MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a376ca2da651be706ec99682ddc8f37412b3cf8f094d23e561798a7371c158ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Riskware.Generic


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a376ca2da651be706ec99682ddc8f37412b3cf8f094d23e561798a7371c158ea
SHA3-384 hash: 56a4a168b4a9580e7085f735fd84e73035373dd8cc7a7c496d6b2e68a3303bfb42556e5f00711f679c133b9223fc5f13
SHA1 hash: ae5aff1b912a68d24ec672d875d8774944850d40
MD5 hash: ca11898dd34052a0cb5a6d2a74f552c1
humanhash: asparagus-carolina-india-twenty
File name:a376ca2da651be706ec99682ddc8f37412b3cf8f094d23e561798a7371c158ea
Download: download sample
Signature Riskware.Generic
Create hunting rule
File size:3'024'627 bytes
First seen:2020-11-13 16:15:39 UTC
Last seen:2024-07-24 19:51:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep 24576:g197AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHN:g197AAmw4gxeOw46fUbNecCCFbNecK
Threatray 4'247 similar samples on MalwareBazaar
TLSH 05E59DDA7A7E20DBCA2344B2E00F162760E8FC676701276B6777AE568487341D587B0F
Reporter seifreed
Tags:Riskware.Generic

Intelligence

File Origin
# of uploads :
2
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Cerber-6989221-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Win.Trojan.Ulise-9792178-0
Create hunting rule

Win.Trojan.Ulise-9792179-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a window
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/534309
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a376ca2da651be706ec99682ddc8f37412b3cf8f094d23e561798a7371c158ea/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-13 16:33:13 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=un3mulngkg7ha3wjs2bn3shtoqjlht4pbfgshzlbpgfhg4obldva._file
Verdict:
malicious
Similar samples:
03dfe6cedcfce8418e60ff61cd7a730c9ec52c383b2e5ccad5c67d0b1168146d
Riskware.Generic
29a8bb0d606638f82c551a30c1f986b0d2cf7ad5797edbd36ca9d7244165407f
Riskware.Generic
42840c6f2f68898fa2e8b7dc128ccc2f095b87caebb86945726e8a2c77b2a4a8
Riskware.Generic
516f5903f415000d759c5dbd52f83703646cc531decf0b4a48466f828cc7fc04
Riskware.Generic
5e97b9bb0dfe0f7bedbb583e6c98e76ad524249308021d96ed55daa56ef81c3b
Riskware.Generic
8a23a6db2c8886b0d56f69b4139ad8278b49cf2aaa19729ef3d90171d9419f7b
Riskware.Generic
afaa982e0a5e8068776c47cc5b12919f973f27850d3a0e812ad9ed9b366f0cd2
Riskware.Generic
b8fb56d3c66d2b6280cf2be3fb58de14e9103989429d78861bd712479424c4f6
Riskware.Generic
d2d0474348e3216b8fb0b673bb8455a267e647bff41b10cc8a9461e16b4766b4
Riskware.Generic
f5e621d29e3f1bc96a68b44c139e62d6e37513373faaada2a11eb5b40123c3a6
Riskware.Generic
+ 4'237 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat upx
Link:
https://tria.ge/reports/201113-flkzz2v66j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
a376ca2da651be706ec99682ddc8f37412b3cf8f094d23e561798a7371c158ea
MD5 hash:
ca11898dd34052a0cb5a6d2a74f552c1
SHA1 hash:
ae5aff1b912a68d24ec672d875d8774944850d40
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/0963d352-2ac8-408f-8a29-29c4352c9c35/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments