MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc5da53a5e93a588335b6561258d1540ac7d696c633d03de92e72d8e53254234. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 11

SHA256 hash: dc5da53a5e93a588335b6561258d1540ac7d696c633d03de92e72d8e53254234
SHA3-384 hash: ad023bea79ce3df125611b3591682042be257da56e7cb3f710cf295236b78510b6a1d96046f5b237112ef76a8edcecd6
SHA1 hash: 04dd2dc5affeca50ee9bfaaaa4b150864c989871
MD5 hash: 84bdff429235353658272bbd1906fac3
humanhash: zebra-monkey-grey-summer
File name: Invitation to Bid Quotation 15-02-2023·pdf.ex.exe
Signature: AveMariaRAT
File size: 636'088 bytes
First seen: 2023-02-15 01:49:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 57e98d9a5a72c8d7ad8fb7a6a58b3daf (60 x GuLoader, 20 x AZORult, 12 x RemcosRAT)
ssdeep: 12288:Yf1Pcyk2EGAFWO0X9zQDFczNOqggwMftxfT8:3Ve8t2JfJONgwotx78
Threatray: 17'762 similar samples on MalwareBazaar
TLSH: T193D4F040B691C8B7C55512738CA6EB29677ABE04985E8F07368DB34EAD3738F3817385
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: AveMariaRAT exe RAT signed

Code Signing Certificate

Organisation: Forankringspunktets
Issuer: Forankringspunktets
Algorithm: sha256WithRSAEncryption
Valid from: 2023-02-14T23:15:44Z
Valid to: 2026-02-13T23:15:44Z
Serial number: -43447476aa12c269
Thumbprint Algorithm: SHA256
Thumbprint: 84e527dad544c4ab6fcd9a4c0dbb36e362a05556f8185e9756c03a5981b1a945
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
AveMariaRAT C2:
91.193.75.188:2345

Intelligence


File Origin
# of uploads: 1
# of downloads: 233
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Invitation to Bid Quotation 15-02-2023·pdf.ex.exe
Verdict: Malicious activity
Analysis date: 2023-02-15 01:52:01 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AveMaria, GuLoader, UACMe
Detection: malicious
Classification: troj.evad.rans.phis.spyw.expl
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Found potential ransomware demand text
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected GuLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph: [rendered process/network graph not reproduced] Behavior Graph ID: 807918, Sample: Invitation to Bid Quotation..., Startdate: 15/02/2023, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Nsisx
Status: Malicious
First seen: 2023-02-15 01:50:10 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 11 of 39 (28.21%)
Threat level: 5/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:guloader family:warzonerat downloader evasion infostealer persistence rat upx
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Checks QEMU agent file
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
UPX packed file
Modifies Windows Firewall
Sets DLL path for service in the registry
Guloader, Cloudeye
WarzoneRat, AveMaria
Unpacked files
SHA256 hash: a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
MD5 hash: fbe295e5a1acfbd0a6271898f885fe6a
SHA1 hash: d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256 hash: 6c7d6974e13ca3387fc32d52b6ddf48daab0b49bbaa4c08737f805ea4faf94a2
MD5 hash: d8346645a9ec58108a21af6f6cdfd2a1
SHA1 hash: 920a0cad9c993f52ef01d08f67cac99ac8832be9

SHA256 hash: dc5da53a5e93a588335b6561258d1540ac7d696c633d03de92e72d8e53254234
MD5 hash: 84bdff429235353658272bbd1906fac3
SHA1 hash: 04dd2dc5affeca50ee9bfaaaa4b150864c989871
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments