MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a06df43cf78f226603a42ee45c6c676ecc9f5a6c978d3b3e18b364b116ba20fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a06df43cf78f226603a42ee45c6c676ecc9f5a6c978d3b3e18b364b116ba20fc
SHA3-384 hash: fd1a7ed271345d29978cd12e03cda9211ae7f34601e57428963343404e06344889f74dd6527fc387b739096fb1ea83c5
SHA1 hash: b1ee3f6321eedb3e50a8e079bbe1fb98e41ad83d
MD5 hash: afbc94741871347de421f6166510e144
humanhash: echo-glucose-lion-autumn
File name:vbc1.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'036'288 bytes
First seen:2022-03-17 16:16:48 UTC
Last seen:2022-03-17 18:00:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:owODzu6ar9fw2maEoZ7OWwfmSTzZ+KhYk15IcZ4vkZVR:ofG6a62mVU7zwfmJ4usnV
Threatray 1'856 similar samples on MalwareBazaar
TLSH T1DD2523FD22644A37CF7D4537E94580E61F72E667621EFF03398D28EA908B39829452D3
Reporter James_inthe_box
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vbc1.exe
Verdict:
Malicious activity
Analysis date:
2022-03-17 16:11:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b975e752-5496-4257-a68e-af3b8fd791d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RDPWrap
Create hunting rule
Link:
https://www.capesandbox.com/analysis/252006/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1253.20242.16930.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62335f030cd58dbd92af98b0/reports/2d0cd1b0-78ed-4802-943e-21c5c705f2fd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b269b4ed-f326-445b-a0dd-eed446b6d310
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/958915
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 591394 Sample: vbc1.exe Startdate: 17/03/2022 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 9 other signatures 2->39 7 vbc1.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\glWvsloL.exe, PE32 7->23 dropped 25 C:\Users\...\glWvsloL.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmpC1A3.tmp, XML 7->27 dropped 29 C:\Users\user\AppData\Local\...\vbc1.exe.log, ASCII 7->29 dropped 41 Uses schtasks.exe or at.exe to add and modify task schedules 7->41 43 Adds a directory exclusion to Windows Defender 7->43 45 Injects a PE file into a foreign processes 7->45 11 vbc1.exe 3 4 7->11         started        15 powershell.exe 24 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 146.70.76.43, 43206, 49784 TENET-1ZA United Kingdom 11->31 47 Tries to steal Mail credentials (via file / registry access) 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 51 Increases the number of concurrent connection per server for Internet Explorer 11->51 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->53 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a06df43cf78f226603a42ee45c6c676ecc9f5a6c978d3b3e18b364b116ba20fc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-16 20:39:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 40 (60.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
8b9e7e5d218817683f481d4a20b638e64bf3c7d11d5ed1b546330f6aed2862dd
AveMariaRAT
a598b3824495f56c447a88ccfdc805f077370ae2255a999cf00464da1d53d9a0
AveMariaRAT
aaeea2518247c61576d04a680a02693dbb21cff050af2d3049f0c0636cbc478b
AveMariaRAT
c0a6b562ce71149c052ed504556f0e4c8dbe2d075aef54299e548ed33f88a3c9
AveMariaRAT
e8eb2ef1dfc772ab67f71b48da8a1979b32c6a82c7d60b6990b2b54fba99cb0b
AveMariaRAT
ff65d1fcc1f8c3b2a6c436ce6cf22de01b5b7675511023f1f3924e2adec0d57e
AveMariaRAT
+ 1'846 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/220317-trcxaacgcj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Warzonerat
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
146.70.76.43:43206
Unpacked files
SH256 hash:
30c43127555fc58fcd5c965fe2e90158d08812422560d31c97b850be57a9f91d
MD5 hash:
a382e41ff78f4a9763a239c14e42b71f
SHA1 hash:
d6181ea5c34750f109f466e40c8b71f58c9a647a
Link:
https://www.unpac.me/results/3917ea97-f821-441c-8287-4c8d2b90ec00/
SH256 hash:
1775c2f6b5960318c7b71018e5daad8f543da89b9b1616dad0a392b67938fb8a
MD5 hash:
6990bb007af28cec3c06bb75504e5c3a
SHA1 hash:
d01ef08f3b722f420041744778b700ac45fd94be
Link:
https://www.unpac.me/results/3917ea97-f821-441c-8287-4c8d2b90ec00/
SH256 hash:
9293e00146d4d630d51beae7fb5f8a98db891418e479e69fe0f188d8f384d5fa
MD5 hash:
9788e8be3f8b1846ae268df40cc663eb
SHA1 hash:
c83aa1ae355e57c5e2da3c49bf730082d65ef7b8
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/3917ea97-f821-441c-8287-4c8d2b90ec00/
Parent samples :
a06df43cf78f226603a42ee45c6c676ecc9f5a6c978d3b3e18b364b116ba20fc
a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/3917ea97-f821-441c-8287-4c8d2b90ec00/
SH256 hash:
4ffb59b76867dc3ee5df8b1476a82043c8bbfa9679aa90a2e4b937292b3722b8
MD5 hash:
fc6d91ff314356715f5c76ba61240c9f
SHA1 hash:
aac8291f9af1c2e18b8302550ee4d1c96120949a
Link:
https://www.unpac.me/results/3917ea97-f821-441c-8287-4c8d2b90ec00/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/3917ea97-f821-441c-8287-4c8d2b90ec00/
SH256 hash:
a06df43cf78f226603a42ee45c6c676ecc9f5a6c978d3b3e18b364b116ba20fc
MD5 hash:
afbc94741871347de421f6166510e144
SHA1 hash:
b1ee3f6321eedb3e50a8e079bbe1fb98e41ad83d
Link:
https://www.unpac.me/results/3917ea97-f821-441c-8287-4c8d2b90ec00/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a06df43cf78f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a06df43cf78f226603a42ee45c6c676ecc9f5a6c978d3b3e18b364b116ba20fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/252006/
  
URLhaus
https://urlhaus.abuse.ch/url/2103674/

Comments