51->94 54 conhost.exe 51->54         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ccbfc6564f960202e0e34a71d067f4808fc644151323961b0300766f495996b/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2023-09-07 12:36:06 UTC
File Type:
PE (Exe)
Extracted files:
105
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ltf7yzle7fqcalqogstr2bt7jaepyzcbkezdsynqgadwn5evtfvq._file
Verdict:
malicious
Similar samples:
0e468c5eceadbcaa3798b2a065673d5e7b1d09880b4971bf0401eab9c8ffef95
AveMariaRAT
1cb71707945bdd125f22f53b0965eb2538c91aad7bffb2ff3d0c4209d6a3f11f
AveMariaRAT
4f1e9fb055d2edf64a82cd342bb580f3f1a2f7a2351ac8a2cddc25120bb726ac
AveMariaRAT
6362e9238ae682805b33d2503122e845994d69e1eb51f981cde99b04572cc85c
AveMariaRAT
893c5f1c39d9fc4e2922b4b3f0d14e8d7e60ebcb8c64a32a7aa711c8a13cf37f
AveMariaRAT
957d4dbe710ceb16702d6febb67cb2f55cca53a58891edb7f8a8d5b1d8122dc7
AveMariaRAT
d7d47b0b0aa55363efdf394d4c3ad4dc6e175edb80e22ae6e7b37cf3bc1d32d1
AveMariaRAT
e4688b491eef2134a09a6c4061071f2de9d71df4c07f0aef23aef84f51688d38
AveMariaRAT
f89bdf26235faffcde237bebb15da55250f780d07a87a4304651a2e6b7e7e45a
AveMariaRAT
+ 92 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/230907-psw94ahf6s/
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
194.180.48.160:4898
Unpacked files
SH256 hash:
08fcab55ae1114ab9bcbad6226646ce79252e3e4ee3d6f0231297e15eef3f7e3
MD5 hash:
380920514587dbc2600ab2fb34993565
SHA1 hash:
d4198cd4730df242dec587553bfd5c8f8304e7ba
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/60fdc6c6-b52f-49ec-897e-04156e7ded3d/
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/60fdc6c6-b52f-49ec-897e-04156e7ded3d/
SH256 hash:
5ccbfc6564f960202e0e34a71d067f4808fc644151323961b0300766f495996b
MD5 hash:
9af374dc546fd477c8affd3d0294a8ad
SHA1 hash:
53a18874992caf898dc291bef4d5a9937e6a4bd8
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/60fdc6c6-b52f-49ec-897e-04156e7ded3d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ccbfc6564f9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ccbfc6564f960202e0e34a71d067f4808fc644151323961b0300766f495996b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/447139/

Comments