MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 649acc4a8ec45c2b3d6e217e3818db8174eb3a3bd923d8b907f6164fd42bb751. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 649acc4a8ec45c2b3d6e217e3818db8174eb3a3bd923d8b907f6164fd42bb751
SHA3-384 hash: 7a9a9b3a8954ea353e9df581fd1bee0fe66f9c3502237fb4442490bd99eec27b2a868bdac5e7dc70c1d7de2ec202fa83
SHA1 hash: 0d741335168b048e9e2501eab68f40b9f87e8442
MD5 hash: 47d7e183d9ab341eb6493543fa9d418c
humanhash: finch-lamp-angel-pluto
File name:PO'S 6102021.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:412'101 bytes
First seen:2021-10-27 05:22:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:VBlL//a6KEuusgUljpPpxgvsVEp54aQiKuoY:DpzEusdljVpxgvsqp54qrx
Threatray 2'501 similar samples on MalwareBazaar
TLSH T1F0949B2374BCD4E6F85D3CF05A2957269AB52D820234F157D26FBEE9E8B3293D1052C2
File icon (PE):PE icon
dhash icon 31b09c969698b033 (55 x AgentTesla, 27 x AveMariaRAT, 15 x Formbook)
Reporter lowmal3
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47259649.11565.31069.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6178e237db358dd15edebc6c/reports/d4534a9a-c485-4cc4-8885-211914dfbdb0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2486276b-9d47-4517-891b-e267ada66a70
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877504
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/649acc4a8ec45c2b3d6e217e3818db8174eb3a3bd923d8b907f6164fd42bb751/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2021-10-26 18:54:41 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=msnmysuoyrocwploef7dqgg3qf2owor33er5roih6yle7vblw5iq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
364aedff57905c2b2828c999f3d08db45d75854cd0beb44f3331dff02714e03c
AveMariaRAT
3fac732646ab12565cfd2dbdab89d71b26fad16db25a6143dfb11bf6da3bce26
AveMariaRAT
52e2c9a43a9de0685055f60bd590f2f893882ad710f3b7e8c451985eea69ec07
AveMariaRAT
85b125dd1a4f4b71bee8596b964c5b0d6e40c9f179fba745d0e10e2c637f7f64
AveMariaRAT
9454554ff02715a0e17bde7743b9fa2eb0795058d02c178b148d2c090396dfba
AveMariaRAT
995c82e7ea2a4f8882876f17fe0e3cacb47860744d48f250bdee6a7e9b01f0f7
AveMariaRAT
9e2a3d4464636baff78628d870f39d1a9f3ba23da71f8c50ead2576479077702
AveMariaRAT
f4d3d1d7abd51b08b3bad84d718cb3beaf9d0513422ce276ea2cc2617c3cf889
AveMariaRAT
+ 2'491 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer rat spyware stealer
Link:
https://tria.ge/reports/211027-f25hdsafh2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
192.3.53.82:1007
Unpacked files
SH256 hash:
649acc4a8ec45c2b3d6e217e3818db8174eb3a3bd923d8b907f6164fd42bb751
MD5 hash:
47d7e183d9ab341eb6493543fa9d418c
SHA1 hash:
0d741335168b048e9e2501eab68f40b9f87e8442
Link:
https://www.unpac.me/results/aeaf9161-c8d1-4169-96a4-077f09e9d198/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/649acc4a8ec4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/649acc4a8ec45c2b3d6e217e3818db8174eb3a3bd923d8b907f6164fd42bb751

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 649acc4a8ec45c2b3d6e217e3818db8174eb3a3bd923d8b907f6164fd42bb751

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments