MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8b0bc17d73b611e2ae4ac8addf6a90745af6107cfadffc7cc497a2db38afc87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8b0bc17d73b611e2ae4ac8addf6a90745af6107cfadffc7cc497a2db38afc87
SHA3-384 hash: b03cced8416fdfb8bb4e1bddf1daecd33cb22db9d3bedd47d112eb2d69205ae1e6871dbba2c274cb24944d1a4194fbbe
SHA1 hash: 0d62f6fd842197f855986da747fbae8c14d3ccf1
MD5 hash: 26155e96db9e26fa870f7be50c281d3c
humanhash: friend-july-summer-mockingbird
File name:Milieubeskyttelsesinteressernes.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:296'368 bytes
First seen:2023-02-22 12:56:44 UTC
Last seen:2023-02-22 14:42:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eae418c7423834ffc3d79b4300bd6fb (54 x GuLoader, 17 x RemcosRAT, 16 x AgentTesla)
ssdeep 6144:LicFyL3iGmri24SPDtW9JHDff/g1++QPX8fp9bJZky:ePyaS5uJHTX14bJZ
Threatray 514 similar samples on MalwareBazaar
TLSH T19F5412211BB4D05BFAB19DB148729F678EDAAA2145913F5703C09B0E7E33B809F2E711
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 69dcba23b392dc79 (3 x AveMariaRAT, 1 x NanoCore, 1 x GuLoader)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-06-23T05:18:27Z
Valid to:2025-06-22T05:18:27Z
Serial number: 3d416c7863b8d88552457afc28dbb9a50bbeb11d
Thumbprint Algorithm:SHA256
Thumbprint: ad9c8241fbfc63310f71ef6b3ad698351e01698a64061c531bf72760d01c5438
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
AveMariaRAT C2:
91.193.75.149:3630

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Milieubeskyttelsesinteressernes.exe
Verdict:
Malicious activity
Analysis date:
2023-02-22 13:02:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/afd9a645-dcaa-4c36-a373-bb8fedd5fcbf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369036/
Detection(s):
SecuriteInfo.com.Heur.30354.9395.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Delayed reading of the file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72241/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63f6112001b99ad33e802862/reports/83648e39-f725-47bf-827d-d41f6ead8851/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d8b0bc17d73b611e2ae4ac8addf6a90745af6107cfadffc7cc497a2db38afc87
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4b825a4d-08d3-4cf4-9f70-85e749c63dad
Result
Threat name:
AveMaria, GuLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
troj.evad.rans.phis.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1180708
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Contains functionality to hide user accounts
Drops PE files to the document folder of the user
Found potential ransomware demand text
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected AveMaria stealer
Yara detected GuLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 11652 Sample: Milieubeskyttelsesinteresse... Startdate: 22/02/2023 Architecture: WINDOWS Score: 100 74 wtwrrtxhssbqsm-fk.duckdns.org 2->74 76 googlehosted.l.googleusercontent.com 2->76 78 2 other IPs or domains 2->78 92 Snort IDS alert for network traffic 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 Multi AV Scanner detection for dropped file 2->96 98 7 other signatures 2->98 12 Milieubeskyttelsesinteressernes.exe 28 2->12         started        16 Fritidshjemmet.exe 20 2->16         started        18 rdpvideominiport.sys 2->18         started        20 2 other processes 2->20 signatures3 process4 file5 68 C:\Users\user\AppData\Local\...\System.dll, PE32 12->68 dropped 124 Drops PE files to the document folder of the user 12->124 126 Adds a directory exclusion to Windows Defender 12->126 128 Tries to detect Any.run 12->128 22 Milieubeskyttelsesinteressernes.exe 6 13 12->22         started        70 C:\Users\user\AppData\Local\...\System.dll, PE32 16->70 dropped 27 WerFault.exe 21 16->27         started        signatures6 process7 dnsIp8 84 googlehosted.l.googleusercontent.com 142.250.186.161, 443, 49838, 49846 GOOGLEUS United States 22->84 86 drive.google.com 142.250.186.46, 443, 49837, 49845 GOOGLEUS United States 22->86 62 C:\Users\user\Documents\Windows.exe, PE32 22->62 dropped 64 C:\Users\user\AppData\...\Fritidshjemmet.exe, PE32 22->64 dropped 66 C:\Users\user\...\Windows.exe:Zone.Identifier, ASCII 22->66 dropped 108 Adds a directory exclusion to Windows Defender 22->108 110 Tries to detect Any.run 22->110 112 Increases the number of concurrent connection per server for Internet Explorer 22->112 114 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->114 29 Windows.exe 20 22->29         started        33 powershell.exe 23 22->33         started        88 192.168.11.1, 5351 unknown unknown 27->88 file9 signatures10 process11 file12 72 C:\Users\user\AppData\Local\...\System.dll, PE32 29->72 dropped 130 Adds a directory exclusion to Windows Defender 29->130 132 Tries to detect Any.run 29->132 35 Windows.exe 5 32 29->35         started        40 conhost.exe 33->40         started        signatures13 process14 dnsIp15 80 wtwrrtxhssbqsm-fk.duckdns.org 91.193.75.149, 3630, 49848 DAVID_CRAIGGG Serbia 35->80 82 127.0.0.1 unknown unknown 35->82 54 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 35->54 dropped 56 C:\Users\user\AppData\Local\Temp\nss3.dll, PE32 35->56 dropped 58 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 35->58 dropped 60 6 other files (3 malicious) 35->60 dropped 100 Hides user accounts 35->100 102 Tries to harvest and steal browser information (history, passwords, etc) 35->102 104 Adds a directory exclusion to Windows Defender 35->104 106 Tries to detect Any.run 35->106 42 13.exe 35->42         started        46 powershell.exe 35->46         started        file16 signatures17 process18 dnsIp19 90 239.255.255.250, 1900 unknown Reserved 42->90 116 Antivirus detection for dropped file 42->116 118 Multi AV Scanner detection for dropped file 42->118 120 Uses netsh to modify the Windows network and firewall settings 42->120 122 Modifies the windows firewall 42->122 48 netsh.exe 42->48         started        50 conhost.exe 46->50         started        signatures20 process21 process22 52 conhost.exe 48->52         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8b0bc17d73b611e2ae4ac8addf6a90745af6107cfadffc7cc497a2db38afc87/
Threat name:
Win32.Downloader.Minix
Create hunting rule
Status:
Malicious
First seen:
2023-02-22 12:09:08 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
12 of 25 (48.00%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3cylyf6xhnqr4kxevsfn35vja5c26yihz6w77r6mjf5c3m4k7sdq._file
Verdict:
unknown
Similar samples:
1104665d2257c57ec4b02dab78e072bbf7a091952d2e0424792d2caba586e5d6
AveMariaRAT
18b1abba90cf4a74b7216b91f02febb1c8694113f5ddc3507fd35b66253bcb83
AveMariaRAT
20fb078a0205ca04adf66dd2250409721698e14e9e1d2590eeff2873265e896b
AveMariaRAT
b534709b0de0c4392af03fea261580b08915ae1e5a55496f85dc21500c6a8338
AveMariaRAT
c2882a42e9ad87ef5260d3299307dae39af71853c75b44441c0dec497bc5c175
AveMariaRAT
dc5da53a5e93a588335b6561258d1540ac7d696c633d03de92e72d8e53254234
AveMariaRAT
f13b318caba7938d24d18b32e16a1f111ec694b313590a4023f5e277d70ef7db
AveMariaRAT
f4b15c4c1ad3c5de9ded9964ee4313a5fd3023f222d98a2ea287727dcea19732
AveMariaRAT
ff2c1d0bdc27e3137837afac350c6e433e86d4523f32555b3b59de1aa0981c53
AveMariaRAT
+ 504 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:warzonerat downloader evasion infostealer persistence rat upx
Link:
https://tria.ge/reports/230222-p6x4jsdd7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Checks QEMU agent file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Modifies Windows Firewall
Sets DLL path for service in the registry
Guloader,Cloudeye
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
MD5 hash:
8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 hash:
7cc1caaa747ee16dc894a600a4256f64fa65a9b8
Link:
https://www.unpac.me/results/67fb3281-1c3f-4c54-ac5a-a68d256c036c/
SH256 hash:
d8b0bc17d73b611e2ae4ac8addf6a90745af6107cfadffc7cc497a2db38afc87
MD5 hash:
26155e96db9e26fa870f7be50c281d3c
SHA1 hash:
0d62f6fd842197f855986da747fbae8c14d3ccf1
Link:
https://www.unpac.me/results/67fb3281-1c3f-4c54-ac5a-a68d256c036c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ave Maria
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8b0bc17d73b611e2ae4ac8addf6a90745af6107cfadffc7cc497a2db38afc87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369036/

Comments