MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6bb5c773ad10d84dfbfe5d765286e1e13aed4538128084b531147a34d94b5d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 12 File information Comments

SHA256 hash:	a6bb5c773ad10d84dfbfe5d765286e1e13aed4538128084b531147a34d94b5d3
SHA3-384 hash:	236cd4d9c643275822ca17f9e21adcae5fa4ec70b6249b6c519d01fed7209858b4279e88451165d45e8e0610c0cfbbb5
SHA1 hash:	26f665f17081cf9217ab2e155daa41f67bdc009b
MD5 hash:	a835914540d636d21b4e8d4d4f951d7a
humanhash:	glucose-kansas-spaghetti-bluebird
File name:	TT-Copy_hsbcsf_00002-PDF.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	833'536 bytes
First seen:	2023-02-13 15:01:39 UTC
Last seen:	2023-02-13 16:35:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:eYIDfyMmwxVGaAOKYd/wOWukIl3QgGIwZ1lxCjzjDOGi9pjZEXkmC:ZITyMmwxVTvWPhLlif6Gi9p+Um
Threatray	2'936 similar samples on MalwareBazaar
TLSH	T19105D0276F34E867C55C47B820A35F10D2B5D65E7223A78A07B6906CBCF37C09E16A87
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	7071f0b2b2f07170 (1 x AgentTesla, 1 x AveMariaRAT)
Reporter	abuse_ch
Tags:	AveMariaRAT exe HSBC RAT

Intelligence

File Origin

# of uploads :

# of downloads :

231

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

avemaria

ID:

File name:

TT-Copy_hsbcsf_00002-PDF.exe

Verdict:

Malicious activity

Analysis date:

2023-02-13 15:09:10 UTC

Tags:

trojan stealer rat avemaria warzone

Link:

https://app.any.run/tasks/00866c0d-5675-4edb-b5ba-e455408bd2c8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/365122/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.6072.10846.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Creating a process from a recently created file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63ea50ec55a8f3b96191bd5e/reports/446ad07e-da7d-47a7-a3db-a0a878e3b20a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/a6bb5c773ad10d84dfbfe5d765286e1e13aed4538128084b531147a34d94b5d3

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AVE_MARIA

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2b01b16f-8065-4073-8ea1-99abcbe90dd4

Result

Threat name:

AveMaria

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1173643

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AveMaria stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/a6bb5c773ad10d84dfbfe5d765286e1e13aed4538128084b531147a34d94b5d3/

Threat name:

Win32.Trojan.Injuke

Status:

Malicious

First seen:

2023-02-13 15:02:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u25vy5z22egyjx574xlwkkdodyj25vctqeuaqs2tcfd2gtmuwxjq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

17db20ebfbce957562eb47a2a0db1a052df6352613d554fe707fae58b8975f81

AveMariaRAT

28899cd77a674fd8fc103e44aa12ce58b76dadcdcdecca0637c774df8dbdc61c

AveMariaRAT

2d59fe70ac77719864809b6386552a5e1c6470b496c80f36f7a8ff1ce3cf469d

AveMariaRAT

3e61ff7da9c135135af8936d7fb362a285b02c6431c8614eda55d2cce3bf3ff7

AveMariaRAT

4971385527e6ce21165b8b519928f83c20e9e32488dcb4309c3241e0721e1f85

AveMariaRAT

933aa9ff331533ee82a1d70637f87f67df0e2510799f30e0bab35bc75c0a48d0

AveMariaRAT

ebf28d6d6c383d000cb0dd42ccbc8ba44542e8bfd683168af69d6b090b642989

AveMariaRAT

fb9d0187ef58360b6877dc38f0509030b2e7d57d060deae2bb6e3233dda8f47d

AveMariaRAT

+ 2'926 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat collection infostealer rat spyware stealer

Link:

https://tria.ge/reports/230213-seflzadd7t/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

91.192.100.45:7192

Unpacked files

SH256 hash:

477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52

MD5 hash:

16a9ddc4b32981114fe4f069a4353105

SHA1 hash:

bf73849f57c150f9e2199c61427f631be2dfa595

Link:

https://www.unpac.me/results/b80d2c2f-0a92-4fe3-8476-bde353fd191a/

SH256 hash:

2b5744dbc01710bc489c85416b22c8939f9e1b28d268806ba80a0bc33ea71904

MD5 hash:

e3dfdc652c0907b23d9f182bf29d0e9f

SHA1 hash:

9f3a73dd8c1c017504a34ba280841c1eee95d69e

Detections:

Warzone

win_ave_maria_auto

win_ave_maria_g0

Link:

https://www.unpac.me/results/b80d2c2f-0a92-4fe3-8476-bde353fd191a/

SH256 hash:

2194ce94ab8471454cbf82f44cdf93f20a3e96f49384af08ebd99d264fabe57c

MD5 hash:

8940da19761d5cb16a7ef82ef25ddd63

SHA1 hash:

7f947e6ae131573fabec292d84ff865001d4339a

Link:

https://www.unpac.me/results/b80d2c2f-0a92-4fe3-8476-bde353fd191a/

SH256 hash:

41f0fcb5a786070be12f3532b6ea260ec440a0a66a50c887c27ade78770ffb30

MD5 hash:

ff1d6f3d842e6005ace5f20778d6769f

SHA1 hash:

2e957bd3e11035ec5b01405335f40c0c5ca1429d

Link:

https://www.unpac.me/results/b80d2c2f-0a92-4fe3-8476-bde353fd191a/

SH256 hash:

f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36

MD5 hash:

6c72218c48cd68cbcb654675053a0abb

SHA1 hash:

12207fa32070f99683648d87b44410e5d3cdf2de

Link:

https://www.unpac.me/results/b80d2c2f-0a92-4fe3-8476-bde353fd191a/

SH256 hash:

04c46ecfeba370024ad71a31831ccfcd02c87f17fc6453fdce0fc428152d2913

MD5 hash:

35935d4643283ec8fe73c187e35dba8e

SHA1 hash:

109e65161bd57d3a3d4df69a49ef8b3eda6dc9d1

Link:

https://www.unpac.me/results/b80d2c2f-0a92-4fe3-8476-bde353fd191a/

SH256 hash:

a6bb5c773ad10d84dfbfe5d765286e1e13aed4538128084b531147a34d94b5d3

MD5 hash:

a835914540d636d21b4e8d4d4f951d7a

SHA1 hash:

26f665f17081cf9217ab2e155daa41f67bdc009b

Link:

https://www.unpac.me/results/b80d2c2f-0a92-4fe3-8476-bde353fd191a/

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a6bb5c773ad1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a6bb5c773ad10d84dfbfe5d765286e1e13aed4538128084b531147a34d94b5d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_AveMaria_31d2bce9 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/365122/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample