MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cab0b398ecbf051d2fefcd25624c8f2b8119d52304c4e9836ede3b5391119fe6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cab0b398ecbf051d2fefcd25624c8f2b8119d52304c4e9836ede3b5391119fe6
SHA3-384 hash: 5525e786a393db53035ee47e3e0ecc1537359ef7d22d71e3878d913ad85d6e94f036c06ad080874ebbec1145b8af3e5c
SHA1 hash: 2805d1510ca6f4afb790cbe80882728835c8b8de
MD5 hash: 09e6d5e0da51bc83f8b3b998cd79de92
humanhash: bravo-ohio-shade-carolina
File name:09e6d5e0da51bc83f8b3b998cd79de92
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:937'984 bytes
First seen:2022-01-25 12:29:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 60001c6e865a4f78d5ea9add6c0c27e1 (1 x Formbook, 1 x AveMariaRAT)
ssdeep 24576:Vn0w79689uLrDdAh2JmkN4JE5maQ3uKT7vzGeO:Vnd/uZaCpeugC
Threatray 2'433 similar samples on MalwareBazaar
TLSH T195158E22A2914433D4331A388D5B93BD682ABE012D6DFD4B77F8AE4C5E3A7407525F93
File icon (PE):PE icon
dhash icon b2b0f1ecccce9e98 (2 x Formbook, 1 x DBatLoader, 1 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ #600019939189_24-01-202.xlsx
Verdict:
Malicious activity
Analysis date:
2022-01-25 10:04:38 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/f6c1e5ef-d00a-415e-a8ad-51c825d102a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/222439/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.35148.29551.6238.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Query of malicious DNS domain
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5099/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe keylogger packed remote.exe replace.exe
Link:
https://www.filescan.io/uploads/61efed520f8c757253e71e02/reports/38a27ca8-e28c-48f3-a552-a0dd67e07f97/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce08b423-f340-40f7-b91e-355fd71a4fe0
Result
Threat name:
AveMaria DBatLoader UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/927079
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 559559 Sample: RaZB5gY6jZ Startdate: 25/01/2022 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 10 other signatures 2->54 8 RaZB5gY6jZ.exe 1 23 2->8         started        13 Cklvnfrdtl.exe 13 2->13         started        15 Cklvnfrdtl.exe 14 2->15         started        process3 dnsIp4 44 goloramltd.com 203.191.33.96, 443, 49757, 49758 CYBERNET-BD-ASGrameenCybernetLtdBangladeshASforloca Bangladesh 8->44 32 C:\Users\user\Contacts\propsys.dll, PE32+ 8->32 dropped 34 C:\Users\user\Contacts\Cklvnfrdtl.exe, PE32 8->34 dropped 36 C:\Users\...\Cklvnfrdtl.exe:Zone.Identifier, ASCII 8->36 dropped 38 C:\Users\user\Contacts\ComputerDefaults.exe, PE32+ 8->38 dropped 64 Writes to foreign memory regions 8->64 66 Allocates memory in foreign processes 8->66 68 Creates a thread in another existing process (thread injection) 8->68 70 Injects a PE file into a foreign processes 8->70 17 logagent.exe 3 4 8->17         started        21 cmd.exe 1 8->21         started        46 192.168.2.1 unknown unknown 13->46 72 Multi AV Scanner detection for dropped file 13->72 23 logagent.exe 13->23         started        file5 signatures6 process7 dnsIp8 42 ugblackblessing2022.ddns.net 45.137.22.79, 4528, 49770 ROOTLAYERNETNL Netherlands 17->42 56 Contains functionality to inject threads in other processes 17->56 58 Contains functionality to steal Chrome passwords or cookies 17->58 60 Contains functionality to steal e-mail passwords 17->60 62 4 other signatures 17->62 25 cmd.exe 4 21->25         started        28 conhost.exe 21->28         started        signatures9 process10 file11 40 C:\Windows \System32\ComputerDefaults.exe, PE32+ 25->40 dropped 30 conhost.exe 25->30         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cab0b398ecbf051d2fefcd25624c8f2b8119d52304c4e9836ede3b5391119fe6/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-01-24 07:34:51 UTC
