MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3eda1ec3ed1ef66e2aa1492f07a8f4ff3a5868e20dc344c3dfb1d90eec46fb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3eda1ec3ed1ef66e2aa1492f07a8f4ff3a5868e20dc344c3dfb1d90eec46fb2
SHA3-384 hash: d6602f7f6bc9bb434a61fd084df3128ea6b560fd18f6de3e920f97c07018c756a272c03663c3de6642bc777a6e9bae83
SHA1 hash: 86d094d5086c53b3d185e0843c68faf16bf15896
MD5 hash: de6b46d86d773ad0ea18e3d7762a0279
humanhash: angel-mars-ten-romeo
File name:de6b46d86d773ad0ea18e3d7762a0279
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:335'360 bytes
First seen:2021-08-25 09:25:02 UTC
Last seen:2021-08-25 11:35:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:7ZbDfHRF2kvlg7cwdJVGVgyXY9dY7tGjOnUSwg0JqK0ZxIro:7d5FXC4wdPGfo9dY70DJqKi
Threatray 1'134 similar samples on MalwareBazaar
TLSH T1FD6422207A7AD2B3E77E43BA1E3104409372AE757091E6813CD909DAA5BBF508907F4F
dhash icon f0f0f2b2e834b498 (29 x AgentTesla, 12 x AveMariaRAT, 8 x RedLineStealer)
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
de6b46d86d773ad0ea18e3d7762a0279
Verdict:
Malicious activity
Analysis date:
2021-08-25 09:27:00 UTC
Tags:
trojan stealer rat avemaria
Link:
https://app.any.run/tasks/02f81bb3-2451-4cef-b028-a15c7d69c9c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182241/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.15890.24185.30667.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Using the Windows Management Instrumentation requests
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0c3e5a0-5977-4853-9560-d775c5646554
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/838919
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 471347 Sample: jJ5Q87YeEC Startdate: 25/08/2021 Architecture: WINDOWS Score: 56 21 Multi AV Scanner detection for submitted file 2->21 23 .NET source code contains potential unpacker 2->23 25 Machine Learning detection for sample 2->25 7 jJ5Q87YeEC.exe 3 2->7         started        process3 process4 9 powershell.exe 19 7->9         started        11 powershell.exe 16 7->11         started        13 powershell.exe 16 7->13         started        process5 15 conhost.exe 9->15         started        17 conhost.exe 11->17         started        19 conhost.exe 13->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3eda1ec3ed1ef66e2aa1492f07a8f4ff3a5868e20dc344c3dfb1d90eec46fb2/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 08:36:56 UTC
AV detection:
14 of 43 (32.56%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
043544fc666b260b348dbd6c004ac8a76c62418e34b3330e6d0a1fac1dfc3f9f
AveMariaRAT
0d873887f2b308fd3881ea4fe102f661b822e8da5122c64871c4ae2033332ced
AveMariaRAT
4db3fd1342c99f9fdd38dafa68b9f13d4928b62fea7d7c0b6891982b312c14c9
AveMariaRAT
54d90bf7f12a3b1369e8ef4f708a58fed9d7950e1a87c9d5d805b974a148ce9e
AveMariaRAT
691c75376ade3956492197d79853cab8eb38dca6dc2a7c2be3d4f28f445a3d2b
AveMariaRAT
7c226fda60b190a13b95e0e5e992506ec7214ef9789e2117b4ee11981dad3158
AveMariaRAT
885e34ff7befbdcdb027a017843cbacdba7eebb34d3df2e3113cceb9adafe8b5
AveMariaRAT
9fe95a6421cbcedfcd831733d3b4a0711f8fd245034b67f0fb059d070adbb49a
AveMariaRAT
e3f01ed8d12f734d433783b0fe727e25e1a9a982a38e50fe72734c75c146df07
AveMariaRAT
ef1ac3f12332198e1ef6f01698658258289a63e08ff17b1ddba89e229b8f19b7
AveMariaRAT
+ 1'124 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat spyware stealer
Link:
https://tria.ge/reports/210825-kdmh4jw13j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
byx.z86.ru:5200
Unpacked files
SH256 hash:
fdc75b3b41291348a60ab81c86b326a072cc65d115b2fa7aa5f7e5eb99bc2fb7
MD5 hash:
7c68db7965c721b6f1ff91f23e50b229
SHA1 hash:
ee803af5847a271ec819d5b7217c240bd33b542c
Link:
https://www.unpac.me/results/f4ce5c5c-8022-4308-b788-0ca53ea42104/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/f4ce5c5c-8022-4308-b788-0ca53ea42104/
SH256 hash:
6199ab51571934dc462d0ea6c37cde88fa58dbd743e0c6d137187a0fa48df17b
MD5 hash:
9f6f1920eb1796953055875ee3a73d05
SHA1 hash:
46e3c0715f34a02b4341c65f76b4e2e6d1f803da
Link:
https://www.unpac.me/results/f4ce5c5c-8022-4308-b788-0ca53ea42104/
SH256 hash:
92e20805794a9aea58706634f71737746a956cabbcb742fd80ad7aa3f24ad034
MD5 hash:
f8ad66ec98586243dd0c978027dc156a
SHA1 hash:
42a1f6a90826ecd9f3af370ab63917547190347b
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/f4ce5c5c-8022-4308-b788-0ca53ea42104/
Parent samples :
9e2a3d4464636baff78628d870f39d1a9f3ba23da71f8c50ead2576479077702
52e2c9a43a9de0685055f60bd590f2f893882ad710f3b7e8c451985eea69ec07
c3eda1ec3ed1ef66e2aa1492f07a8f4ff3a5868e20dc344c3dfb1d90eec46fb2
9d1f73dc28e7c2ae89a87fb4178a025f06466530de42f2de2015538f06866f60
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/f4ce5c5c-8022-4308-b788-0ca53ea42104/
SH256 hash:
c3eda1ec3ed1ef66e2aa1492f07a8f4ff3a5868e20dc344c3dfb1d90eec46fb2
MD5 hash:
de6b46d86d773ad0ea18e3d7762a0279
SHA1 hash:
86d094d5086c53b3d185e0843c68faf16bf15896
Link:
https://www.unpac.me/results/f4ce5c5c-8022-4308-b788-0ca53ea42104/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3eda1ec3ed1ef66e2aa1492f07a8f4ff3a5868e20dc344c3dfb1d90eec46fb2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe c3eda1ec3ed1ef66e2aa1492f07a8f4ff3a5868e20dc344c3dfb1d90eec46fb2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/182241/
  
URLhaus
https://urlhaus.abuse.ch/url/1562804/

Comments


Avatar
zbet commented on 2021-08-25 09:25:02 UTC

url : hxxps://www.uplooder.net/f/tl/71/d4e93a39abc9d7cf9aeff8360d2b31ad/svchost.exe