MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 882d3aaa507d5340258272b1b39c8d603776eda51124e2c443ae8ea1edc2059b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AveMariaRAT
Vendor detections: 12

SHA256 hash: 882d3aaa507d5340258272b1b39c8d603776eda51124e2c443ae8ea1edc2059b
SHA3-384 hash: 7522d916671e60649d12de8cccb9347fe86d34a62bb971816bb6c8026efbe8af89cefc92f2eee1f84013e192d31b4464
SHA1 hash: 452a05e881a94a0a27d7c8f3258832b2813a2783
MD5 hash: c5d1844bc3c837f0b05279a9d4d9c2ad
humanhash: asparagus-oranges-bravo-kitten
File name: Sandra-Wohl-Bewerbung-Lebenslauf.exe
Signature: AveMariaRAT
File size: 101'888 bytes
First seen: 2022-10-19 02:39:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep: 1536:/7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfEwrOpJ0HWIZOl:z7DhdC6kzWypvaQ0FxyNTBfEAOpX
Threatray: 2'974 similar samples on MalwareBazaar
TLSH: T150A37E41F3E142F7EAF2053100A6766FD73662289724A8DBC74C3E529913AD1A73D3E9
TrID:
  37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 6cecccdcd4d0e8f0 (4 x AveMariaRAT, 1 x Smoke Loader, 1 x GuLoader)
Reporter: r3dbU7z
Tags: AveMariaRAT exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 255
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Sandra-Wohl-Bewerbung-Lebenslauf.exe
Verdict: Malicious activity
Analysis date: 2022-10-19 06:22:33 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox, so its result reflects the analyst's actions during the session rather than an unattended analysis of the uploaded sample alone.
Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Forced system process termination
Launching a process
Sending an HTTP GET request
Creating a file
Using the Windows Management Instrumentation requests
Modifying a system executable file
Launching cmd.exe command interpreter
Launching a tool to kill processes
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Babadeda
Detection: malicious
Classification: troj.adwa.expl
Score: 96 / 100
Signatures:
Antivirus detection for dropped file
Drops PE files to the startup folder
Drops script or batch files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Yara detected Babadeda
Behaviour
Behavior Graph (ID 725784; sample Sandra-Wohl-Bewerbung-Leben...; start date 19/10/2022; architecture WINDOWS; score 96)

Top-level signatures: Snort IDS alert for network traffic; Antivirus detection for dropped file; Yara detected Babadeda; 4 other signatures
Network: i.ibb.co (DNS); 111.90.151.174, ports 49715, 49716, 49717 (SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd, Malaysia), reached from the "13 other processes" node below

Process tree as drawn in the graph (conhost.exe is started alongside each cmd.exe and is omitted here):
  Sandra-Wohl-Bewerbung-Lebenslauf.exe
    cmd.exe  [Drops script or batch files to the startup folder; Uses cmd line tools excessively to alter registry or file data; Drops PE files to the startup folder]
      Sandra-Wohl-Bewerbung-Lebenslauf.exe (second instance)
        cmd.exe  [drops C:\Users\user\AppData\Roaming\...\part1.bat, ASCII]
          cmd.exe (x3) plus 13 other processes, each spawning further cmd.exe chains
            cmd.exe  [drops C:\Users\user\AppData\...\Ransomware.exe, PE32; Uses cmd line tools excessively to alter registry or file data]
              reg.exe (repeated across the cmd.exe chains)
            cmd.exe  [drops C:\configuration\5201.exe, PE32]
              reg.exe
Threat name: Win32.Trojan.Warzonerat
Status: Malicious
First seen: 2022-10-19 02:57:57 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 14 of 26 (53.85%)
Threat level: 5/5

Result
Malware family: warzonerat
Score: 10/10
Tags: family:eternity family:warzonerat evasion infostealer persistence ransomware rat trojan upx
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies Control Panel
Modifies registry class
NTFS ADS
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Sets desktop wallpaper using registry
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Warzone RAT payload
Eternity
Modifies Windows Defender Real-time Protection settings
Modifies security service
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
111.90.151.174:5200
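The indicators on this page (the sample hashes, the extracted C2 at 111.90.151.174:5200, the startup-folder drops, and the cmd.exe/reg.exe and taskkill activity reported by the sandboxes) translate directly into a hunt over endpoint telemetry. The following Python is an added example written for this page, not code from MalwareBazaar or any of the sandbox vendors. It runs offline over a few constructed Sysmon-style NDJSON events embedded in the block; the registry value names it checks (the Run key, DisableTaskMgr, DisableRealtimeMonitoring) and the full startup-folder path of part1.bat are the author's assumptions about what the sandboxes' generic behaviour labels and the elided report path refer to.

```python
"""Hunt endpoint telemetry for the indicators and behaviours in this entry.

Added example for this page, not MalwareBazaar or vendor code. Indicators are
copied from the entry: sample hashes and the extracted C2 111.90.151.174:5200.
The registry value names are the author's ASSUMPTION about what the generic
sandbox labels ("Adds Run key", "Disables Task Manager via registry",
"Modifies Windows Defender Real-time Protection settings") correspond to.
"""
import json
import re

# Hashes of this sample, lowercase so the comparison is case-insensitive.
SAMPLE_HASHES = {
    "sha256": "882d3aaa507d5340258272b1b39c8d603776eda51124e2c443ae8ea1edc2059b",
    "sha1": "452a05e881a94a0a27d7c8f3258832b2813a2783",
    "md5": "c5d1844bc3c837f0b05279a9d4d9c2ad",
}
# C2 from the "Malware Config" section, matched as (ip, port) so an unrelated
# connection to the same host on another port is not flagged.
C2_ENDPOINTS = {("111.90.151.174", 5200)}

# Assumed locations behind the generic behaviour labels (not from the page).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
DEFENSE_EVASION_VALUES = {
    "disabletaskmgr",             # ...\Policies\System\DisableTaskMgr
    "disablerealtimemonitoring",  # ...\Windows Defender\Real-Time Protection\...
}


def classify(event):
    """Return the list of indicator/behaviour names matched by one event."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        hashes = event.get("hashes", {})
        for algo, digest in SAMPLE_HASHES.items():
            if hashes.get(algo, "").lower() == digest:
                hits.append("known_sample_hash:" + algo)
        parent = event.get("parent_image", "").lower()
        image = event.get("image", "").lower()
        if parent.endswith("\\cmd.exe") and image.endswith("\\reg.exe"):
            hits.append("cmd_spawns_reg")      # "Uses cmd line tools ... to alter registry"
        if image.endswith("\\taskkill.exe"):
            hits.append("taskkill")             # "Kills process with taskkill"
    elif kind == "network":
        if (event.get("dst_ip"), event.get("dst_port")) in C2_ENDPOINTS:
            hits.append("c2_connection")
    elif kind == "file":
        if STARTUP_DIR_RE.search(event.get("path", "")):
            hits.append("startup_folder_drop")  # "Drops ... files to the startup folder"
    elif kind == "registry":
        path = event.get("path", "")
        if RUN_KEY_RE.search(path):
            hits.append("run_key_persistence")
        if path.rsplit("\\", 1)[-1].lower() in DEFENSE_EVASION_VALUES:
            hits.append("defense_evasion_registry")
    return hits


def hunt(ndjson_text):
    """Parse newline-delimited JSON events; return [(event_id, hits)] for matches."""
    matches = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = classify(event)
        if hits:
            matches.append((event["id"], hits))
    return matches


# CONSTRUCTED telemetry (Sysmon-style fields), not real logs. Event 5's full
# path is an assumption: the report only shows "...\part1.bat" under the
# Roaming profile and says the script was dropped to the startup folder.
SAMPLE_EVENTS = r"""
{"id": 1, "type": "process", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "hashes": {"sha256": "0000"}}
{"id": 2, "type": "process", "image": "C:\\Users\\user\\Downloads\\Sandra-Wohl-Bewerbung-Lebenslauf.exe", "parent_image": "C:\\Windows\\explorer.exe", "hashes": {"sha256": "882D3AAA507D5340258272B1B39C8D603776EDA51124E2C443AE8EA1EDC2059B", "md5": "c5d1844bc3c837f0b05279a9d4d9c2ad"}}
{"id": 3, "type": "process", "image": "C:\\Windows\\System32\\reg.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"id": 4, "type": "network", "dst_ip": "111.90.151.174", "dst_port": 5200}
{"id": 5, "type": "file", "path": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\part1.bat"}
{"id": 6, "type": "registry", "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr"}
{"id": 7, "type": "registry", "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"}
{"id": 8, "type": "network", "dst_ip": "111.90.151.174", "dst_port": 443}
"""

if __name__ == "__main__":
    for event_id, hits in hunt(SAMPLE_EVENTS):
        print(event_id, ", ".join(hits))
```

Two design points worth noting. The hash check only catches the packed dropper; once it unpacks, the child processes carry the hashes listed under "Unpacked files" below, so a real hunt should load that list too. And the C2 match is deliberately keyed on IP and port together, which is why event 8 (same host, port 443) is not reported; widen it to IP-only if the host is known to be attacker-controlled outright.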
Unpacked files

SHA256 hash: 6a0746b9522a062012cd1d8201fb3cf395bbc67e8feef1c1ec41661fb66d0424
MD5 hash: 9a9f89aa249132e1b2b8f168e0c3f670
SHA1 hash: 90a7bce3411aff43fbe5debfecf6a4a374d44a3c

SHA256 hash: 34e83cb82a3ccc8d794a76ed4aedf729e2bcac7ccb8a8e9cbcfb0a44ffb5a5d4
MD5 hash: 82a971d4bea362323b76cdc09032facd
SHA1 hash: 6cee59b1450e968e66be1d0e3e50b42c4db65129

SHA256 hash: c7f96eefd37ade5e3991acb8877977077d4dad7da01776c762c1d650588b3d3b
MD5 hash: bd7b4498f7330681c5730bdf9a2327b3
SHA1 hash: 3fd6bdefcf0c6c05eefba78232434c0fd334b100

SHA256 hash: 0f64f442674bcf1ff66c2ec718132d596ec4eb81bdd23efd2885410cb267e1f4
MD5 hash: 137b5bc44c9d0fd683039742ec8bc19a
SHA1 hash: 3363a1d9ee07df4f8c1b35f85155fd4017a403a7

SHA256 hash: afa084d15edf527f612c6fa9244d25d22f8275c727346fd87fa3849277cd2a4e
MD5 hash: 31240643c47c94ae6e6c6c72af8214b9
SHA1 hash: c949638c2e34e8f5b8afe89433acf50a0828b4c3

SHA256 hash: 750c36953066ef22703dd3345225c1256dcba7a3d34210b13ef4ef97a67c14f5
MD5 hash: 03c085a721b6f7e1ee4772d1583f6979
SHA1 hash: a46338b45370beadbd8e1f777f53335ca1692741

SHA256 hash: e68989a936205a2b94e8411e21739b70f0ea87c0bbc6f30427e5896582d164f5
MD5 hash: 9c7387cc6e0c8d6f5e83db08c9d1f26a
SHA1 hash: 41b84b21312258b022de28fc9860ec09f34349d3

SHA256 hash: 00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash: bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash: cdf7dd7dd1771edcc473037af80afd7e449e30d9

SHA256 hash: ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash: a35ee23aaab26afc575ac83df9572b57
SHA1 hash: 81ea38c694ce9702faddfb961f17c1bbf628a76d

SHA256 hash: e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash: 5cac4fe734fc8454ccb847e030beee38
SHA1 hash: 34298fe220e35f614b2c837cf1dc2604ab0882d6

SHA256 hash: 882d3aaa507d5340258272b1b39c8d603776eda51124e2c443ae8ea1edc2059b (this sample)
MD5 hash: c5d1844bc3c837f0b05279a9d4d9c2ad
SHA1 hash: 452a05e881a94a0a27d7c8f3258832b2813a2783

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: AveMariaRAT
File: Executable exe 882d3aaa507d5340258272b1b39c8d603776eda51124e2c443ae8ea1edc2059b (this sample)