MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dce4615cac8bad8de4310b354621a02e36e153ab8bf4f5c5c2242e81f9a98a27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dce4615cac8bad8de4310b354621a02e36e153ab8bf4f5c5c2242e81f9a98a27
SHA3-384 hash: e249b0d5ffaf60a0d469078cf8162077fca1495336fd841c4654abe65f5f446bbba12c83b5d50e73d2f44100c6c70747
SHA1 hash: 4197ca2095596f12c7e4a6334b6150284328ad13
MD5 hash: f20f46bfffc6cef11b1560cd9cc338be
humanhash: alanine-alanine-hydrogen-purple
File name:payment-copy_22-093003.bat
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'370'112 bytes
First seen:2022-03-24 07:19:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:2ht8+RrIc3K2iEsbooLF0rRNjIJ2IRG1pXFMRnC44SnH:Weo83EsbooLFq/eSZFKC4l
Threatray 2'023 similar samples on MalwareBazaar
TLSH T1D655F19C3690759FCC2BCA768A941CA4EB206477470BD243A09712ED9B4E9CBCF155F3
Reporter GovCERT_CH
Tags:AveMariaRAT exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RDPWrap
Create hunting rule
Link:
https://www.capesandbox.com/analysis/257042/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623c1baedfdfa8501cd73160/reports/4c5c55da-ec20-4836-b327-be4794dd2bf8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1030e39-2c00-4b61-8a5e-1319052a5f1c
Result
Threat name:
AveMaria Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/963534
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to create processes via WMI
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Creates processes via WMI
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 596014 Sample: payment-copy_22-093003.bat Startdate: 24/03/2022 Architecture: WINDOWS Score: 100 96 Malicious sample detected (through community Yara rule) 2->96 98 Antivirus detection for dropped file 2->98 100 Multi AV Scanner detection for dropped file 2->100 102 20 other signatures 2->102 10 payment-copy_22-093003.exe 7 2->10         started        14 WmiPrvSE.exe 2->14         started        16 cmd.exe 2->16         started        18 WmiPrvSE.exe 2->18         started        process3 file4 80 C:\Users\user\AppData\Roaming\zwmZqKIV.exe, PE32 10->80 dropped 82 C:\Users\...\zwmZqKIV.exe:Zone.Identifier, ASCII 10->82 dropped 84 C:\Users\user\AppData\Local\...\tmpA0CA.tmp, XML 10->84 dropped 86 C:\Users\...\payment-copy_22-093003.exe.log, ASCII 10->86 dropped 122 Uses schtasks.exe or at.exe to add and modify task schedules 10->122 124 Adds a directory exclusion to Windows Defender 10->124 20 payment-copy_22-093003.exe 3 10->20         started        23 powershell.exe 24 10->23         started        25 schtasks.exe 1 10->25         started        27 ProgramData:ApplicationData 14->27         started        30 WMIC.exe 16->30         started        32 conhost.exe 16->32         started        signatures5 process6 file7 76 C:\Users\user\AppData\...\warzone poison.exe, PE32 20->76 dropped 78 C:\Users\user\AppData\...\nerronewsn.exe, PE32 20->78 dropped 34 warzone poison.exe 20->34         started        38 nerronewsn.exe 15 2 20->38         started        41 conhost.exe 23->41         started        43 conhost.exe 25->43         started        126 Antivirus detection for dropped file 27->126 128 Found evasive API chain (may stop execution after checking mutex) 27->128 130 Machine Learning detection for dropped file 27->130 134 3 other signatures 27->134 132 Creates processes via WMI 30->132 signatures8 process9 dnsIp10 68 C:\ProgramData\windowsupdate.exe, PE32 34->68 dropped 70 C:\ProgramData:ApplicationData, PE32 34->70 dropped 72 C:\Users\user\AppData\...\programs.bat:start, ASCII 34->72 dropped 74 C:\Users\user\AppData\...\programs.bat, ASCII 34->74 dropped 104 Creates files in alternative data streams (ADS) 34->104 106 Adds a directory exclusion to Windows Defender 34->106 108 Increases the number of concurrent connection per server for Internet Explorer 34->108 110 Hides that the sample has been downloaded from the Internet (zone.identifier) 34->110 45 windowsupdate.exe 34->45         started        49 cmd.exe 34->49         started        51 powershell.exe 34->51         started        88 checkip.dyndns.com 132.226.8.169, 49776, 80 UTMEMUS United States 38->88 90 freegeoip.app 188.114.97.7, 443, 49786 CLOUDFLARENETUS European Union 38->90 92 checkip.dyndns.org 38->92 112 Antivirus detection for dropped file 38->112 114 Multi AV Scanner detection for dropped file 38->114 116 May check the online IP address of the machine 38->116 118 4 other signatures 38->118 file11 signatures12 process13 dnsIp14 94 76.8.53.133, 1198, 49801, 49802 QUONIXNETUS United States 45->94 136 Antivirus detection for dropped file 45->136 138 Machine Learning detection for dropped file 45->138 140 Contains functionality to inject threads in other processes 45->140 142 6 other signatures 45->142 53 powershell.exe 45->53         started        55 cmd.exe 45->55         started        57 reg.exe 49->57         started        60 conhost.exe 49->60         started        62 conhost.exe 51->62         started        signatures15 process16 signatures17 64 conhost.exe 53->64         started        66 conhost.exe 55->66         started        120 Creates an undocumented autostart registry key 57->120 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dce4615cac8bad8de4310b354621a02e36e153ab8bf4f5c5c2242e81f9a98a27/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-24 07:19:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3tsgcxfmrowy3zbrbm2uminafy3ocu5lrp2plroceqxid6njritq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
29a4c97029dcf52e73bb65d748d1fd6194c5f7f72fe8c272320bbe38636e0f3a
AveMariaRAT
4b1532fa6483dfb4194a1f3fbf583f511caea6035f61e9ffad798bd58981f5a8
AveMariaRAT
94fd8c7b7935c64a7ed46794b3b5597800ae02715d5d0d95df19b208dc0d98fb
AveMariaRAT
a06df43cf78f226603a42ee45c6c676ecc9f5a6c978d3b3e18b364b116ba20fc
AveMariaRAT
a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249
AveMariaRAT
aaeea2518247c61576d04a680a02693dbb21cff050af2d3049f0c0636cbc478b
AveMariaRAT
fb55340ef36d5bfae56dd84e51b9aff7996ab7428fd1fcbe53dfb8fdcda244e8
AveMariaRAT
fdcb93d14d249d6970c9f7374eb95190af62db72b5555c48d23a3af20902b682
AveMariaRAT
+ 2'013 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220324-h5h5nsacgk/
Unpacked files
SH256 hash:
d185986cb9b369a5f5d641c80d09adc878771b33ab020879629fb570c2cd7cec
MD5 hash:
755b1262aa6b3a6b267b41580c7e8972
SHA1 hash:
b2f0f7293cf7162895df2976eecfc1084eeba2fc
Link:
https://www.unpac.me/results/7de6b9b8-50fc-4eac-8242-30e836850c04/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/7de6b9b8-50fc-4eac-8242-30e836850c04/
SH256 hash:
017c61631075514428dd2183757cd18727db1bb1a4a4aa779ed4e59989f61b94
MD5 hash:
22b6633349dec3d98bf94b389d3a64c4
SHA1 hash:
1d2ce6374735498193d55ac5977e89b7ceb78518
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/7de6b9b8-50fc-4eac-8242-30e836850c04/
Parent samples :
4b1532fa6483dfb4194a1f3fbf583f511caea6035f61e9ffad798bd58981f5a8
dce4615cac8bad8de4310b354621a02e36e153ab8bf4f5c5c2242e81f9a98a27
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/7de6b9b8-50fc-4eac-8242-30e836850c04/
SH256 hash:
24fbdb2854d2ec1771248d85ae452b4f7e9b75d5d01ae2924b81c578de138f4b
MD5 hash:
c0edc2c11c3c417766e3cf1e4eaf523a
SHA1 hash:
f425e65a33871e798ac55c032b50ce89557f5fac
Link:
https://www.unpac.me/results/7de6b9b8-50fc-4eac-8242-30e836850c04/
SH256 hash:
dc5c057b0ee1eb079cf189762aac69f0d86338ea18795dc4fbf7ed9b5a45c2eb
MD5 hash:
4103ed94f4747b30e166cf3c25416f47
SHA1 hash:
d553a67056e94f60d621ca42dcecd6d93f9ef1ad
Link:
https://www.unpac.me/results/7de6b9b8-50fc-4eac-8242-30e836850c04/
SH256 hash:
379520d694fa21e9f03ceeea49442fecdf1ee2f8374d825d7ec59421421b02bc
MD5 hash:
30cf28f494403a9d3d742f76973dea0a
SHA1 hash:
a01d497f32ce2e18047668607f252a751316e718
Link:
https://www.unpac.me/results/7de6b9b8-50fc-4eac-8242-30e836850c04/
SH256 hash:
21befa6de75be34c0b1cbb68519c13520770c03aa00611eeba97107e189eb22a
MD5 hash:
df4c4644285d2fbe9b953cabd88d9130
SHA1 hash:
16578076de1841ac16c12c998a151a6d6656a487
Link:
https://www.unpac.me/results/7de6b9b8-50fc-4eac-8242-30e836850c04/
SH256 hash:
dce4615cac8bad8de4310b354621a02e36e153ab8bf4f5c5c2242e81f9a98a27
MD5 hash:
f20f46bfffc6cef11b1560cd9cc338be
SHA1 hash:
4197ca2095596f12c7e4a6334b6150284328ad13
Link:
https://www.unpac.me/results/7de6b9b8-50fc-4eac-8242-30e836850c04/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dce4615cac8bad8de4310b354621a02e36e153ab8bf4f5c5c2242e81f9a98a27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe dce4615cac8bad8de4310b354621a02e36e153ab8bf4f5c5c2242e81f9a98a27

(this sample)

  
Dropped by
snakekeylogger
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/257042/

Comments