MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7107f4965f48165708f028a5541e4b945fb9fac1546c8a069752c2ad43065079. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7107f4965f48165708f028a5541e4b945fb9fac1546c8a069752c2ad43065079
SHA3-384 hash: bdbf72112fb31158120b3e2a5695ddf554616ba38e3779bb8d70816300abd3fd609025408b08b1305438a2468a62c777
SHA1 hash: 7da8121ccbb9637ac4a1bb91623f80ddbd637f1a
MD5 hash: fc9ab5efc029ffa2549d0f07c5d3d4fe
humanhash: fanta-timing-jersey-single
File name:fc9ab5efc029ffa2549d0f07c5d3d4fe.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'227'264 bytes
First seen:2021-02-10 12:49:49 UTC
Last seen:2021-02-10 14:33:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:A/Bixb7avnulX/r/p1tTYI10agIpxCqTg:A/Ep7a2PTdaab
Threatray 29 similar samples on MalwareBazaar
TLSH 5345D011FB60CB44C118BB3BCD42825D23F1ECD36F61E55F6EE53BEA2A325405A6E285
Reporter abuse_ch
Tags:AveMariaRAT exe RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fc9ab5efc029ffa2549d0f07c5d3d4fe.exe
Verdict:
Malicious activity
Analysis date:
2021-02-10 12:51:26 UTC
Tags:
trojan stealer rat avemaria
Link:
https://app.any.run/tasks/6c7bc500-0f4f-47d0-adc0-134634635aa9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116511/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42841.26376.19702.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Sending a UDP request
Creating a process from a recently created file
Creating a file
Creating a file in the %temp% directory
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/604455
Signature
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 351258 Sample: 16jO7if3Yv.exe Startdate: 10/02/2021 Architecture: WINDOWS Score: 72 30 Multi AV Scanner detection for dropped file 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Machine Learning detection for sample 2->34 36 Machine Learning detection for dropped file 2->36 7 16jO7if3Yv.exe 15 7 2->7         started        11 notepaaaaddsssi.exe 14 3 2->11         started        process3 file4 22 C:\Users\user\AppData\...\notepaaaaddsssi.exe, PE32 7->22 dropped 24 C:\...\notepaaaaddsssi.exe:Zone.Identifier, ASCII 7->24 dropped 26 C:\Users\user\AppData\...\16jO7if3Yv.exe.log, ASCII 7->26 dropped 38 Drops PE files to the startup folder 7->38 40 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->40 13 cmd.exe 1 7->13         started        15 notepaaaaddsssi.exe 2 7->15         started        signatures5 process6 dnsIp7 18 conhost.exe 13->18         started        20 reg.exe 1 1 13->20         started        28 192.168.2.1 unknown unknown 15->28 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7107f4965f48165708f028a5541e4b945fb9fac1546c8a069752c2ad43065079/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-09 04:13:41 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oed7jfs7jalfochqfcsvihslsrp3t6wbkrwiubuxklbk2qygkb4q._file
Verdict:
suspicious
Similar samples:
0a32bf464b79ecb571397121f359c05b1cbbc7e1af2e3bcc10d65a2ff9808bc1
AveMariaRAT
261881b9a0b2810582a67284f52bb08f2da1567353648ca01032b581345d5854
AveMariaRAT
2d5141d5ec7c57f0f6eebc72dae6152f25b24516c86bb8797a9a5dba8e447f49
AveMariaRAT
56cc437c8d3f955ae569373ed5322129298818f77bfc2d728af9473fed554509
AveMariaRAT
5bbde3f5d6db7f3be36f4f0f08c86fd412a1c6085c5be438be7f1e9e181e3683
AveMariaRAT
705d1bef79134efe898b490d096aecb9c0acbdc889fae25e8f2d88db9429001c
AveMariaRAT
7801d40fed7d2a6ec57aae8e1e5bf403e8fa0945c0bf2d5bb70722627eb8bfae
AveMariaRAT
edfb07ec10ae322bbba31f0239c009ccd95f7a1f1f07e6bf7fb1499dda801b76
AveMariaRAT
ee0b28949b01044f151f04743d49f6310a70de7339ad4936afd79b5c8a724025
AveMariaRAT
f5aa4fe1049ed94dbf22ad1427013a30762ebd9ac2a89726f9f313b087e2a4a0
AveMariaRAT
+ 19 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence ransomware rat
Link:
https://tria.ge/reports/210210-82eqrskarn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Warzone RAT Payload
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
7107f4965f48165708f028a5541e4b945fb9fac1546c8a069752c2ad43065079
MD5 hash:
fc9ab5efc029ffa2549d0f07c5d3d4fe
SHA1 hash:
7da8121ccbb9637ac4a1bb91623f80ddbd637f1a
Link:
https://www.unpac.me/results/bd38e5fa-92f6-4b4e-a4f9-7c114167ae58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7107f4965f48165708f028a5541e4b945fb9fac1546c8a069752c2ad43065079

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 7107f4965f48165708f028a5541e4b945fb9fac1546c8a069752c2ad43065079

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/116511/
  
URLhaus
https://urlhaus.abuse.ch/url/990168/
  
Delivery method
Distributed via web download

Comments