MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b7b7e7ad9b106a5508583f1b60e3a3d7385bf0d6592ca816839f6633f5e8045. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b7b7e7ad9b106a5508583f1b60e3a3d7385bf0d6592ca816839f6633f5e8045
SHA3-384 hash: a3fde90ab069b0c5ae526c2c44c47b400d715bbd9c871da7f32261161067059f76794c60fc35d3ca383cb18988f797da
SHA1 hash: 1776231663c3ef9f3b16099fc18d653935c4854f
MD5 hash: 7ae416c5b51197963eb03237d2b730e6
humanhash: south-blue-wisconsin-hydrogen
File name:be79631f7d592e3a890663691c90c11c.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:103'936 bytes
First seen:2020-03-31 21:15:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 879635b629affd65258851469f9bf6f9 (31 x AveMariaRAT)
ssdeep 1536:lvqIPE8ddFD1frrq7gVxoNGPNJKF1m+xVE0/bK:cI8CxFVxAMNJKu+xVE0TK
Threatray 457 similar samples on MalwareBazaar
TLSH 55A39D2377D14439F67102B02CB97F79CABFFE380221855BD72456876B31994EA263A3
Reporter abuse_ch
Tags:AveMariaRAT exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1GnqwtuS80x5C7HfQ25hmAd4hm_kwaERD

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Maria.4.17072.22484.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Maria.3.30306.22950.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Agentb
Create hunting rule
Status:
Malicious
First seen:
2020-03-31 21:35:27 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pn5x46wzwedkkuefqpy3mdr2hvzylpynmwjmvalihh3ggp26qbcq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
21c5dfaf16a6b6fb850af64a34db2eac7263835048a6041533967de282a42caf
AveMariaRAT
4b13bb36220d46ab9fa89c4163c8ec571fe0c113af00773d0968fa51c4056bbd
AveMariaRAT
4fe45a8e07fc28eb30222f08219ca2bb8832220a97ff56333193bd422a876f0c
AveMariaRAT
62a9e0bc56c03b9ad7ff3ff1242415b95c29b10c2699a55c4d8940338e18887e
AveMariaRAT
8fbd0e656a1ee90b82591111e01fb0e8b7a3d3e711e0d5165d05a5d844b8c03f
AveMariaRAT
9cbb4a330c540c4632d8640472dafa3f204b1765ff09b15716b76de1d48ebbfc
AveMariaRAT
b5b64f85cdeb5432018e22087fce4b6dc1e56593e8416335f471d4eac1e2b8cf
AveMariaRAT
c72cde3224e01da2283065c5a94d252f528c132019eb2f2656c86a7caa1006c2
AveMariaRAT
e1457c29de4acf85b9420e78bb22d8c84e674a1bce55a9a8070bb4ef4bd883d2
AveMariaRAT
f58206c0e3f90670105f3d92f49e4f3e4dd36970697f24de762862f24ea130cf
AveMariaRAT
+ 447 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ed0771cbd1d5785eae5fdc6da1490083ef270df4b644f65f77736148fcdf224a

AveMariaRAT

Executable exe 7b7b7e7ad9b106a5508583f1b60e3a3d7385bf0d6592ca816839f6633f5e8045

(this sample)

  
Dropped by
MD5 be79631f7d592e3a890663691c90c11c
  
Dropped by
MD5 540008c989394c0c2c6fd9daadb3db84
  
Dropped by
GuLoader
  
Dropped by
SHA256 ed0771cbd1d5785eae5fdc6da1490083ef270df4b644f65f77736148fcdf224a
  
Dropped by
SHA256 243bc73127b846529817d9c04fb595d3d51f6a5fe74d8f7888cbb194b5b5f921
  
URLhaus
https://urlhaus.abuse.ch/url/333076/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
DP_APIUses DP APICRYPT32.dll::CryptUnprotectData
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::SetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::ShellExecuteExA
SHELL32.dll::ShellExecuteExW
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateRemoteThread
KERNEL32.dll::CreateProcessW
KERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
SHELL32.dll::SHCreateDirectoryExW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::LookupAccountSidW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo
WS2_32.dll::InetNtopW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigW
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
ADVAPI32.dll::StartServiceW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments