MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 883108e1491ab90780fa3b43ed1580e29786287fdca5cae1a49eea6ec91d90fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



MaksRAT


Vendor detections: 10



SHA256 hash: 883108e1491ab90780fa3b43ed1580e29786287fdca5cae1a49eea6ec91d90fd
SHA3-384 hash: cf818b5b934925f2e577e01a3e814f3df0d92042c49e31147910326218fc504d3fbaea466f499b8ea0ce2a2226b038b9
SHA1 hash: 980361ae35e22412ecc460db6fa90d4b3a10cecc
MD5 hash: f95cbd8909254e547055f53768f37e22
humanhash: rugby-neptune-berlin-april
File name: MavenRAT.jar
Signature: MaksRAT
File size: 19'832 bytes
First seen: 2025-12-08 12:44:32 UTC
Last seen: Never
File type: Java file jar
MIME type: application/zip
ssdeep: 384:5vmmxbslHU0Tw0fQg3Fj6t5Os3SThJgvdqNBconCa6mYKZwMTlu0l:8mIUgjvhCWh6vIKonMCwMTo0l
TLSH: T1C892E17BADFE5580D92A27F468022099381F01F83CE59BC2C585541A24A85B9D7BD359
TrID: 77.1% (.JAR) Java Archive (13500/1/2)
      22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika: jar
Reporter: smica83
Tags: avocado-gay jar maksrat

Intelligence


File Origin
# of uploads: 1
# of downloads: 43
Origin country: HU
Vendor Threat Intelligence
No detections
Malware family: n/a
ID: 1
File name: _883108e1491ab90780fa3b43ed1580e29786287fdca5cae1a49eea6ec91d90fd.zip
Verdict: No threats detected
Analysis date: 2025-12-08 12:48:38 UTC
Tags: java

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
File Type: jar
First seen: 2025-12-07T07:16:00Z UTC
Last seen: 2025-12-09T09:42:00Z UTC
Hits: ~10
Detections: Trojan-PSW.Win32.Greedy.sb, Trojan-Dropper.Win32.Dapato.sb, Trojan.Java.SAgent.sb, HEUR:Trojan-PSW.Java.Stealer.gen, Trojan.Java.Agent.vk, Trojan.Java.Agent.vj, Trojan-PSW.Win64.Stealer.sb, Trojan-PSW.Win32.Stealer.sb, Trojan-PSW.Win32.Pycoon.sb
Result
Threat name: Discord Token Stealer, Maks Stealer
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Excessive usage of taskkill to terminate processes
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Suspicious Processes Spawned by Java.EXE
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Discord Token Stealer
Yara detected Maks Stealer
Behaviour
Behavior Graph: (rendered as an image on the original page; only the node and edge labels survived extraction, and the recoverable information is listed below)
Behavior Graph ID: 1828766
Sample: MavenRAT.jar
Startdate: 08/12/2025
Architecture: WINDOWS
Score: 100
Network nodes (DNS / IP):
  www.mavenrat.xyz (queried from the sample node)
  www.makslove.xyz (queried from the sample node; flagged "Performs DNS queries to domains with low reputation")
  4 other IPs or domains (from the sample node)
  www.foldacces.online 104.198.24.41, ports 4031, 4032, 49692, GOOGLEUS, United States (from java.exe)
  repo1.maven.org.cdn.cloudflare.net 104.18.18.12, ports 443, 49690, CLOUDFLARENETUS, United States (from java.exe)
  avocado.gay 172.67.203.124, CLOUDFLARENETUS, United States (from the java.exe launched by powershell.exe)
  127.0.0.1 unknown unknown (from the same java.exe)
Dropped files:
  C:\...\downloaded7731599870748421425.jar, Java (dropped by the first java.exe)
  sqlite-3.45.3.0-89...7a32-sqlitejdbc.dll, PE32 (dropped by the second java.exe)
  C:\Users\...\moddll8245206284107241386.dll, PE32+ (dropped by the second java.exe)
  C:\Users\...\moddll2220560299266399374.dll, PE32+ (dropped by the second java.exe)
  2 other malicious files (dropped by the second java.exe)
Process tree (as labelled in the graph):
  sample -> cmd.exe (3 instances)
  cmd.exe -> java.exe, conhost.exe
  cmd.exe -> javaw.exe, conhost.exe (twice)
  java.exe -> java.exe (second instance)
  java.exe (second instance) -> javaw.exe, cmd.exe (2 instances), 18 other processes
  javaw.exe -> powershell.exe -> java.exe, conhost.exe
  java.exe (from powershell.exe) -> conhost.exe
  cmd.exe (2 instances) -> taskkill.exe, conhost.exe
  18 other processes -> conhost.exe (3 instances), 23 other processes
Signatures attached to graph nodes:
  sample node: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 11 other signatures
  cmd.exe (first instance): Uses cmd line tools excessively to alter registry or file data
  java.exe (second instance): Uses cmd line tools excessively to alter registry or file data; Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 2 other signatures
  javaw.exe: Suspicious powershell command line found
  cmd.exe (child of second java.exe): Excessive usage of taskkill to terminate processes
  18 other processes: Uses cmd line tools excessively to alter registry or file data
Threat name: ByteCode-JAVA.Trojan.Egairtigado
Status: Malicious
First seen: 2025-12-07 01:03:14 UTC
File Type: Binary (Archive)
Extracted files: 4
AV detection: 8 of 23 (34.78%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: credential_access defense_evasion discovery execution persistence stealer
Behaviour
Enumerates system info in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments