MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dd2674c9f116740c0132fca0553257cd52d8785a7ff47dd6d361b30a9634189. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5dd2674c9f116740c0132fca0553257cd52d8785a7ff47dd6d361b30a9634189
SHA3-384 hash: 70f22f01ab4ca3f736d1f7eff349efb1bb0b029f30760952c58f081ca055918add1fd5362c8b86f42f0f9c9a32b88d85
SHA1 hash: 8f9a0938d2c81ecf4c0168cc29b631c11d313671
MD5 hash: fcb29ef0cd81bcf73f7961824e0a5e56
humanhash: august-echo-east-king
File name:b57896922aee76a4a0be52f564270496.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:103'936 bytes
First seen:2020-04-03 14:08:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 879635b629affd65258851469f9bf6f9 (31 x AveMariaRAT)
ssdeep 1536:lvqIPE8ddFD1frrq7gVxoNGPNJKF1m+xVE0/bK:cI8CxFVxAMNJKu+xVE0TK
Threatray 428 similar samples on MalwareBazaar
TLSH 41A39D2377D14439F67102B02CB97E79CABFFE340221855B972456876B31994EA263A3
Reporter abuse_ch
Tags:AveMariaRAT exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1yXu0osNm1etzzbZi0M5TrJyLRKwyS9bN

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Maria.4.17072.22484.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Maria.3.30306.22950.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Agentb
Create hunting rule
Status:
Malicious
First seen:
2020-04-03 14:35:35 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
27 of 30 (90.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lxjgote7cftubqatf7fakuzfptks3b4fu77upxlngyntbkldigeq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
1433b4d3248aed590bdbc1295cc755490176aa3c300d1c56373736272ddd8dcb
AveMariaRAT
17f254df13906b735315c9a4377b950ba059eff2636ce4a710af5dd3a1ea4535
AveMariaRAT
1abd6deadaaa0e8386b1df2aeceacf637894adcb1d42762d1b141bcde569bc6f
AveMariaRAT
6b03acf7658af95975077de9cb4b5acaac1d2ed23f0c419ea13f39d25387bdce
AveMariaRAT
7a21a7a3639f98f4d6d5f4e838aa26cd26586a06ad9cb580aa5b23c4c8051901
AveMariaRAT
7f29131cb5f28ccbd60dbdf39b6b3c79a974d4a3950aac1d1c0f7edd68193c03
AveMariaRAT
7f62e5e2d0cfbe0740718588465b71a701fe3e188a8a4755baacbdc6fb41d52c
AveMariaRAT
9c83b050047ab4b9ca6c23e46b7d77ffc9c5207cc5981aac77c6c392abb7aff9
AveMariaRAT
b4dacfa5ab0ebae0bcc9b7b3f5519072e933d4ff20904d6504a0a032f708bdf8
AveMariaRAT
cb5c24e649bfdd00c9d03e8c16dfda3f1101fb531b94fd57922339a12e22a0d6
AveMariaRAT
+ 418 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AveMariaRAT

Executable exe 775188796115cd4ed9c6a6782ac0e2512c0759616395fc0e6193e63850adb4e0

AveMariaRAT

Executable exe 5dd2674c9f116740c0132fca0553257cd52d8785a7ff47dd6d361b30a9634189

(this sample)

  
Dropped by
MD5 b57896922aee76a4a0be52f564270496
  
Dropped by
MD5 825cd1b0673dcc0a7dc1210230117ef8
  
Dropped by
GuLoader
  
Dropped by
SHA256 775188796115cd4ed9c6a6782ac0e2512c0759616395fc0e6193e63850adb4e0
  
Dropped by
SHA256 59ead168d7224952c0abf3ab144857631346aefe1ec233ea45fdc4b7a7f1a388
  
URLhaus
https://urlhaus.abuse.ch/url/334511/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
DP_APIUses DP APICRYPT32.dll::CryptUnprotectData
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::SetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::ShellExecuteExA
SHELL32.dll::ShellExecuteExW
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateRemoteThread
KERNEL32.dll::CreateProcessW
KERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
SHELL32.dll::SHCreateDirectoryExW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::LookupAccountSidW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo
WS2_32.dll::InetNtopW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigW
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
ADVAPI32.dll::StartServiceW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments