MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdc5a66a0d41085b7694c31057c6947653c37b425a6841e99a9b86c5a10887ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdc5a66a0d41085b7694c31057c6947653c37b425a6841e99a9b86c5a10887ac
SHA3-384 hash: 917d01836de1e50f2aea33dc5a1bd9c1dcab9a251905498e2fa6c87429a41382c4c663f84fcc3bbe35bb712b8821675b
SHA1 hash: b0c7e1b2006cee0a54df0618d824779bb80f8eb2
MD5 hash: 0da06576f0eaa6eba134bf3059b09355
humanhash: papa-fanta-diet-saturn
File name:PRE ALERT CONTAINER NO 112(HPCU4511046).exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:462'336 bytes
First seen:2022-11-09 21:27:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:JREurhYE0t70LTRzctH52cPUxvBLrlFgGUlgyiH:3vz0t70Ll3PjgGb
Threatray 547 similar samples on MalwareBazaar
TLSH T1F3A4ADB8D50C9CC9E564A7BC7F0876B2A29148F550EBE8D832FF969EC0B50360F53562
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter GovCERT_CH
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PRE ALERT CONTAINER NO 112(HPCU4511046).exe
Verdict:
No threats detected
Analysis date:
2022-11-09 21:28:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/21384b8e-64a8-49f7-8d08-bab9e7be19a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331449/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.20582.11068.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Changing a file
Creating a file
Sending a custom TCP request
DNS request
Network activity
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/636c1b634834ec1f25eec2a7/reports/4ed2d6dd-75cb-4e15-85e9-19862aee8321/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e7f056c4-1abc-4abf-a5e4-8702395ef169
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1109751
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates autostart registry keys with suspicious names
Disables UAC (registry)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected UAC Bypass using CMSTP
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 742425 Sample: PRE ALERT CONTAINER NO 112(... Startdate: 09/11/2022 Architecture: WINDOWS Score: 100 29 Snort IDS alert for network traffic 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 11 other signatures 2->35 7 PRE ALERT CONTAINER NO 112(HPCU4511046).exe 2 1 2->7         started        10 PRE ALERT CONTAINER NO 112(HPCU4511046).exe 1 2->10         started        13 PRE ALERT CONTAINER NO 112(HPCU4511046).exe 1 2->13         started        process3 file4 37 Creates autostart registry keys with suspicious names 7->37 39 Adds a directory exclusion to Windows Defender 7->39 41 Disables UAC (registry) 7->41 15 powershell.exe 21 7->15         started        27 PRE ALERT CONTAINE...PCU4511046).exe.log, CSV 10->27 dropped 17 powershell.exe 19 10->17         started        19 powershell.exe 20 13->19         started        signatures5 process6 process7 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdc5a66a0d41085b7694c31057c6947653c37b425a6841e99a9b86c5a10887ac/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-11-09 11:23:33 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xxc2m2qnieefw5uuymifpruuozj4g62cljued2m2todmliiiq6wa._file
Verdict:
unknown
Similar samples:
06a71366813620e612dfc0f0e7f293712b6b10546db85bc065705d14db007a2d
AveMariaRAT
34259ebe24b406dd57d293d68a2d035f25e229a5f65cd9eef0215e40331a3d21
AveMariaRAT
362e42c3177269fc66fc65605ae7d03fe78347f9b3d9c10709d7b09e868afa87
AveMariaRAT
4f28d606adaacc365adde510380b2d5111339ecca6fc7e996d68e6ebb66d29b8
AveMariaRAT
560a2b36202c7ffffb40372f390dddc776a8fb0d3deef44e7c7b4cbb02a61138
AveMariaRAT
87a7b708cf5f194568ce728a77c5778078720d6ff6346ea269f0a5427398ad60
AveMariaRAT
8aa601cbb8b4ac57f68738444ca04d146662ce65656110ae0f804baef1c242f5
AveMariaRAT
cc25f86e8cd330e2752c8de224da8f59d4efde286f7018a23f55334fdc2e8175
AveMariaRAT
ebc1c03760f08f8e264c69a6515c4dfd91698ad720f625c02b389a5081380e9b
AveMariaRAT
+ 537 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection evasion infostealer persistence rat trojan
Link:
https://tria.ge/reports/221109-1ba63sccd4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Windows security modification
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Warzone RAT payload
UAC bypass
WarzoneRat, AveMaria
Windows security bypass
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6818175e-d015-4a82-b14c-01d6c45cb57e
Unpacked files
SH256 hash:
bdc5a66a0d41085b7694c31057c6947653c37b425a6841e99a9b86c5a10887ac
MD5 hash:
0da06576f0eaa6eba134bf3059b09355
SHA1 hash:
b0c7e1b2006cee0a54df0618d824779bb80f8eb2
Link:
https://www.unpac.me/results/23541349-21ac-4351-8607-727f259e7107/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/bdc5a66a0d41085b7694c31057c6947653c37b425a6841e99a9b86c5a10887ac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe bdc5a66a0d41085b7694c31057c6947653c37b425a6841e99a9b86c5a10887ac

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/331449/

Comments