File Type:
PE (Exe)
Extracted files:
72
AV detection:
32 of 43 (74.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zkylhghmx4cr2l7pzuswetepfoartvjdatcota3o3y5vheirt7ta._file
Verdict:
malicious
Similar samples:
0d9facf6b7073de4e3db19eb64e80589d98cfe35b66942191390a891bb8b241c
AveMariaRAT
5f5d1f324ed8dc18d76f200a176d40ab2ae48e336f33c2f7b5d047d682f3260a
AveMariaRAT
623027463a2ef70f60ff6a0991019847a3fb24da3b633b52da4a99a77c99f92b
AveMariaRAT
70d04c9ec5f8c5f8a5c1cd82ad19eee2ddd26145848bc2ffe90d1b51645cac2e
AveMariaRAT
800b4455105a08833332092017909f9dd47bd4ebfb1cbddbe0b95658d03b8d64
AveMariaRAT
a7018ff4aaaaebda06615da54ab7d3dcfe06ffda501254eb9654aa27152629bb
AveMariaRAT
e03a7b921d3ebd2e5d1f850933f956813abf8abd23d42451f2df9b32e1f8c178
AveMariaRAT
edba3ca498110106418658167533034aeb929276fe81de80c6de1a6bb95120e0
AveMariaRAT
f9bd3a815beaf9e995e521edd22d17a06e5e1c4b1c2fdfa39f3837983716a70c
AveMariaRAT
+ 2'423 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat collection infostealer persistence rat trojan
Link:
https://tria.ge/reports/220125-pphbrsfhh5/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
ugblackblessing2022.ddns.net:4528
Unpacked files
SH256 hash:
9cebbcef1bd6016dfebf4c69f4c49501d914d5a8607777eba952d7ad40346f9a
MD5 hash:
322f2da5c29542aaecc9ee17e1fe7f00
SHA1 hash:
734c432e2595d53c82ee28604f909d3390018dd8
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/c9dccc01-9f74-42c3-b8c9-492535870112/
Parent samples :
a7d0cff6a05994c0ae576fa842e44a101879317f62466923f1d96adee2c4a898
770c04c7c3a53d584af17e38e8e3fe5767d431e26ca59b4dc20de71045354295
c1bd90e8816e506f387b5552b7487423da84b9818cf4e94f175ed7206cffe4f5
b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e
bed2b6abf700b607d4f856c63832bae23f4120a8786b5af4cbdaa0d8525a47bc
0d9facf6b7073de4e3db19eb64e80589d98cfe35b66942191390a891bb8b241c
3add41c98717984fa6f6d1bff7b1506024e2d91932b60a43810498c44daaef86
ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e
b5cea089bb899e75deef98dc1569dc3af17a070f6fa594377b49299d63bbbd8f
7b2232160ba59858c112d6dcb2252701cdb5c1e38b216fb046bd13718c2716ce
b83152fc7fc7aa9950add1de9c3d12e107e3b6eb481c1a368018ed26d3792cdc
0ba0cd39397ce42a5a678b0ef803f99267dc16de6383f61107e298633e23e436
f69c67cbf4e8f7e6d0f9157de994b80e6eb0f7b251dcc461940d51659055640f
5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef
cab0b398ecbf051d2fefcd25624c8f2b8119d52304c4e9836ede3b5391119fe6
4e837a08dd24b1f710c6fce10f974a49141decf103d6aeb290c0d36bba75121b
7a5846b1a7c0bbada0892d8b315bef3b4682192268da9ea779e98449681dd7ed
94ca0af32ea93d62fa355e450747ae9755c5dcd09e7b4186cd5bd04d7fc56565
0183d2fd44e215d6dc408bec45db9767a765767737b737032ff97e75adca46cd
5a04697834016e869389ef0d6a08656669cf5597fe0a6378a993250d311482e3
01e537ab28cea013b9a08939057369aa9369e8ff009231cb95101dc24348bb2e
76389098be8a410aaf6b21297912f6ef745db6e8a2f2aaaddda8685bd91091c3
662c7dc1c6b6fbc7cb4622876c0b0b2a42dba7081adede8a65182aef085f7082
7793e93512bcef7b9d90de59ef17b8771ecc9da854da2f4c8b3be8ba3c5a2c20
SH256 hash:
cab0b398ecbf051d2fefcd25624c8f2b8119d52304c4e9836ede3b5391119fe6
MD5 hash:
09e6d5e0da51bc83f8b3b998cd79de92
SHA1 hash:
2805d1510ca6f4afb790cbe80882728835c8b8de
Link:
https://www.unpac.me/results/c9dccc01-9f74-42c3-b8c9-492535870112/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cab0b398ecbf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cab0b398ecbf051d2fefcd25624c8f2b8119d52304c4e9836ede3b5391119fe6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe cab0b398ecbf051d2fefcd25624c8f2b8119d52304c4e9836ede3b5391119fe6

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/222439/
  
URLhaus
https://urlhaus.abuse.ch/url/2004764/

Comments


Avatar
zbet commented on 2022-01-25 12:29:41 UTC

url : hxxp://198.144.176.240/mad/jam.exe