MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddb61652772dfbae79ce10a2f92cfe6f585b7851afce2b3eb8bf70605f419154. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddb61652772dfbae79ce10a2f92cfe6f585b7851afce2b3eb8bf70605f419154
SHA3-384 hash: 406ed7d68ea7a6a71c03be12d6a0d989d62af8c5d2fcd3d16fcc38ad5c7a724c9f828bed6e993fa037e95e724738524e
SHA1 hash: 3fc373de4cf0b728a0b9a17608b493f114cdf9cf
MD5 hash: ace68031816b590f740f60db507faa88
humanhash: cardinal-failed-hot-social
File name:afkjo.vbs
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:379'696 bytes
First seen:2023-09-28 20:03:06 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:pSi9Pz5wgWx5JxOxB2AQuqfnfHQ6tC/sDvYcsY3YpYtsv:J9Pz+gWx5JxOxp4HHQ6A/N
Threatray 555 similar samples on MalwareBazaar
TLSH T1A384A22025EF544CB2B77F522BDCB6E98E6FFBA2151AE05D2404430BDBA1E44CE65732
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter James_inthe_box
Tags:AveMariaRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451827/
Detection(s):
SecuriteInfo.com.VBS.Obfuscated-JW.19382.15869.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6515dc3434be449f011af397/reports/3e6d3edd-417e-4c31-a837-bb2cf9968bee/overview
Verdict:
Malicious
Labled as:
GT:VB.LrgVrObfsc.1
Link:
https://www.hybrid-analysis.com/sample/ddb61652772dfbae79ce10a2f92cfe6f585b7851afce2b3eb8bf70605f419154
Result
Verdict:
MALICIOUS
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316064
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found evasive API chain checking for user administrative privileges
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell download and load assembly
Snort IDS alert for network traffic
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AveMaria stealer
Yara detected Generic Downloader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1316064 Sample: afkjo.vbs Startdate: 28/09/2023 Architecture: WINDOWS Score: 100 30 Snort IDS alert for network traffic 2->30 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 7 other signatures 2->36 8 wscript.exe 1 2->8         started        process3 signatures4 46 VBScript performs obfuscated calls to suspicious functions 8->46 48 Suspicious powershell command line found 8->48 50 Wscript starts Powershell (via cmd or directly) 8->50 52 3 other signatures 8->52 11 powershell.exe 7 8->11         started        process5 signatures6 54 Suspicious powershell command line found 11->54 56 Found suspicious powershell code related to unpacking or dynamic code loading 11->56 14 powershell.exe 14 15 11->14         started        18 conhost.exe 11->18         started        process7 dnsIp8 26 uploaddeimagens.com.br 172.67.215.45, 443, 49723 CLOUDFLARENETUS United States 14->26 28 79.110.48.52, 49726, 80 OTAVANET-ASCZ Germany 14->28 58 Contains functionality to hide user accounts 14->58 60 Writes to foreign memory regions 14->60 62 Injects a PE file into a foreign processes 14->62 20 RegAsm.exe 3 181 14->20         started        signatures9 process10 dnsIp11 24 werberyouse.kozow.com 79.134.225.108, 2936, 49728 FINK-TELECOM-SERVICESCH Switzerland 20->24 38 Contains functionality to hide user accounts 20->38 40 Contains functionality to check if Internet connection is working 20->40 42 Contains functionality to inject threads in other processes 20->42 44 5 other signatures 20->44 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ddb61652772dfbae79ce10a2f92cfe6f585b7851afce2b3eb8bf70605f419154/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-09-28 20:03:01 UTC
File Type:
Text (VBS)
AV detection:
6 of 22 (27.27%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3w3bmutxfx5246ooccrpslh6n5mfw6crv7hcwpvyx5ygax2bsfka._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0a9c93af93718bab8e1d620b1dc4a727f77e9d7bc421ee9ccc59f5fe7f154837
AveMariaRAT
2532cb332efc6086c05d5de55eb02cbedbb053f10400076a521540542248986b
AveMariaRAT
280f496ca58dc38705871bce43803a623ae40ec1f47fd52d0eb50d49740a0725
AveMariaRAT
3180620ee9921fa4fbfbbb780478f80b4c5b58e7f2d94563ac7dbb19fe602a01
AveMariaRAT
50b84d6a84b7bd56b635bc6816321470c7dc01308b9bffd51dade9b9d1f80132
AveMariaRAT
8fe28392ed74cab65862f53a220dc2139b4d58ec342da62487c5a6e62999fe67
AveMariaRAT
9d5bf672e7bbf92805e5c3ef96099e96634b8fdfba90a29cd73cb2c8c3e1d4bd
AveMariaRAT
c897c8d2450936785b92dae3655022d1c6f21c9a56c5117f823dec60eca96868
AveMariaRAT
d33f5262375dff205d38b290de80d6b6a7b5edeb5a0d5f1b01048bd3a371cd42
AveMariaRAT
+ 545 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230928-ys9d4afe96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ddb61652772d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ave Maria
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ddb61652772dfbae79ce10a2f92cfe6f585b7851afce2b3eb8bf70605f419154

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/451827/
  
URLhaus
https://urlhaus.abuse.ch/url/2714964/

Comments