MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cebf1665279b1ce695f105bfe9710012793c5dce9e06b53b778d66eeb553c5ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 12



SHA256 hash: cebf1665279b1ce695f105bfe9710012793c5dce9e06b53b778d66eeb553c5ab
SHA3-384 hash: 8ce1c337d63799f71dcc676e3a8f0f49d2389d11d54c946f108b4dff0e0199ef802f6d31507f963b0613e275054c8e69
SHA1 hash: 531b916099a0c94ea5d17ab344214ef1292c3a7c
MD5 hash: b5611df0f2ad9a0214a32a8503d30417
humanhash: fillet-glucose-saturn-wyoming
File name: Sandra-Wohl-Bewerbung-Zeugnis.exe
Signature: AveMariaRAT
File size: 101'888 bytes
First seen: 2022-10-19 02:39:32 UTC
Last seen: 2022-10-19 14:47:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep: 1536:/7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfowoOpJ0HWI7HOl:z7DhdC6kzWypvaQ0FxyNTBfonOpOO
Threatray: 2'975 similar samples on MalwareBazaar
TLSH: T18EA38E41F3E102F7EAF2053100A6766F9736A238972498DBC74C3D929913AD5A73D3E9
TrID:
  37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 6cecccdcd4d0e8f0 (4 x AveMariaRAT, 1 x Smoke Loader, 1 x GuLoader)
Reporter: r3dbU7z
Tags: AveMariaRAT exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 277
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Sandra-Wohl-Bewerbung-Zeugnis.exe
Verdict: Malicious activity
Analysis date: 2022-10-19 06:17:45 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Forced system process termination
Searching for the window
Launching a process
Sending an HTTP GET request
Creating a file
Using the Windows Management Instrumentation requests
Modifying a system executable file
Launching cmd.exe command interpreter
Launching a tool to kill processes
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Babadeda
Detection: malicious
Classification: troj.adwa.expl
Score: 96 / 100
Signature
Antivirus detection for dropped file
Drops PE files to the startup folder
Drops script or batch files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Yara detected Babadeda
Behaviour
Behavior Graph (image not included in this text). Graph ID: 725783; sample: Sandra-Wohl-Bewerbung-Zeugnis.exe; start date: 19/10/2022; architecture: WINDOWS; score: 96. Indicators recovered from the graph:
Signatures: Snort IDS alert for network traffic; Antivirus detection for dropped file; Yara detected Babadeda; Drops script or batch files to the startup folder; Uses cmd line tools excessively to alter registry or file data; Drops PE files to the startup folder; 4 other signatures
Process chain: Sandra-Wohl-Bewerbung-Zeugnis.exe -> cmd.exe / conhost.exe -> Sandra-Wohl-Bewerbung-Zeugnis.exe (second instance) -> cmd.exe / conhost.exe -> numerous further cmd.exe / conhost.exe instances -> reg.exe
Network: i.ibb.co (DNS lookup); 111.90.151.174 via client ports 49706, 49707, 49708 (SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd, Malaysia)
Dropped files: C:\Users\user\AppData\Roaming\...\part1.bat (ASCII); C:\Users\user\AppData\...\Ransomware.exe (PE32); C:\configuration\5201.exe (PE32)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-10-19 02:57:57 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:eternity family:warzonerat evasion infostealer persistence ransomware rat upx
Behaviour
Kills process with taskkill
Modifies Control Panel
Modifies registry class
NTFS ADS
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates physical storage devices
Drops file in Windows directory
Sets desktop wallpaper using registry
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Modifies extensions of user files
UPX packed file
Warzone RAT payload
Eternity
WarzoneRat, AveMaria
Malware Config
C2 Extraction: 111.90.151.174:5200

Unpacked files
SHA256 hash: 9acc1f9bcb8913fc1527faecaaee9649c7d9df5c0c4a10608cbcd3d8eb9e3525
MD5 hash: 704807995ac07b1266c307f4c150419e
SHA1 hash: fa4621483317dea8c83a8e9d2fd262a2d1c7bc66

SHA256 hash: bf045dabf45e7772877a85b26328c93795c66684a49347a6486261cc942ffe23
MD5 hash: e02026ea076bb8a0e54c8aa27bb000d4
SHA1 hash: e5c1033d72a4ec203474bf3a962c150fa50fa986

SHA256 hash: 519f9c265dfa2b6d8ccfcc5f1bfef8bfa176fcd095f0663762065dff4aef5f2b
MD5 hash: 737ce8eee034580750e6c70288197dc0
SHA1 hash: 6432e51abbfc8999da9ed38a4cdc48ecbee4743a

SHA256 hash: c8bdc11b294dc8f32669737dd504b67d4e994df7289d7da8e13a265f0c002c82
MD5 hash: 3fc5503ae4e9791d2eaeb69eebad7228
SHA1 hash: 37713803e485ee6d9d949c3bea97d22d9515dccb

SHA256 hash: 92b08b775a5022a13bcd568a0914c999137eb288d6ca2c8630b283d7f6681f36
MD5 hash: 396166152728edaf00db60e68c6db981
SHA1 hash: f57fb17f3002979c92a08ada0aa0770f0bcc3d50

SHA256 hash: 491256a5cb44daeb91f7436bedf45cd7d86404e4a4183bd56f2d7be70f77719b
MD5 hash: acca08a7114f7bc87c0b6377437229d3
SHA1 hash: c94d8aa8a684e2027dfc986928f9983fefce3326

SHA256 hash: 9fbb358fa899836b1abcc15ec6f58b6bde78d29d7fc8d0cd4655057d66383332
MD5 hash: 2a72122a15deb2935323c19785727c49
SHA1 hash: bce7eb93d644ed3589f165ed4fc3bc35f1aac8e4

SHA256 hash: 0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash: 13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash: e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd

SHA256 hash: 00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash: bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash: cdf7dd7dd1771edcc473037af80afd7e449e30d9

SHA256 hash: cebf1665279b1ce695f105bfe9710012793c5dce9e06b53b778d66eeb553c5ab
MD5 hash: b5611df0f2ad9a0214a32a8503d30417
SHA1 hash: 531b916099a0c94ea5d17ab344214ef1292c3a7c
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: AveMariaRAT
File type: Executable exe
SHA256: cebf1665279b1ce695f105bfe9710012793c5dce9e06b53b778d66eeb553c5ab (this sample)

Comments