MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7772e6959c773d04203373a3adcff3bc81b667726cf4f7155c9135331b21760. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7772e6959c773d04203373a3adcff3bc81b667726cf4f7155c9135331b21760
SHA3-384 hash: 0bd13dfc4a845e7cc9a658b852f53990317d310aa1950f2e4346848698938080b93b57bca97603fd8cdd11e380cf74d3
SHA1 hash: 662ebf818c49a600d122fe367b24e4d2998259e9
MD5 hash: 67402da400ada59436a91b26a1bdf358
humanhash: robert-jupiter-beryllium-cola
File name:GHK-0987654567890.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:788'660 bytes
First seen:2023-11-01 06:27:30 UTC
Last seen:2023-11-01 08:16:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f4639a0b3116c2cfc71144b88a929cfd (106 x GuLoader, 53 x Formbook, 40 x VIPKeylogger)
ssdeep 24576:RfL0hKAOj09taoR5KYEL78IVU/i9MWLT1NIQJH6Yz:dw9IhL/8z3kxJH6Yz
Threatray 12 similar samples on MalwareBazaar
TLSH T15AF42321F2908CDBC8F98B7229397A6F4EB65CA4FE44386D7BC07715A0516914B9FF02
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter abuse_ch
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
320
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457519/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1550.4456.16754.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
89%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6541eff9a6fa5eab936c7523/reports/1afd7151-472c-4a2f-8ca6-0859950bd932/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/b7772e6959c773d04203373a3adcff3bc81b667726cf4f7155c9135331b21760
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Conti
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/57a30f6d-a538-4c08-9fb4-70db7a64df6e
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335254
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1335254 Sample: GHK-0987654567890.exe Startdate: 01/11/2023 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 7 other signatures 2->45 7 GHK-0987654567890.exe 17 2->7         started        10 nwwrbbkgg.exe 2->10         started        13 nwwrbbkgg.exe 2->13         started        process3 file4 31 C:\Users\user\AppData\Local\...\physpnmmi.exe, PE32 7->31 dropped 15 physpnmmi.exe 1 2 7->15         started        47 Multi AV Scanner detection for dropped file 10->47 49 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->49 51 Maps a DLL or memory area into another process 10->51 19 nwwrbbkgg.exe 2 10->19         started        21 nwwrbbkgg.exe 2 13->21         started        23 nwwrbbkgg.exe 13->23         started        25 nwwrbbkgg.exe 13->25         started        signatures5 process6 file7 33 C:\Users\user\AppData\...\nwwrbbkgg.exe, PE32 15->33 dropped 35 Multi AV Scanner detection for dropped file 15->35 37 Maps a DLL or memory area into another process 15->37 27 physpnmmi.exe 1 3 15->27         started        29 physpnmmi.exe 15->29         started        signatures8 process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b7772e6959c773d04203373a3adcff3bc81b667726cf4f7155c9135331b21760
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b7772e6959c773d04203373a3adcff3bc81b667726cf4f7155c9135331b21760/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-10-18 11:27:12 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w53s42kzy5z5aqqdg45dvxh7hpebwztxe3hu64kvzejvgmnsc5qa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
280945c850b2ee81256b36dacdec35b2bbc147c3cba57b344cd50bf464d74f97
AveMariaRAT
579436ed344fb30bf3a831868b541e55c61c4289275821d2f14c4bc71afc930b
AveMariaRAT
5a7df187972e8ac7ffd69cfd57e9ec4490a36b915cb8beaeee8cceac12ab76c8
AveMariaRAT
925fa028b1511d9fb57e7f69efebff4c34228222af3adc11cfc45d930e9f6983
AveMariaRAT
9f6de85e6ac6ca0e2a0e1912f3d950c3765425d076e87627c9a58b033747c5af
AveMariaRAT
d566a5a84fd3148976960bd8b6c39f6a9dde3601b2f58ff81d743a9dba291249
AveMariaRAT
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/231101-g8c76abf3y/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
b7772e6959c773d04203373a3adcff3bc81b667726cf4f7155c9135331b21760
MD5 hash:
67402da400ada59436a91b26a1bdf358
SHA1 hash:
662ebf818c49a600d122fe367b24e4d2998259e9
Link:
https://www.unpac.me/results/302622eb-2143-40a0-b160-e9780885431d/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b7772e6959c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b7772e6959c773d04203373a3adcff3bc81b667726cf4f7155c9135331b21760

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe b7772e6959c773d04203373a3adcff3bc81b667726cf4f7155c9135331b21760

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/457519/

Comments