MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc584053d88f795417a45c3f1eec2ccd26d42187ee6363f765a9af5e3f8ab8f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 11



SHA256 hash: cc584053d88f795417a45c3f1eec2ccd26d42187ee6363f765a9af5e3f8ab8f8
SHA3-384 hash: 733656705b86b7bb6f4d244f6b872053c5d3c0e83a8091614153820a01436bf84392416d03f2c072b30fe9aa4a32ccab
SHA1 hash: 70ab5b83940a6c82b3c8df31ca9fe52b7eb0b0c1
MD5 hash: 26cdd64ec438643a623b79bfba398c36
humanhash: yellow-seventeen-fourteen-six
File name: payment-1636969441877_Page_1.exe
Signature AveMariaRAT
File size: 1'064'448 bytes
First seen: 2022-04-21 08:18:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash d4cf2d38c8388bbe93ed7c0af7fb2d41 (3 x Formbook, 3 x DBatLoader, 2 x AveMariaRAT)
ssdeep 24576:NODWeYzvYu8Qtm12YI/vrnqpM5mxY5pIOBz:NSWNcY3tl
Threatray 9'053 similar samples on MalwareBazaar
TLSH T13D357D12AF485433D5721E789D4FA7B85825BD01F92498822EF59D4CFFFA3D23829683
TrID 40.4% (.EXE) InstallShield setup (43053/19/16)
13.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
12.3% (.SCR) Windows screen saver (13101/52/3)
9.8% (.EXE) Win64 Executable (generic) (10523/12/4)
9.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
File icon (PE): PE icon
dhash icon e0e4a3a6a4b8b8a8 (37 x Formbook, 9 x AZORult, 9 x Loki)
Reporter lowmal3
Tags: AveMariaRAT exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
payment-1636969441877_Page_1.exe
Verdict:
Malicious activity
Analysis date:
2022-04-21 07:48:37 UTC
Tags:
installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger replace.exe
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DBatLoader
Detection:
malicious
Classification:
troj
Score:
76 / 100
Signature
Antivirus / Scanner detection for submitted sample
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Behaviour
Behavior Graph:
Threat name:
Win32.Packed.Rattler
Status:
Malicious
First seen:
2022-04-21 08:19:11 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
20 of 26 (76.92%)
Threat level:
  1/5
Result
Malware family:
warzonerat
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
20.91.186.187:6880
Unpacked files
SHA256 hash:
f0b40f8f7e36da9257b6df7c2a2b6a008be050cf5fdcd477a0415c6c96b4b9f5
MD5 hash:
c1a72ee7162580adf97d03f8b7acaf29
SHA1 hash:
2e9f9d3f24cd773ac1ed82172292e88e799d177b
Detections:
win_dbatloader_w0
Parent samples :
SHA256 hash:
cc584053d88f795417a45c3f1eec2ccd26d42187ee6363f765a9af5e3f8ab8f8
MD5 hash:
26cdd64ec438643a623b79bfba398c36
SHA1 hash:
70ab5b83940a6c82b3c8df31ca9fe52b7eb0b0c1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe cc584053d88f795417a45c3f1eec2ccd26d42187ee6363f765a9af5e3f8ab8f8

(this sample)

Delivery method
Distributed via e-mail attachment

Comments