MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79601a75c32e16d53ab852a8da821c1c4ea6b3996083df587b971841e51f774b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79601a75c32e16d53ab852a8da821c1c4ea6b3996083df587b971841e51f774b
SHA3-384 hash: 45f251cbd37847732c5c7bb5050ababd2b09bf37883f311017ef7fb9c73c17250f1472b70ec694e56e03995fc95e57e9
SHA1 hash: 91e4d6fc84d0368e53d4684d1ec0096d2ca8ab2b
MD5 hash: c24f4bb1f6d5197d78ff74428a077bff
humanhash: hamper-cardinal-oranges-kitten
File name:c24f4bb1f6d5197d78ff74428a077bff.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'464'320 bytes
First seen:2022-01-31 12:17:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a77b62e7744be75f9ed37f206579d5d4 (1 x AveMariaRAT)
ssdeep 12288:OYOdvUZwkqmg5TabQyTydNNAF4B0laYpB:O8E52
Threatray 3'043 similar samples on MalwareBazaar
TLSH T16D654B64A3A11115E997A7BF72B08B90C4BE3C405D6D97CF4E464AC6CA2E3F079086F7
Reporter abuse_ch
Tags:AveMariaRAT exe RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c24f4bb1f6d5197d78ff74428a077bff.exe
Verdict:
Malicious activity
Analysis date:
2022-01-31 12:57:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6b4967fe-0fea-47ab-9ecc-7ac5b4f2564d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RDPWrap
Create hunting rule
Link:
https://www.capesandbox.com/analysis/228421/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Launching a process
Creating a process with a hidden window
Creating a file
Running batch commands
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit greyware shell32.dll
Link:
https://www.filescan.io/uploads/61f7d37ed9e6538232d75ab2/reports/f6636257-12ac-468f-bf4d-363240920b61/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/31200e6b-62f4-4a09-a581-983cf9ffb5c0
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930820
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79601a75c32e16d53ab852a8da821c1c4ea6b3996083df587b971841e51f774b/
Threat name:
Win32.Trojan.TrickbotCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 12:18:11 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
30b140a507278c68eb8a2107840d6ef7863f75d6ede142b33c3794c88cb4f26a
AveMariaRAT
52e2c9a43a9de0685055f60bd590f2f893882ad710f3b7e8c451985eea69ec07
AveMariaRAT
9e2a3d4464636baff78628d870f39d1a9f3ba23da71f8c50ead2576479077702
AveMariaRAT
d4ab1b2e0d1a1a389c3e8f40237b7f7b40ba798468e2d73abe416b927bbe8f13
AveMariaRAT
d9740755673a2b1025f0a9ea9a579657b0d22d7c00a049d113f84326d37b66bb
AveMariaRAT
edc0a4121333b0deffc1aa3d550f8a81201d9c74ec923307f582fbc8f0233778
AveMariaRAT
+ 3'033 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/220131-pf2n2shfh8/
Behaviour
Modifies data under HKEY_USERS
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops startup file
Loads dropped DLL
Executes dropped EXE
Sets service image path in registry
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
108.62.141.204:5400
Unpacked files
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/e59f6d22-d627-4f68-9255-16642db35adf/
SH256 hash:
c6d3f10d425ac44974532e7de981ce2a9e0f59fbf23f4fa340f3ebcb2142fc9b
MD5 hash:
e86de9953e65ef28789ae90ec5975d1b
SHA1 hash:
6fda789b4a5198a3b18783dc5b57f32aaed80856
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/e59f6d22-d627-4f68-9255-16642db35adf/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/e59f6d22-d627-4f68-9255-16642db35adf/
SH256 hash:
79601a75c32e16d53ab852a8da821c1c4ea6b3996083df587b971841e51f774b
MD5 hash:
c24f4bb1f6d5197d78ff74428a077bff
SHA1 hash:
91e4d6fc84d0368e53d4684d1ec0096d2ca8ab2b
Link:
https://www.unpac.me/results/e59f6d22-d627-4f68-9255-16642db35adf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79601a75c32e16d53ab852a8da821c1c4ea6b3996083df587b971841e51f774b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 79601a75c32e16d53ab852a8da821c1c4ea6b3996083df587b971841e51f774b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2007399/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/228421/

Comments