MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1457c29de4acf85b9420e78bb22d8c84e674a1bce55a9a8070bb4ef4bd883d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1457c29de4acf85b9420e78bb22d8c84e674a1bce55a9a8070bb4ef4bd883d2
SHA3-384 hash: 9ce86ab81905ec409a8b4ef2da0ddbcb1602b77b8065b00c5fc934bc641c7d099123c12588f2c3aed225059d0d85847a
SHA1 hash: e10d30e3df726735e917744131e8ffad1c3f9b73
MD5 hash: 7cdd66a82d9e6d4c417d908c85ffc78b
humanhash: dakota-alpha-twelve-muppet
File name:2fe24dbb15ba9a7c2fa51066b81c89e6.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:103'936 bytes
First seen:2020-03-31 01:25:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 879635b629affd65258851469f9bf6f9 (31 x AveMariaRAT)
ssdeep 1536:lvqIPE8ddFD1frrq7gVxoNGPNJKF1m+xVE0/bK:cI8CxFVxAMNJKu+xVE0TK
Threatray 425 similar samples on MalwareBazaar
TLSH 1FA39D2377D14439F67102B02CB97E79CABFFE380221855BD72456876B31994EA263A3
Reporter abuse_ch
Tags:AveMariaRAT exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://phamchilong.com/Corona/Saudi%20Corona%20Guide%20line.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Maria.4.17072.22484.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Maria.3.30306.22950.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Agentb
Create hunting rule
Status:
Malicious
First seen:
2020-03-31 01:35:20 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4fcxyko6jlhylokcbz4lwiwyzbhgosq3zzk2tkahbo2o6s6yqpja._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
21c5dfaf16a6b6fb850af64a34db2eac7263835048a6041533967de282a42caf
AveMariaRAT
33a76af55237d9ba192ee8496fd6c4adc489593705e81c663a890b39e1c92a8e
AveMariaRAT
4b13bb36220d46ab9fa89c4163c8ec571fe0c113af00773d0968fa51c4056bbd
AveMariaRAT
4fe45a8e07fc28eb30222f08219ca2bb8832220a97ff56333193bd422a876f0c
AveMariaRAT
62a9e0bc56c03b9ad7ff3ff1242415b95c29b10c2699a55c4d8940338e18887e
AveMariaRAT
8f787ad8df4ea3ee0c0940cf5170cccffa5c5783f065b89581de06c53a20b30c
AveMariaRAT
8fbd0e656a1ee90b82591111e01fb0e8b7a3d3e711e0d5165d05a5d844b8c03f
AveMariaRAT
9cbb4a330c540c4632d8640472dafa3f204b1765ff09b15716b76de1d48ebbfc
AveMariaRAT
b5b64f85cdeb5432018e22087fce4b6dc1e56593e8416335f471d4eac1e2b8cf
AveMariaRAT
f58206c0e3f90670105f3d92f49e4f3e4dd36970697f24de762862f24ea130cf
AveMariaRAT
+ 415 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

b260932b7d61ee82219ec1b8184268055fd4eef48dd43be9b93fa6f67ed5dfc9

AveMariaRAT

Executable exe e1457c29de4acf85b9420e78bb22d8c84e674a1bce55a9a8070bb4ef4bd883d2

(this sample)

  
Dropped by
MD5 2fe24dbb15ba9a7c2fa51066b81c89e6
  
Dropped by
MD5 7acab391ad09f1317955842b55deba1f
  
Dropped by
GuLoader
  
Dropped by
SHA256 b260932b7d61ee82219ec1b8184268055fd4eef48dd43be9b93fa6f67ed5dfc9
  
Dropped by
SHA256 f02ef6c287374f76a97f8fab140d08ecfb4cc1611113d42721ddcce0be5509cf
  
URLhaus
https://urlhaus.abuse.ch/url/332511/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
DP_APIUses DP APICRYPT32.dll::CryptUnprotectData
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::SetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::ShellExecuteExA
SHELL32.dll::ShellExecuteExW
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateRemoteThread
KERNEL32.dll::CreateProcessW
KERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
SHELL32.dll::SHCreateDirectoryExW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::LookupAccountSidW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo
WS2_32.dll::InetNtopW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigW
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
ADVAPI32.dll::StartServiceW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments