Threat name: AveMaria, Gocoder, KeyLogger, LimeRAT, N
Alert
Classification: evad.mine.rans.phis.troj.adwa.spyw.expl
Signatures:
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to infect the boot sector
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates multiple autostart registry keys
Deletes shadow drive data (may be related to ransomware)
Disables zone checking for all users
Drops PE files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
High number of junk calls found (likely related to sandbox DOS / API hammering)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Locky time evasion found (measures execution of CloseHandle and GetProcessHeap)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Potentially malicious time measurement code found
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AveMaria stealer
Yara detected BrowserPasswordDump
Yara detected Gocoder ransomware
Yara detected Keylogger Generic
Yara detected StormKitty Stealer
Yara detected Vidar stealer
Yara detected Xorium Stealer
Behavior Graph
ID: 1933033
Sample: v49922.exe
Startdate: 24/06/2026
Architecture: WINDOWS
Score: 100

Sample-level network: lib.esteghlal.news; telegram.me; 2 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 34 other signatures

Process tree (child processes indented under their parent; network contacts, dropped files and signatures listed per process):

v49922.exe
  network: 62.60.226.185, 49813, 49815, 49816 (FEMOITGB, Germany); lib.esteghlal.news 172.67.148.199, 443, 49805, 49806 (CLOUDFLARENET-CloudflareIncUS, Canada); telegram.me 149.154.167.99, 443, 49804 (TELEGRAMVG, United Kingdom)
  dropped: C:\Users\user\AppData\Local\...\cb675f1c.exe (PE32); C:\Users\user\AppData\Local\...\a9242239.exe (PE32); C:\Users\user\AppData\Local\...\69bb47db.exe (PE32); 2 other malicious files
  signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found many strings related to Crypto-Wallets (likely being stolen); Deletes shadow drive data (may be related to ransomware); 8 other signatures
  cmd.exe
    cb675f1c.exe
      network: ip-api.com 208.95.112.1, 49814, 80 (TUT-AS-TotalUptimeTechnologiesLLCUS, United States)
      dropped: C:\Users\user\AppData\Roaming\Chrome.exe (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 5 other signatures
      powershell.exe
        signatures: Loading BitLocker PowerShell Module
        conhost.exe
          signatures: Installs a global keyboard hook
      powershell.exe
        conhost.exe
      powershell.exe
        conhost.exe
      2 other processes
        conhost.exe
        conhost.exe
    conhost.exe
  cmd.exe
    a9242239.exe
      dropped: C:\Users\user\AppData\Local\...\Dllhost.exe (PE32)
      Dllhost.exe
        dropped: C:\Users\user\AppData\...\Java update.exe (PE32); C:\Users\user\AppData\Local\Temp\Server.exe (PE32)
        signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 4 other signatures
        schtasks.exe
          conhost.exe
            signatures: Installs a global keyboard hook
    conhost.exe
  cmd.exe
    69bb47db.exe
      signatures: Locky time evasion found (measures execution of CloseHandle and GetProcessHeap); Contains functionality to detect virtual machines (IN, VMware); Contains functionality to detect hardware virtualization (CPUID execution measurement); 2 other signatures
      WerFault.exe
    conhost.exe
  2 other processes
    48090ead.exe
      dropped: C:\Users\user\AppData\Local\Temp\Wihnup.exe (PE32)
      signatures: Protects its processes via BreakOnTermination flag; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      2 other processes
        4 other processes
    3c60535e.exe
      dropped: C:\Users\user\AppData\Roaming\...\Chrome.exe (PE32)
      signatures: Deletes shadow drive data (may be related to ransomware); Hides that the sample has been downloaded from the Internet (zone.identifier)
      Chrome.exe
        network: ipwho.is 104.20.44.133, 443, 49818 (CLOUDFLARENET-CloudflareIncUS, Canada)
        signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
        schtasks.exe
          conhost.exe
      schtasks.exe
        conhost.exe
    2 other processes
Wihnup.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 2 other signatures
Server.exe
10 other processes