MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1c8d9b5633bd87a8281c47f6b6670b9fde46113fa6ac0513bc9fb98ac20719e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1c8d9b5633bd87a8281c47f6b6670b9fde46113fa6ac0513bc9fb98ac20719e
SHA3-384 hash: 858057e14f503212be39e9f9348a4e0b838777752fa0e534d61a4bc85a361b65ef94ba3c93fa212c0c8cbb8d88269164
SHA1 hash: 40e068e1d6012533d9f55ae9f74115d5877e8b1f
MD5 hash: 48ab7262222ff36446d4fb2efef6f056
humanhash: november-london-jig-west
File name:Scan_SKMBT-TT Ref MT103_02062022.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:951'808 bytes
First seen:2022-06-02 08:44:17 UTC
Last seen:2022-06-02 18:16:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 19aba55f177a94d47d26ad7eee6b8816 (4 x FormBook, 1 x AveMariaRAT, 1 x RemcosRAT)
ssdeep 12288:nS7+lEB3U+er3twj8fPcdUQCqAWMprn71Fh9eo57GtVSX3x7FRS8HWAWMeM7jEOX:nMxur3OGUmnq4tuZtVSn52bD/MMOd/p
Threatray 8'763 similar samples on MalwareBazaar
TLSH T151159E62F3518433C76325399C2B96A55D36BF303D28BA467BF56D4C4F3E28138292A7
TrID 58.8% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
23.2% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
10.3% (.OCX) Windows ActiveX control (116521/4/18)
3.8% (.EXE) InstallShield setup (43053/19/16)
1.2% (.EXE) Win32 Executable Delphi generic (14182/79/4)
File icon (PE):PE icon
dhash icon e0e4a3a6a4b8b8a8 (37 x Formbook, 9 x AZORult, 9 x Loki)
Reporter Anonymous
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
314
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scan_SKMBT-TT Ref MT103_02062022.exe
Verdict:
Malicious activity
Analysis date:
2022-06-02 08:44:58 UTC
Tags:
installer
Link:
https://app.any.run/tasks/2cff5cec-a637-4473-b952-7c1cd592adbc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/276280/
Detection(s):
SecuriteInfo.com.Variant.Jaik.79321.2121.14582.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger packed remote.exe replace.exe
Link:
https://www.filescan.io/uploads/62987890961acffe543f15f7/reports/5ebc5541-f555-4733-a594-0fcc5063fb77/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1fdce643-7bce-4be6-9dc8-0d6353d842b5
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1005591
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 638087 Sample: Scan_SKMBT-TT Ref MT103_020... Startdate: 02/06/2022 Architecture: WINDOWS Score: 100 38 luckyfavour2022.ddns.net 2->38 46 Multi AV Scanner detection for domain / URL 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 10 other signatures 2->52 9 Sobdabvjvs.exe 13 2->9         started        13 Scan_SKMBT-TT Ref MT103_02062022.exe 1 21 2->13         started        16 Sobdabvjvs.exe 13 2->16         started        signatures3 process4 dnsIp5 58 Multi AV Scanner detection for dropped file 9->58 60 Detected unpacking (creates a PE file in dynamic memory) 9->60 62 Found evasive API chain (may stop execution after checking mutex) 9->62 66 4 other signatures 9->66 18 Sobdabvjvs.exe 1 9->18         started        44 morientlines.com 103.11.189.121, 443, 49733, 49738 VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG Singapore 13->44 34 C:\Users\Public\Libraries\Sobdabvjvs.exe, PE32 13->34 dropped 36 C:\Users\...\Sobdabvjvs.exe:Zone.Identifier, ASCII 13->36 dropped 64 Injects a PE file into a foreign processes 13->64 20 Scan_SKMBT-TT Ref MT103_02062022.exe 3 2 13->20         started        24 cmd.exe 1 13->24         started        26 Sobdabvjvs.exe 1 16->26         started        file6 signatures7 process8 dnsIp9 40 luckyfavour2022.ddns.net 45.137.22.143, 4468, 49759, 49760 ROOTLAYERNETNL Netherlands 20->40 42 192.168.2.1 unknown unknown 20->42 54 Increases the number of concurrent connection per server for Internet Explorer 20->54 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->56 28 cmd.exe 1 24->28         started        30 conhost.exe 24->30         started        signatures10 process11 process12 32 conhost.exe 28->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1c8d9b5633bd87a8281c47f6b6670b9fde46113fa6ac0513bc9fb98ac20719e/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2022-06-02 03:26:59 UTC
File Type:
PE (Exe)
Extracted files:
83
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhentnldhpmhvaubyr7wwztqxh66iyit7jvmauj3zh5zrlbaogpa._file
Verdict:
malicious
Similar samples:
1469e7e8893827f956180775b581b110e8dc11995df78238a8280e61a7beb19b
AveMariaRAT
34bca356c816bb71cc7c496f8238af91033119e324be0a82067aa3b20a9bad4a
AveMariaRAT
3880fb052955a0a189467378cdfa76b830a23417a89265eb347918a99ca3ca65
AveMariaRAT
5bb36e3bc7e4af9d5e89ac458eda237272b08fdd5643be22bfbdf05761cefc75
AveMariaRAT
a45abe3d312cbd49eb1af3b5dc7f2447ad3de342dffd31fee15fd32a889881c1
AveMariaRAT
b165bdbad9821670da9ee9293016ff57e07266cf5695e69688934e00b565a4cf
AveMariaRAT
d267cdaa7f1c04a889cdd18f85c56d96dfdb5697cc1a81fa5a27d139a1f34e83
AveMariaRAT
+ 8'753 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/220602-knqjjaabdm/
Behaviour
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
luckyfavour2022.ddns.net:4468
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/625d95de-b0f1-45c2-b882-41e91b387420/
SH256 hash:
c1c8d9b5633bd87a8281c47f6b6670b9fde46113fa6ac0513bc9fb98ac20719e
MD5 hash:
48ab7262222ff36446d4fb2efef6f056
SHA1 hash:
40e068e1d6012533d9f55ae9f74115d5877e8b1f
Link:
https://www.unpac.me/results/625d95de-b0f1-45c2-b882-41e91b387420/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1c8d9b5633bd87a8281c47f6b6670b9fde46113fa6ac0513bc9fb98ac20719e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/276280/

Comments