MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 881d6c8268114fdc57d0dd11f2fc136576371043198154ba3265276a0dc32493. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 9

SHA256 hash: 881d6c8268114fdc57d0dd11f2fc136576371043198154ba3265276a0dc32493
SHA3-384 hash: df0c2ded80804bce9204fb72b08bc1073560d70ea9df3b5acf2409398c203f09cc1459ac4398daf8bc3474ab5637bcf2
SHA1 hash: 1be34ba744f706013a974a61546284f57222e29e
MD5 hash: 13d8ea42addda515eb35e885f088bf31
humanhash: monkey-diet-indigo-india
File name: Ordine rif 250777183798991180.vbs
Signature: AveMariaRAT
File size: 87'114 bytes
First seen: 2025-08-12 07:44:14 UTC
Last seen: 2025-08-19 08:47:46 UTC
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 768:YMMkMkMMkBMMkMkMMk6r5X+k4e/0AAh+XQ:YMMkMkMMkBMMkMkMMk6rAr
TLSH: T1AB836816BAEF0109B0B26F459FA361B65B2B7EB5243CC49811CD160D4FD3941D8E2BBB
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1); 33.3% (.MP3) MP3 audio (1000/1)
Magika: vba
Reporter: abuse_ch
Tags: AveMariaRAT ktc2005-com vbs

Intelligence

File Origin
Number of uploads: 5
Number of downloads: 438
Origin country: SE
Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: xtreme shell sage

Result
Threat name: AveMaria
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking mutex)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses powershell cmdlets to delay payload execution
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AveMaria stealer
Behaviour
Behavior Graph: ID 1755133, sample "Ordine rif 250777183798991180.vbs", start date 12/08/2025, architecture WINDOWS, score 100 (graph image rendered as text; only the recoverable summary is kept here).
The graph shows wscript.exe starting cmd.exe and powershell.exe chains that drop .ps1 files under C:\Users\user\AppData\Local and C:\Users\user\AppData\LocalLow, spawn MSBuild.exe (process injection target), use PING.EXE against 127.0.0.1 to sleep, and contact andrefelipedonascime1753562407700.0461178.meusitehostgator.com.br (104.18.42.56, port 443), ktc2005.com (161.248.200.150, port 443) and 23.95.62.27 on port 5050.
Verdict: inconclusive
YARA: 1 match(es)

Threat name: Script-WScript.Trojan.Heuristic
Status: Malicious
First seen: 2025-08-11 13:06:48 UTC
File Type: Text (VBS)
AV detection: 7 of 24 (29.17%)
Threat level: 2/5

Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Hide Artifacts: Ignore Process Interrupts
Indicator Removal: File Deletion
Network Share Discovery
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments