MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d1f73dc28e7c2ae89a87fb4178a025f06466530de42f2de2015538f06866f60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d1f73dc28e7c2ae89a87fb4178a025f06466530de42f2de2015538f06866f60
SHA3-384 hash: e40bbae47fdee9106d1c08e03e433dba95fa40328f92ce9698725e06ea9e41ae66b3b9f2675c31aed2d4a215aff1e279
SHA1 hash: 625b4f7bc54d2c1ebc95adb9ced8e0e055f597df
MD5 hash: 9dd3314e46c696e99b607b6d36a94e41
humanhash: missouri-colorado-orange-iowa
File name:9dd3314e46c696e99b607b6d36a94e41.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:833'536 bytes
First seen:2021-09-11 09:43:47 UTC
Last seen:2021-09-11 11:16:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:vLhLpXk+b6umJBDAJeqtgpwhLJ/T0HurldF:vLhLfqBDAfgp+TN
Threatray 1'551 similar samples on MalwareBazaar
TLSH T1C7059D0077FC8F29E5EF2B39E0745A0497F9F817A6BAD79E1804E5AA1C9374089113B3
dhash icon 9e656565e5a5a585 (2 x AveMariaRAT, 2 x Matiex)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9dd3314e46c696e99b607b6d36a94e41.exe
Verdict:
Malicious activity
Analysis date:
2021-09-11 09:45:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/75ab3a7b-ae95-4179-95fa-ede02dde4116

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187038/
Detection(s):
SecuriteInfo.com.Variant.Bulz.702397.32505.14539.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50ed30e7-c6a0-4ccc-aea4-31faea6de07d
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849125
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses powershell Test-Connection to delay payload execution;
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 481552 Sample: xO0vC5DmLB.exe Startdate: 11/09/2021 Architecture: WINDOWS Score: 100 84 byx.z86.ru 2->84 86 google.com 2->86 118 Multi AV Scanner detection for domain / URL 2->118 120 Found malware configuration 2->120 122 Malicious sample detected (through community Yara rule) 2->122 124 9 other signatures 2->124 11 xO0vC5DmLB.exe 6 2->11         started        signatures3 process4 file5 74 C:\Users\user\AppData\...\xO0vC5DmLB.exe, PE32 11->74 dropped 76 C:\Users\...\xO0vC5DmLB.exe:Zone.Identifier, ASCII 11->76 dropped 78 C:\Users\user\AppData\...\xO0vC5DmLB.exe.log, ASCII 11->78 dropped 134 Writes to foreign memory regions 11->134 136 Uses powershell Test-Connection to delay payload execution; 11->136 138 Injects a PE file into a foreign processes 11->138 15 xO0vC5DmLB.exe 11->15         started        19 powershell.exe 18 11->19         started        22 powershell.exe 18 11->22         started        24 3 other processes 11->24 signatures6 process7 dnsIp8 80 C:\ProgramData\svchost.exe, PE32 15->80 dropped 82 C:\ProgramData\svchost.exe:Zone.Identifier, ASCII 15->82 dropped 110 Multi AV Scanner detection for dropped file 15->110 112 Machine Learning detection for dropped file 15->112 114 Changes memory attributes in foreign processes to executable or writable 15->114 116 9 other signatures 15->116 26 svchost.exe 15->26         started        30 cmd.exe 15->30         started        32 explorer.exe 15->32 injected 88 google.com 19->88 34 conhost.exe 19->34         started        90 google.com 22->90 36 conhost.exe 22->36         started        92 google.com 24->92 94 google.com 24->94 96 google.com 24->96 38 conhost.exe 24->38         started        40 conhost.exe 24->40         started        42 conhost.exe 24->42         started        file9 signatures10 process11 file12 72 C:\Users\user\AppData\Local\...\svchost.exe, PE32 26->72 dropped 126 Multi AV Scanner detection for dropped file 26->126 128 Machine Learning detection for dropped file 26->128 130 Writes to foreign memory regions 26->130 132 3 other signatures 26->132 44 svchost.exe 26->44         started        48 powershell.exe 26->48         started        50 powershell.exe 26->50         started        56 3 other processes 26->56 52 reg.exe 30->52         started        54 conhost.exe 30->54         started        signatures13 process14 dnsIp15 98 byx.z86.ru 146.59.132.186, 49775, 49776, 49777 OVHFR Norway 44->98 140 System process connects to network (likely due to code injection or exploit) 44->140 142 Multi AV Scanner detection for dropped file 44->142 144 Machine Learning detection for dropped file 44->144 148 4 other signatures 44->148 58 cmd.exe 44->58         started        100 google.com 48->100 60 conhost.exe 48->60         started        102 google.com 50->102 62 conhost.exe 50->62         started        146 Creates an undocumented autostart registry key 52->146 104 192.168.2.1 unknown unknown 56->104 106 google.com 56->106 108 2 other IPs or domains 56->108 64 conhost.exe 56->64         started        66 conhost.exe 56->66         started        68 conhost.exe 56->68         started        signatures16 process17 process18 70 conhost.exe 58->70         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d1f73dc28e7c2ae89a87fb4178a025f06466530de42f2de2015538f06866f60/
Threat name:
ByteCode-MSIL.Infostealer.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 09:44:08 UTC
AV detection:
12 of 39 (30.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tupxhxbi47bk5cnip62bpcqcl4demzjq3zbpfxracvjy6bugn5qa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
038468b4bce04705f5f08025f029ca8f327540d31f8f373892248b42750f5a00
AveMariaRAT
0741c36ad10f51f858eefc2e2f0879c9ef1ae90af61d766bd50ebcc67f4d5579
AveMariaRAT
411a7c0f381354be120c25158756008260b2ba2f3b2a83e4a514602ab09edbea
AveMariaRAT
52e2c9a43a9de0685055f60bd590f2f893882ad710f3b7e8c451985eea69ec07
AveMariaRAT
53f3667f28ccf0d21ba05eb659a6138ae1a6bc24348d2750f16261bb5b6b2121
AveMariaRAT
885e34ff7befbdcdb027a017843cbacdba7eebb34d3df2e3113cceb9adafe8b5
AveMariaRAT
9afde20b8b5405b0326cda263fc40b620730eef2076f51aaf959b2157f5f94e8
AveMariaRAT
9e2a3d4464636baff78628d870f39d1a9f3ba23da71f8c50ead2576479077702
AveMariaRAT
ed2bb22bb3dd5725d0be4c93f3ee6bb3b0424db9a38e11a825eac6a8862d0241
AveMariaRAT
+ 1'541 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/210911-lqhgdaechr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
byx.z86.ru:5200
Unpacked files
SH256 hash:
06c90347210469f9ae3fb48392096ea7ca57768cf9c17db64ca6e9ef117b9f21
MD5 hash:
743f0cf1381979957b620adbde9c0355
SHA1 hash:
1a2cbd90f249ec95f4d24756dc8a5e4759bb91e4
Link:
https://www.unpac.me/results/9a0dfab5-77d7-4f91-b4b6-20ac44ec6463/
SH256 hash:
986ee8480ccf76b4477946c0e0368920c2f743ad6045d3b91dd0145dbe64d92c
MD5 hash:
b9f16a6d1abba0ee42394e259953f503
SHA1 hash:
c354826522bc99a8d80ee0610056380ab1a415bf
Link:
https://www.unpac.me/results/9a0dfab5-77d7-4f91-b4b6-20ac44ec6463/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/9a0dfab5-77d7-4f91-b4b6-20ac44ec6463/
SH256 hash:
25e3038220d949ac560a70880006ad262718b99ee87bed5c79dbd7dabe40970c
MD5 hash:
efcc82f3c098b87dfa165b7eee7be58b
SHA1 hash:
ad2715627ecdc2d66f6937c4b3775bb13c86d234
Link:
https://www.unpac.me/results/9a0dfab5-77d7-4f91-b4b6-20ac44ec6463/
SH256 hash:
92e20805794a9aea58706634f71737746a956cabbcb742fd80ad7aa3f24ad034
MD5 hash:
f8ad66ec98586243dd0c978027dc156a
SHA1 hash:
42a1f6a90826ecd9f3af370ab63917547190347b
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/9a0dfab5-77d7-4f91-b4b6-20ac44ec6463/
Parent samples :
9e2a3d4464636baff78628d870f39d1a9f3ba23da71f8c50ead2576479077702
52e2c9a43a9de0685055f60bd590f2f893882ad710f3b7e8c451985eea69ec07
c3eda1ec3ed1ef66e2aa1492f07a8f4ff3a5868e20dc344c3dfb1d90eec46fb2
9d1f73dc28e7c2ae89a87fb4178a025f06466530de42f2de2015538f06866f60
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/9a0dfab5-77d7-4f91-b4b6-20ac44ec6463/
SH256 hash:
9d1f73dc28e7c2ae89a87fb4178a025f06466530de42f2de2015538f06866f60
MD5 hash:
9dd3314e46c696e99b607b6d36a94e41
SHA1 hash:
625b4f7bc54d2c1ebc95adb9ced8e0e055f597df
Link:
https://www.unpac.me/results/9a0dfab5-77d7-4f91-b4b6-20ac44ec6463/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9d1f73dc28e7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d1f73dc28e7c2ae89a87fb4178a025f06466530de42f2de2015538f06866f60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 9d1f73dc28e7c2ae89a87fb4178a025f06466530de42f2de2015538f06866f60

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1484991/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/187038/

Comments