MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249
SHA3-384 hash: e39a345e90a8d914cc417f32339ad79e47ea6eb5963aaae5c7ab3a1f9c26e45af9b9a89ee9d99511ca027ab367360acd
SHA1 hash: 5ab5d8f5eedd6bec3c970ed1220c2d93ff9da802
MD5 hash: 5ccd86fc97c9a218f4d4deaf40474fe8
humanhash: nine-oranges-colorado-football
File name:5ccd86fc97c9a218f4d4deaf40474fe8.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'122'816 bytes
First seen:2022-03-18 11:40:16 UTC
Last seen:2022-03-18 14:32:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:B389mI12NKtXeoGwtu16bTg98qVl7s1wxNvFUtTNiHZP6iv:B3EmI1CKl2wtAl9mwWtcyu
Threatray 1'792 similar samples on MalwareBazaar
TLSH T170351299BF344627E16E57F2909306C09BB0F2552006D79EEE82B4ED1D9B7C44E9F223
Reporter abuse_ch
Tags:AveMariaRAT exe RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/252553/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.26954.7433.27052.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger obfuscated packed replace.exe shell32.dll
Link:
https://www.filescan.io/uploads/62346fbb0cd58dbd92b6278f/reports/47dc682d-c489-4595-9b81-0bd8afa91276/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/806a4188-eb41-4d5f-8f24-c61f5b5f1efe
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/959477
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 591958 Sample: xHcqSleCzN.exe Startdate: 18/03/2022 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 13 other signatures 2->39 7 xHcqSleCzN.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\PJyjqaDnYyPE.exe, PE32 7->23 dropped 25 C:\Users\...\PJyjqaDnYyPE.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp16B5.tmp, XML 7->27 dropped 29 C:\Users\user\AppData\...\xHcqSleCzN.exe.log, ASCII 7->29 dropped 41 Uses schtasks.exe or at.exe to add and modify task schedules 7->41 43 Adds a directory exclusion to Windows Defender 7->43 45 Injects a PE file into a foreign processes 7->45 11 xHcqSleCzN.exe 3 4 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 146.70.76.43, 43206, 49776 TENET-1ZA United Kingdom 11->31 47 Tries to steal Mail credentials (via file / registry access) 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 51 Increases the number of concurrent connection per server for Internet Explorer 11->51 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->53 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-18 01:35:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
171ff6b3d368a4c40980281ba104d126a2afc86a143bd9c510c3ba6ce5235ddc
AveMariaRAT
a06df43cf78f226603a42ee45c6c676ecc9f5a6c978d3b3e18b364b116ba20fc
AveMariaRAT
a306a3946f4b31aa9c89320318bd2060a71077850d735ec94fe1cef950d0d9d3
AveMariaRAT
aaeea2518247c61576d04a680a02693dbb21cff050af2d3049f0c0636cbc478b
AveMariaRAT
b670e88aaa879c857f3afa2ef2474b1b75659e23f13a3bde679290b6dca13e30
AveMariaRAT
f8221d4ffae4d38465210c76fd7705734eb37ced44b1caffc3d65618515f2204
AveMariaRAT
+ 1'782 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/220318-nte7jahgdr/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Warzonerat
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
146.70.76.43:43206
Unpacked files
SH256 hash:
9293e00146d4d630d51beae7fb5f8a98db891418e479e69fe0f188d8f384d5fa
MD5 hash:
9788e8be3f8b1846ae268df40cc663eb
SHA1 hash:
c83aa1ae355e57c5e2da3c49bf730082d65ef7b8
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/e352808b-b0ad-466b-8dfb-f52e0a53543e/
Parent samples :
a06df43cf78f226603a42ee45c6c676ecc9f5a6c978d3b3e18b364b116ba20fc
a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/e352808b-b0ad-466b-8dfb-f52e0a53543e/
SH256 hash:
6ff21c090296e9fd3ec2b17e03e184e2396adf4013b2a4f4c9dea5bd7aff38f7
MD5 hash:
7c3fb3e3d91e338ae917c4cb46895e71
SHA1 hash:
ba577b8ccb3c6bbc5e9e3a838aec98859cd4dbaa
Link:
https://www.unpac.me/results/e352808b-b0ad-466b-8dfb-f52e0a53543e/
SH256 hash:
c7173db4bb7bad27b893fe313f91dc3d5e7fa41135cc10a6c109bfec299664df
MD5 hash:
a8d923b1b0d3a6532a6c6727abd870a4
SHA1 hash:
a2be3a02876bbe342065e4789827b5846b21b2c9
Link:
https://www.unpac.me/results/e352808b-b0ad-466b-8dfb-f52e0a53543e/
SH256 hash:
5fa1c93a144062a55a2c031f0b58548a9579c209378ddf6bbb87bb56718a4d6d
MD5 hash:
5a2d78b2c4358d7cdbc92f0dfe237cd8
SHA1 hash:
3ab5e55c7565a1c8f86ad8a88ad216f0f25e79a2
Link:
https://www.unpac.me/results/e352808b-b0ad-466b-8dfb-f52e0a53543e/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/e352808b-b0ad-466b-8dfb-f52e0a53543e/
SH256 hash:
a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249
MD5 hash:
5ccd86fc97c9a218f4d4deaf40474fe8
SHA1 hash:
5ab5d8f5eedd6bec3c970ed1220c2d93ff9da802
Link:
https://www.unpac.me/results/e352808b-b0ad-466b-8dfb-f52e0a53543e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a33967b25289/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2103672/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/252553/

Comments