MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c30dae34afc93b726cb4fa4b1a658921a29a7de38a21ceb50c6add38fae0ce4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c30dae34afc93b726cb4fa4b1a658921a29a7de38a21ceb50c6add38fae0ce4
SHA3-384 hash: f45dad2feacb6489527b735c5151bfdc4ddcd74fb88e03d0fd2b3d4257f9ede21a8308f412df0e835c61e89ed3866866
SHA1 hash: 852515886d60cdb1171833b21a2d22e3e4120744
MD5 hash: 2f03f812c5df758e332a6978022f0820
humanhash: uniform-tennessee-coffee-carolina
File name:2f03f812c5df758e332a6978022f0820
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'306'624 bytes
First seen:2021-06-24 00:32:42 UTC
Last seen:2021-06-24 03:43:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:2lVU9t4dmJZMVpIODn/7JO8TqHEvvfp/OfLd/:2lSILDJOmvv
Threatray 52 similar samples on MalwareBazaar
TLSH 8E556CAD325072DFC867CC76CAA81C68EB90757B530BE243905325EDAA4D99BDF140F2
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2f03f812c5df758e332a6978022f0820
Verdict:
Malicious activity
Analysis date:
2021-06-24 00:35:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ce3dfa48-8865-4b25-9b38-e26a8e43e8ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46522316.28186.31084.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dad98d5c-2ade-41af-9d6f-da21860c0b6f
Result
Threat name:
WebMonitor RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
99 / 100
Link:
https://www.joesandbox.com/analysis/806990
Signature
Antivirus / Scanner detection for submitted sample
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected AntiVM3
Yara detected WebMonitor RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439399 Sample: Z2YNNlDA9o Startdate: 24/06/2021 Architecture: WINDOWS Score: 99 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Antivirus / Scanner detection for submitted sample 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 4 other signatures 2->65 7 Z2YNNlDA9o.exe 3 2->7         started        11 WebMonitor-3e67.exe 3 2->11         started        13 WebMonitor-3e67.exe 2 2->13         started        15 WebMonitor-3e67.exe 2 2->15         started        process3 file4 39 C:\Users\user\AppData\...\Z2YNNlDA9o.exe.log, ASCII 7->39 dropped 71 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->71 73 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->73 75 Contain functionality to detect virtual machines 7->75 81 3 other signatures 7->81 17 Z2YNNlDA9o.exe 2 12 7->17         started        77 Tries to detect virtualization through RDTSC time measurements 11->77 79 Injects a PE file into a foreign processes 11->79 21 WebMonitor-3e67.exe 11->21         started        23 WebMonitor-3e67.exe 13->23         started        25 WebMonitor-3e67.exe 13->25         started        27 WebMonitor-3e67.exe 15->27         started        29 WebMonitor-3e67.exe 15->29         started        signatures5 process6 dnsIp7 41 ntp.se 194.58.200.20, 123, 50714, 52124 NTP-SEAnycastedNTPservicesfromNetnodIXPsSE Sweden 17->41 43 rita398.wm01.to 45.153.186.90, 443, 49732, 49735 MVPShttpswwwmvpsnetEU Bulgaria 17->43 49 3 other IPs or domains 17->49 67 Creates autostart registry keys with suspicious names 17->67 69 Installs a global keyboard hook 17->69 31 WerFault.exe 21->31         started        35 WerFault.exe 21->35         started        45 sdns.se 23->45 47 890b388cfacba47625ad235a873718a6.se 23->47 37 WerFault.exe 27->37         started        signatures8 process9 dnsIp10 51 192.168.2.1 unknown unknown 31->51 53 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 31->55 57 Tries to evade analysis by execution special instruction which cause usermode exception 31->57 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c30dae34afc93b726cb4fa4b1a658921a29a7de38a21ceb50c6add38fae0ce4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-20 22:07:59 UTC
AV detection:
28 of 46 (60.87%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0d2cf62b947967dcece71936fe76d44d03d97f11c6ec580c67f33761a99ef708
AveMariaRAT
1167a7d5a6192107c841eee3d1292914e2ddbe6b661f2c2c41f1c1977ac97372
AveMariaRAT
25321bc3e274b62ff03c184cd1a058645d41f842ce0b368019912ada6b3f34df
AveMariaRAT
2c2b9e423c5ae9ef99565d76a6d7d4b6d5e394f523539b447a633c803e9372a3
AveMariaRAT
4a2d48d163b550561583e4e5811dc43cb67045e7a9816c30fb8fde4af8dd06d5
AveMariaRAT
8246f2b18a1592cc2a37c001e2415412f5e63d14220324ae8356981e25a4ba76
AveMariaRAT
968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413
AveMariaRAT
b4fbe906439597a3d05b94f3a7001069687e598cabc9a82e47d6c43046be10a5
AveMariaRAT
e2f7e2ca58c527be8332bcea02a3e593eda09429bb30ce5ced6ef26724388f01
AveMariaRAT
f285822ef8c947a87e556858a8332ed26edda052e597c67a7831753c376e01b4
AveMariaRAT
+ 42 additional samples on MalwareBazaar
Result
Malware family:
webmonitor
Create hunting rule
Score:
  10/10
Tags:
family:webmonitor backdoor infostealer persistence rat upx
Link:
https://tria.ge/reports/210624-w5n98xjqnn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
RevcodeRat, WebMonitorRat
Unpacked files
SH256 hash:
db7f159f12ac70a9cd7259c92e6d339653f51e6b5f5327400325d253b20c7875
MD5 hash:
0db3054496e364d8c328f5b26d46cdf5
SHA1 hash:
40aed2da4898140f15593c7cb91b427be0823219
Link:
https://www.unpac.me/results/0b62df69-6aa3-40df-89e7-edb3a015c711/
SH256 hash:
7c30dae34afc93b726cb4fa4b1a658921a29a7de38a21ceb50c6add38fae0ce4
MD5 hash:
2f03f812c5df758e332a6978022f0820
SHA1 hash:
852515886d60cdb1171833b21a2d22e3e4120744
Link:
https://www.unpac.me/results/0b62df69-6aa3-40df-89e7-edb3a015c711/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c30dae34afc93b726cb4fa4b1a658921a29a7de38a21ceb50c6add38fae0ce4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 7c30dae34afc93b726cb4fa4b1a658921a29a7de38a21ceb50c6add38fae0ce4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393046/

Comments