MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d71ee189111bc08ce384a02a16be8594ccd91c8ef5c0d1dde1ce2ef97ffdb5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 10



SHA256 hash: 9d71ee189111bc08ce384a02a16be8594ccd91c8ef5c0d1dde1ce2ef97ffdb5c
SHA3-384 hash: f48276fead2b9442552a91b917d2335ff3d770dfde18f9640fb10338dba1eb43c2a582e25fc055448ea9e9e00eb74b8d
SHA1 hash: d154122b1b3bf9e5f4a651dd419ef32146641452
MD5 hash: 65ab45a78dc696699f075f57269fc55e
humanhash: cup-sierra-lithium-cardinal
File name: ORDERS4500215527.exe
Signature: AveMariaRAT
File size: 705'536 bytes
First seen: 2023-05-17 19:37:25 UTC
Last seen: 2023-05-18 11:48:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'604 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:ZNZUq1LbcAhYKq0bs61BUdfsnhviCrP62CaKyu:iBR30jPdKCrPcaK
Threatray: 1'403 similar samples on MalwareBazaar
TLSH: T1ACE4E01426C7E61AC519C7FD84D2F2B003BABE876072C6470BC5BDDBB786BE94650287
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: TeamDreier
Tags: AveMariaRAT exe

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 283
Origin country: DK
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: ORDERS4500215527.exe
Verdict: No threats detected
Analysis date: 2023-05-17 19:39:11 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Behaviour:
  Creating a window
  Sending a custom TCP request
  Searching for synchronization primitives
  Launching the default Windows debugger (dwwin.exe)
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys comodo lokibot packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 60 / 100
Signatures:
  .NET source code contains method to dynamically call methods (often used by packers)
  Initial sample is a PE file and has a suspicious name
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file

Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-05-17 17:42:58 UTC
File Type: PE (.Net Exe)
Extracted files: 18
AV detection: 20 of 35 (57.14%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Suspicious use of WriteProcessMemory
  Program crash

Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Signature: AveMariaRAT
  File type: Executable exe
  SHA256: 9d71ee189111bc08ce384a02a16be8594ccd91c8ef5c0d1dde1ce2ef97ffdb5c (this sample)
  Delivery method: Distributed via e-mail attachment
