MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3ced1332d5437bfd61e06610852c43d8b00c6bd100ff6e84f0daed25ccefdd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3ced1332d5437bfd61e06610852c43d8b00c6bd100ff6e84f0daed25ccefdd9
SHA3-384 hash: 9e2070b2cf45804b1cceccde1b384f58ad421ddc62f5bf8b0f6135baf07af5b569420333374ddc181f09b0e1b82f838d
SHA1 hash: b7d63395138c25ffe8c27ac397f5024da764c42f
MD5 hash: 7b50273a41c8d725b7bfd3c485504366
humanhash: autumn-aspen-washington-mexico
File name:Purchase_Order - SEPT-013-2023.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:248'832 bytes
First seen:2023-09-14 07:14:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 3072:4s+LN8m2lixU68b63mIU0fYvtM5mGd9YKKdfD9bf9/3veWvEUQNcTxsND:mLN8jlgqfIU0fYVMcGUf1feWNQNcT6
Threatray 436 similar samples on MalwareBazaar
TLSH T18034E803BB4789A1F284173EC5DB441053B5E9C9B2A7DB0A3BEA33D618537B6BC89147
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1f195b5a5b6f777f (12 x AgentTesla, 2 x AZORult, 2 x PureCrypter)
Reporter abuse_ch
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
Purchase_Order - SEPT-013-2023.exe
Verdict:
Malicious activity
Analysis date:
2023-09-14 07:20:15 UTC
Tags:
rat avemaria remote warzone
Link:
https://app.any.run/tasks/b2683f63-adb8-4139-a31d-00917bda3180

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448566/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.22979.22473.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %AppData% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a window
DNS request
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade packed replace
Link:
https://www.filescan.io/uploads/6502b2f79bae8a3785568fc7/reports/44160a0a-5569-4b44-8f3a-a37d6ee411c9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d3ced1332d5437bfd61e06610852c43d8b00c6bd100ff6e84f0daed25ccefdd9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b8dc4408-686e-4df3-b288-897b1f9dd82f
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307665
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected Costura Assembly Loader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1307665 Sample: Purchase_Order_-_SEPT-013-2... Startdate: 14/09/2023 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->59 61 9 other signatures 2->61 6 Purchase_Order_-_SEPT-013-2023.exe 16 5 2->6         started        11 Vuyfrlbxwib.exe 14 5 2->11         started        13 Vuyfrlbxwib.exe 4 2->13         started        process3 dnsIp4 31 qu.ax 199.19.74.139, 443, 49719, 49750 KAMATERAUS United States 6->31 29 C:\Users\user\AppData\...\Vuyfrlbxwib.exe, PE32 6->29 dropped 63 Contains functionality to hide user accounts 6->63 65 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 6->65 67 Writes to foreign memory regions 6->67 15 aspnet_compiler.exe 3 25 6->15         started        69 Multi AV Scanner detection for dropped file 11->69 71 Machine Learning detection for dropped file 11->71 73 Allocates memory in foreign processes 11->73 19 aspnet_compiler.exe 11->19         started        75 Injects a PE file into a foreign processes 13->75 21 aspnet_compiler.exe 13->21         started        23 aspnet_compiler.exe 13->23         started        25 aspnet_compiler.exe 13->25         started        27 aspnet_compiler.exe 13->27         started        file5 signatures6 process7 dnsIp8 33 193.42.32.223, 49741, 49778, 5200 EENET-ASEE Germany 15->33 35 web.fe.1drv.com 15->35 37 onedrive.live.com 15->37 43 Contains functionality to check if Internet connection is working 15->43 45 Contains functionality to inject threads in other processes 15->45 47 Contains functionality to steal Chrome passwords or cookies 15->47 53 4 other signatures 15->53 39 web.fe.1drv.com 19->39 41 onedrive.live.com 19->41 49 Tries to harvest and steal browser information (history, passwords, etc) 19->49 51 Contains functionality to hide user accounts 21->51 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3ced1332d5437bfd61e06610852c43d8b00c6bd100ff6e84f0daed25ccefdd9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-13 03:24:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
15 of 36 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2phncmznkq337vq6azqqquwehwfqbrv5cah7n2cpbwxnexgo7xmq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0a9c93af93718bab8e1d620b1dc4a727f77e9d7bc421ee9ccc59f5fe7f154837
AveMariaRAT
280f496ca58dc38705871bce43803a623ae40ec1f47fd52d0eb50d49740a0725
AveMariaRAT
34b8932980e5d4741763bac8c088fcaca1e59b709801c84653830c58d36c7c14
AveMariaRAT
389e52a5612f9242ae4162ba51323010a97641be291893dcb9bc261ca26acb27
AveMariaRAT
50b84d6a84b7bd56b635bc6816321470c7dc01308b9bffd51dade9b9d1f80132
AveMariaRAT
78b45024f4ce309e9091f88bfb65be3bfa6afd5699771d0d82b31aa085b1a111
AveMariaRAT
918f09129def9a8720ce512b77e77161e01d76849f0c9b21ee127be1e6202ec4
AveMariaRAT
9d5bf672e7bbf92805e5c3ef96099e96634b8fdfba90a29cd73cb2c8c3e1d4bd
AveMariaRAT
c897c8d2450936785b92dae3655022d1c6f21c9a56c5117f823dec60eca96868
AveMariaRAT
e88a1484c485f473cd852bedc70e36aae19e8aa726f6612431b528e45c91be81
AveMariaRAT
+ 426 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer persistence rat
Link:
https://tria.ge/reports/230914-h2n7hsch23/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
193.42.32.223:5200
Unpacked files
SH256 hash:
d3ced1332d5437bfd61e06610852c43d8b00c6bd100ff6e84f0daed25ccefdd9
MD5 hash:
7b50273a41c8d725b7bfd3c485504366
SHA1 hash:
b7d63395138c25ffe8c27ac397f5024da764c42f
Link:
https://www.unpac.me/results/030561c3-3c00-4699-85c5-bd9297d31705/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d3ced1332d54/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ave Maria
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3ced1332d5437bfd61e06610852c43d8b00c6bd100ff6e84f0daed25ccefdd9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe d3ced1332d5437bfd61e06610852c43d8b00c6bd100ff6e84f0daed25ccefdd9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/448566/

Comments