MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cad851d943cb185cb15220b74b66ba5f60058d0b155c020db6b71315183f940c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cad851d943cb185cb15220b74b66ba5f60058d0b155c020db6b71315183f940c
SHA3-384 hash: 4dd5cc64db7aeb437974e8e48fcf342293133b5c598f746561b9406392e91739e0e929fee6cf3c14f00f591aeabe97c4
SHA1 hash: 58119e8e02b51e0681ac282e214e0f6d64e00446
MD5 hash: 4298cdf87b194f36ee03918c0beeb7ab
humanhash: green-romeo-orange-red
File name:ccf1a31681655d42d959f2f7655b57ef.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:100'352 bytes
First seen:2020-04-11 07:23:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76aafdc988ade2ab3db3b02fa4c6d00 (26 x AveMariaRAT, 1 x njrat, 1 x NanoCore)
ssdeep 1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEyp:AtD6jSm0uWRfCogTjVEG
Threatray 438 similar samples on MalwareBazaar
TLSH 12A38D2377D1483DF67502B02ABCBE7A97FEB9750321895FA36811836E72548E926343
Reporter abuse_ch
Tags:AveMariaRAT exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=143I5WQRpW2JOspSRSNEuyWGexgWT886g

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Maria.4.17072.22484.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Maria.3.30306.22950.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Mocrt
Create hunting rule
Status:
Malicious
First seen:
2020-04-11 07:35:20 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
46 of 48 (95.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zlmfdwkdzmmfzmksec3uwzv2l5qaldilcvoaednww4jrkgb7sqga._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
12fa05928175822dc4f3aacc86b8dcdab77e5f35d1a4a2f54b8762dbc6f8a236
AveMariaRAT
1e0cc4051f5ea6cb75b0df551bc5be60abc54ca51cd1611dc760aa245a0055dd
AveMariaRAT
2002e2506e59be859c12de94b1d9ddbfeeee31373684ce15f4e5b952da036a69
AveMariaRAT
4fed79d044df2a4c1c7fe6261a9b557de0c8940f5b92d853892a619537bd989f
AveMariaRAT
6998249e77f7c33821b3678fbdbc0a843ca39d80d49aa55335b48ef7c4011ad2
AveMariaRAT
6c08295f40c3b798331023edf5166fc3dc159f120eaf02db0991f6d682c7df13
AveMariaRAT
97abfa66c19a23ccabb59254cf91e13eb56d9d64df727f66034ac5a063cc566c
AveMariaRAT
b01d0e871f96ddcf4df2358b7a452c488d628829d14d5ede0a58243cdd1dbdc7
AveMariaRAT
e3ec188cee8aedebacb4156103cebe176b3521415be6de03ec98304d94963498
AveMariaRAT
eee4d211bbffe896f0de21854cb5adac6e10c85016986efd260b45c7022d7521
AveMariaRAT
+ 428 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AveMariaRAT

Executable exe 6c96db90cd78677068e97201eb26c5b0c8a558cd8b8c25607ae181c7a009f10c

AveMariaRAT

Executable exe cad851d943cb185cb15220b74b66ba5f60058d0b155c020db6b71315183f940c

(this sample)

  
Dropped by
MD5 ccf1a31681655d42d959f2f7655b57ef
  
Dropped by
MD5 e00219f9c1a0738de3386c809a153bad
  
Dropped by
GuLoader
  
Dropped by
SHA256 6c96db90cd78677068e97201eb26c5b0c8a558cd8b8c25607ae181c7a009f10c
  
Dropped by
SHA256 ca17d5108fbe876e4265d8c16201b8c295cf370953e766c362c205d203164b26
  
URLhaus
https://urlhaus.abuse.ch/url/338329/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
DP_APIUses DP APICRYPT32.dll::CryptUnprotectData
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::ShellExecuteExA
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateRemoteThread
KERNEL32.dll::CreateProcessW
KERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
SHELL32.dll::SHCreateDirectoryExW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::LookupAccountSidW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigW
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
ADVAPI32.dll::StartServiceW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments