MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1a0c0da434d13c2e3eaa3562e93947267c7c6415da24d4ff4f189f0b44f4d43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1a0c0da434d13c2e3eaa3562e93947267c7c6415da24d4ff4f189f0b44f4d43
SHA3-384 hash: 6ab93bbfa5ca479385931759532ed0860e3a0916c64f4d3500e5dd405f4eed3e1dba03d644f2e72d3b85530a0fdbf27f
SHA1 hash: 9a294658d4575e6be7f0d412d22c546d2f1246fd
MD5 hash: 171af6a789273f30441cc32c11d9554f
humanhash: one-oregon-ten-michigan
File name:171af6a789273f30441cc32c11d9554f.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:602'112 bytes
First seen:2021-02-03 16:13:29 UTC
Last seen:2021-02-03 17:35:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:v+9yqdsScBX0IeQp39yIwHcD6ebO9W/Io6aatY6zuaZ7ysl79XiYNplSFqFaA:vOy/X0IeuLwS6oOwRmPzVZ7yoTplSFQ
Threatray 242 similar samples on MalwareBazaar
TLSH E4D47FE573B0AA44C5D0FF374AAA231C83FEF4DB0612A546070A8B7315B54F8E95E987
Reporter abuse_ch
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
171af6a789273f30441cc32c11d9554f.exe
Verdict:
Malicious activity
Analysis date:
2021-02-03 16:14:20 UTC
Tags:
trojan rat stealer avemaria
Link:
https://app.any.run/tasks/8f1eaf2a-704e-4f5f-8321-b27e7eca1673

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115366/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45669729.17530.15999.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Creating a process with a hidden window
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/598083
Signature
Contains functionality to hide user accounts
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1a0c0da434d13c2e3eaa3562e93947267c7c6415da24d4ff4f189f0b44f4d43/
Threat name:
ByteCode-MSIL.Trojan.AveMariaRAT
Create hunting rule
Status:
Malicious
First seen:
2021-02-03 01:45:55 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
19d23d06b49ced25b47d72f5338af4fa1fc533cce85dcaff4286e0da31054a38
AveMariaRAT
32ec92b57297749ae4e4cc6299579355e77573ffdf0b125d1f65ebcc62b9fbfb
AveMariaRAT
49a63eb1c6fd5d4b22396bb8a8397c3bf124c3f94d104bc2a7a304f4457b4526
AveMariaRAT
581d4ba63e52707e1839c7d2c026c847d788b8b3025046bdb491f95a431ca1f7
AveMariaRAT
5da82dd52f913ff5d416ec5479133a0f89cd5d835d2fbd964f32191f642ca9fa
AveMariaRAT
83ef26bdf4b6b513417a97c8997aa2152bc0fb0f0af9d0b30cf6a46d4959ce38
AveMariaRAT
d2397447ce64327716a26a8083375ecca1c8d59747d55c74a65759b7add30245
AveMariaRAT
d7b0f275997cb07e5a97600fb21eb19d14096352af7990797f863b74941a1603
AveMariaRAT
e2d112bd0fd186acce6eebc6ec5d389c69fd6ae1154d0f44938de68dedec29cc
AveMariaRAT
ef203882acf676c759bf86f6f60a5a570a5c84a163314462c133bb70fada63a7
AveMariaRAT
+ 232 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/210203-ygyg7z17p6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Warzone RAT Payload
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
c1a0c0da434d13c2e3eaa3562e93947267c7c6415da24d4ff4f189f0b44f4d43
MD5 hash:
171af6a789273f30441cc32c11d9554f
SHA1 hash:
9a294658d4575e6be7f0d412d22c546d2f1246fd
Link:
https://www.unpac.me/results/360f462a-4c6c-40e4-9277-c34722e36e55/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/c1a0c0da434d13c2e3eaa3562e93947267c7c6415da24d4ff4f189f0b44f4d43

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe c1a0c0da434d13c2e3eaa3562e93947267c7c6415da24d4ff4f189f0b44f4d43

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/986052/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/115366/

Comments