MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f6de85e6ac6ca0e2a0e1912f3d950c3765425d076e87627c9a58b033747c5af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	9f6de85e6ac6ca0e2a0e1912f3d950c3765425d076e87627c9a58b033747c5af
SHA3-384 hash:	a8c86fb7656ce1f211590197bf5292dbdf9a7acfccbe293000c4bcce7b7613b964c4d26a9a8bf9730a3d48180aea8294
SHA1 hash:	89a58723de7565bda85eebab7130c44c07fa3c95
MD5 hash:	35344d1fcd9ffa45919867c070bd338e
humanhash:	connecticut-music-blue-zebra
File name:	FADTOP098765400.exe
Download:	download sample
Signature	AveMariaRAT Alert Create hunting rule
File size:	788'617 bytes
First seen:	2023-11-01 06:27:27 UTC
Last seen:	2023-11-01 08:16:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f4639a0b3116c2cfc71144b88a929cfd (96 x GuLoader, 53 x Formbook, 37 x VIPKeylogger)
ssdeep	12288:RfL0y6hGqeyfhzX5KU6ZF2ft7qS0jo/q6vNu4fX5nbdAwWkTHo:RfL0bh7ey+Ot7Zi6LfpbdAjWo
Threatray	11 similar samples on MalwareBazaar
TLSH	T182F43354E0245543EA7213399C285E271AF6903B22F98B0A8B6C3C9C76BF799C57F343
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter	abuse_ch
Tags:	AveMariaRAT exe

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

310

Origin country :

NL

Vendor Threat Intelligence

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/457518/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.Loader.1550.7771.12663.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Dragonfly

Gathering data

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  7.5/10

Confidence:

89%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/6541eff8746262825556b6ec/reports/68cc651f-6024-4636-bc5b-b57ef52681ed/overview

Hybrid Analysis Malware

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/9f6de85e6ac6ca0e2a0e1912f3d950c3765425d076e87627c9a58b033747c5af

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Conti

Malware family:

Conti

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/789d0241-44b7-4cbb-a5e9-0baa438137f0

Joe Sandbox Remcos

Result

Threat name:

Remcos

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1335261

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Generic Dropper

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/9f6de85e6ac6ca0e2a0e1912f3d950c3765425d076e87627c9a58b033747c5af

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9f6de85e6ac6ca0e2a0e1912f3d950c3765425d076e87627c9a58b033747c5af/

ReversingLabs TitaniumCloud Win32.Trojan.FormBook

Threat name:

Win32.Trojan.FormBook

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-10-19 21:57:00 UTC

File Type:

PE (Exe)

Extracted files:

3

AV detection:

26 of 38 (68.42%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t5w6qxtky3fa4kqodejphwkqyn3fijoqo3uhmj6juwfqgn2hywxq._file

Threatray avemaria

Verdict:

malicious

Label(s):

avemaria

Alert

Create hunting rule

Similar samples:

280945c850b2ee81256b36dacdec35b2bbc147c3cba57b344cd50bf464d74f97

AveMariaRAT

579436ed344fb30bf3a831868b541e55c61c4289275821d2f14c4bc71afc930b

AveMariaRAT

5a7df187972e8ac7ffd69cfd57e9ec4490a36b915cb8beaeee8cceac12ab76c8

AveMariaRAT

925fa028b1511d9fb57e7f69efebff4c34228222af3adc11cfc45d930e9f6983

AveMariaRAT

c2eb1b14cffec35b06db95366ea2306ab8a0886c8ca14d76e6903c84ee11d04c

AveMariaRAT

d566a5a84fd3148976960bd8b6c39f6a9dde3601b2f58ff81d743a9dba291249

AveMariaRAT

+ 1 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  7/10

Tags:

persistence

Link:

https://tria.ge/reports/231101-g8cxdsbf3x/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

UnpacMe win_mofksys_auto

Unpacked files

SH256 hash:

b306a37e5e6c539f4b62740866770880335029c36ada3706485d491eb826be44

MD5 hash:

5461cf48d3152fbec33e10555ed4bcce

SHA1 hash:

b688915ffbbb467bff4eba63268372013f2f7307

Detections:

win_mofksys_auto

Alert

Create hunting rule

Link:

https://www.unpac.me/results/9ce7ffa4-6c7c-42d6-822d-1fcce057d40e/

SH256 hash:

9f6de85e6ac6ca0e2a0e1912f3d950c3765425d076e87627c9a58b033747c5af

MD5 hash:

35344d1fcd9ffa45919867c070bd338e

SHA1 hash:

89a58723de7565bda85eebab7130c44c07fa3c95

Link:

https://www.unpac.me/results/9ce7ffa4-6c7c-42d6-822d-1fcce057d40e/

VMRay Remcos

Malware family:

Remcos

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9f6de85e6ac6/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9f6de85e6ac6ca0e2a0e1912f3d950c3765425d076e87627c9a58b033747c5af

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

exe 9f6de85e6ac6ca0e2a0e1912f3d950c3765425d076e87627c9a58b033747c5af

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/457518/