MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7ef9f5137720932895dbc0e1231e71451eace1e82f2baac3e208c969ec1e966. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7ef9f5137720932895dbc0e1231e71451eace1e82f2baac3e208c969ec1e966
SHA3-384 hash: c11e5d4af5a7c80a1881af87cf4eb91766963e3f82ea6197839332291ff63b8287df8aa62ec005e6b90365fa56fa9ff6
SHA1 hash: ad06b3b5025b8dc5bfbfbe01de15ea2d7898c64c
MD5 hash: a24fc1476d5da0d06ebcb6924a02bb18
humanhash: uranus-queen-august-steak
File name:a24fc1476d5da0d06ebcb6924a02bb18.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'111'040 bytes
First seen:2021-06-03 16:56:23 UTC
Last seen:2021-06-03 17:51:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'832 x AgentTesla, 19'769 x Formbook, 12'296 x SnakeKeylogger)
ssdeep 24576:7tujR144jWgSCFEBNk8AMgPEmRol6NCErJYj:8jMSZl8AB1+CCj
Threatray 3'226 similar samples on MalwareBazaar
TLSH C635E02AB7917A9AC1090F3AC867098493F190477373F76FB8F537D40E2562A672F606
Reporter abuse_ch
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6031a48b46df7f0f0902658301276bd0f5f0cb61f0a5c07bd28d7a6805f0c5fa.zip
Verdict:
Malicious activity
Analysis date:
2021-06-03 16:25:29 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader rat remcos trojan
Link:
https://app.any.run/tasks/f591228c-77ec-4555-99c1-7b86f9285bd5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164478/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Creating a file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Sending a UDP request
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Sending an HTTP GET request
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Connection attempt to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Imminent Nanocore Remcos AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796868
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Contains functionality to steal Firefox passwords or cookies
Detected Imminent RAT
Detected Nanocore Rat
Detected Remcos RAT
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AveMaria stealer
Yara detected Imminent
Yara detected Nanocore RAT
Yara detected Remcos RAT
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 429264 Sample: 68Aj4oxPok.exe Startdate: 03/06/2021 Architecture: WINDOWS Score: 100 58 multipleentry90dayscontroller.homingbeacon.net 2->58 72 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 25 other signatures 2->78 9 68Aj4oxPok.exe 15 14 2->9         started        signatures3 process4 file5 50 C:\Windows\firefox\Outlook w.exe, PE32 9->50 dropped 52 C:\Users\user\AppData\...\firefoxxx.exe, PE32 9->52 dropped 54 C:\Users\user\AppData\Local\...\skype n.exe, PE32 9->54 dropped 56 3 other malicious files 9->56 dropped 84 Drops executables to the windows directory (C:\Windows) and starts them 9->84 86 Drops PE files to the startup folder 9->86 88 Drops executable to a common third party application directory 9->88 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->90 13 firefox.exe 1 2 9->13         started        17 firefoxxx.exe 14 5 9->17         started        20 Outlook w.exe 3 4 9->20         started        22 skype n.exe 9 9->22         started        signatures6 process7 dnsIp8 66 bressonseencrounder.mangospot.net 194.5.98.144, 1894, 1984, 49725 DANILENKODE Netherlands 13->66 92 Antivirus detection for dropped file 13->92 94 Machine Learning detection for dropped file 13->94 96 Contains functionality to detect virtual machines (IN, VMware) 13->96 106 4 other signatures 13->106 46 C:\Users\user\AppData\...\firefoxxxx.exe, PE32 17->46 dropped 98 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->98 100 Injects a PE file into a foreign processes 17->100 24 firefoxxx.exe 17->24         started        28 firefoxxxx.exe 17->28         started        30 firefoxxxx.exe 17->30         started        32 6 other processes 17->32 68 seencroundercontroller.webredirect.org 20->68 102 Increases the number of concurrent connection per server for Internet Explorer 20->102 104 Installs a global keyboard hook 20->104 70 multipleentry90dayscontroller.homingbeacon.net 22->70 48 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 22->48 dropped file9 signatures10 process11 dnsIp12 60 safeduringthecoronavirus.duckdns.org 24->60 62 www.iptrackeronline.com 104.26.0.222, 443, 49742, 49743 CLOUDFLARENETUS United States 24->62 64 192.168.2.1 unknown unknown 24->64 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->80 82 Multi AV Scanner detection for dropped file 28->82 34 firefoxxxx.exe 28->34         started        36 firefoxxxx.exe 30->36         started        38 firefoxxxx.exe 32->38         started        40 firefoxxxx.exe 32->40         started        42 firefoxxxx.exe 32->42         started        44 2 other processes 32->44 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b7ef9f5137720932895dbc0e1231e71451eace1e82f2baac3e208c969ec1e966/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 16:57:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
168
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
avemaria
Create hunting rule
nanocorerat
Create hunting rule
Similar samples:
0cbbdd2c9615f4d2de4e0232ace6b69889a54538444838ac6616a5aa39109c98
AveMariaRAT
0dc8b267631d1894fbc6644468e5a9d9b9543257e0a85c271af230c757831496
AveMariaRAT
2df55ccbab067e73a2fa36685a48b14d0897f845b7ff25abd75f609fd0dbe415
AveMariaRAT
418b4dcbffc1a5a307147cccf7476293945dd18a12ae9c00ef2b942884a8427a
AveMariaRAT
4471de15ce9e9b3bee5bc77b26e67fe91b6be5e51d7ef8e174b30a6c3e32e43a
AveMariaRAT
55f6e402d458c2d35fca88a85bc8891d997730198cdfea1313bb66c3107394aa
AveMariaRAT
5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4
AveMariaRAT
5e106d7b95627d982862e8d97f9b057632427008df0b994cd4b99e17c41a4c26
AveMariaRAT
7a388ead62a8f818b36c9c9a1938c2172c4fa05edfc71307980131c53c69d054
AveMariaRAT
cac57f9210fa4d8fb970249750db6886d99f31e503cdeb6e4641bf1c0055afe7
AveMariaRAT
+ 3'216 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:imminent family:nanocore family:remcos family:warzonerat botnet:hostuniversal agilenet evasion infostealer keylogger rat spyware stealer trojan
Link:
https://tria.ge/reports/210603-n4l7xmzdg6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Warzone RAT Payload
Imminent RAT
NanoCore
Remcos
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
bressonseencrounder.mangospot.net:1984
seencroundercontroller.webredirect.org:1894
multipleentry90dayscontroller.homingbeacon.net:54980
universalchampionis.zapto.org:54980
Unpacked files
SH256 hash:
b7ef9f5137720932895dbc0e1231e71451eace1e82f2baac3e208c969ec1e966
MD5 hash:
a24fc1476d5da0d06ebcb6924a02bb18
SHA1 hash:
ad06b3b5025b8dc5bfbfbe01de15ea2d7898c64c
Link:
https://www.unpac.me/results/4f6cdd44-2b80-481d-bb8e-e5a059afcc68/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/b7ef9f5137720932895dbc0e1231e71451eace1e82f2baac3e208c969ec1e966

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe b7ef9f5137720932895dbc0e1231e71451eace1e82f2baac3e208c969ec1e966

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1320550/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/164478/

Comments