MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c571866e6cfa9a8779df245f0763e3b73b022d33c8999c65fba5e35963c28232. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	c571866e6cfa9a8779df245f0763e3b73b022d33c8999c65fba5e35963c28232
SHA3-384 hash:	2cbefd8c1d0ae6367c1ac2f16d36916de26823fb2a2a1675fae7f9a3f805bae00bb3e2ef3fa608b17d67148f49c8cdb2
SHA1 hash:	51d061f034377050f34a3e31d3dc2ef6a919fab2
MD5 hash:	57be4342ef5817ad21c6437b5c4daeee
humanhash:	sweet-victor-mobile-william
File name:	Purchase order 26865.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	51'448 bytes
First seen:	2022-04-05 08:21:14 UTC
Last seen:	2022-04-05 08:40:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	768:WwoOFb6ujFr2i2GzOnbqFmNIrzzj1WCOiaKG4yLL+DgSYTXUj1PlAPX:xDZ2KOWFboCXaxPLLDSYTXUpPKX
Threatray	8'134 similar samples on MalwareBazaar
TLSH	T1BF33BF55B7578231C9293F3184D4E9811B3AE3C25637CA2D308E633D9F933CB9B92A64
Reporter	Anonymous
Tags:	AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

210

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

avemaria

ID:

File name:

Purchase order 26865.exe

Verdict:

Malicious activity

Analysis date:

2022-04-05 08:25:10 UTC

Tags:

trojan stealer rat avemaria

Link:

https://app.any.run/tasks/3a22e73f-b55c-4319-98cb-e783d9523eaf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/260885/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.39427914.12449.9283.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe obfuscated overlay packed packed

Link:

https://www.filescan.io/uploads/624bfc3040ce5db9f40c533f/reports/aeefa58c-e9db-48d1-941a-fc4861ab8e06/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4319f2ee-3e21-477a-95e4-e81d8cfe6f68

Result

Threat name:

AveMaria UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/970709

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Creates a thread in another existing process (thread injection)

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c571866e6cfa9a8779df245f0763e3b73b022d33c8999c65fba5e35963c28232/

Threat name:

ByteCode-MSIL.Trojan.Injuke

Status:

Malicious

First seen:

2022-04-04 21:05:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yvyym3tm7knio6o7erpqoy7dw45qeljtzcmzyzp3uxrvsy6cqiza._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

09acaed1582d4f3da067862bc15fb60d54d8e65c2a64bd2432d354941daf716f

AveMariaRAT

541edd0b23eb209ff5c4dba556e429099a86e6aa2d1ac57213dffb43bc5d0f2a

AveMariaRAT

6458542795cc0a40d4ab238e2be5fb15546d5ca38e52d1f9c7d4157dca27679a

AveMariaRAT

80fa88690cc6490e1eb7f735ff4421fc5f813505d41987747ac4c5a9e268272d

AveMariaRAT

abc5f306aae4ed8a42216e5b16b14b312eac674877724fe3b9beb56b8e6cfb47

AveMariaRAT

e5640f5e5b21c3d726e0893a9d5388c289acf3fe532aef046896e36e39c71a06

AveMariaRAT

ef998f6576a87ce8cbb4bcfe6d0f66a60e66cbff63e051080004973e4387cae5

AveMariaRAT

f72d78438de45cac03cd9145af801de62abc023cf0a7766b3eb0802c2de26b99

AveMariaRAT

+ 8'124 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220405-j9j37scac8/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

c571866e6cfa9a8779df245f0763e3b73b022d33c8999c65fba5e35963c28232

MD5 hash:

57be4342ef5817ad21c6437b5c4daeee

SHA1 hash:

51d061f034377050f34a3e31d3dc2ef6a919fab2

Link:

https://www.unpac.me/results/f18086b0-6b79-4fbd-b52c-902e0eee10df/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/c571866e6cfa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c571866e6cfa9a8779df245f0763e3b73b022d33c8999c65fba5e35963c28232

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/260885/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample