MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6bfd23b8c13a875d4f59486d3afa362e2ab5159e3920011a8d77f7710cb6f1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6bfd23b8c13a875d4f59486d3afa362e2ab5159e3920011a8d77f7710cb6f1c
SHA3-384 hash: 2c0831905cd8c9c5a8e9b7e9a43e5ae761afaa5185d71ea27d63d8ba0f1e9cfe62dcdaf3d83e180f94cdbb0b83f84ee2
SHA1 hash: 746d079c467ab4efd46244aeb62e0e6e7a093451
MD5 hash: 230dbdff4e93fdbc1ce6240b84e4099f
humanhash: west-missouri-carolina-three
File name:TAX INVOICE_CCU-30408495_00942998_20180910_194738.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'051'648 bytes
First seen:2021-09-27 14:07:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:5fhadgtXsVcT8e0nFD44lDlXZ0SORa/Vjtsf7Skr06yKI:vadCJ8XnNbXUqjyK
Threatray 1'289 similar samples on MalwareBazaar
TLSH T1FB257B2137948B91F42F0B318977831427B7EE069F12EB0AFDD87E9ABD7178152122D6
File icon (PE):PE icon
dhash icon 9232b272e9ccacc2 (10 x AveMariaRAT, 1 x NanoCore, 1 x RedLineStealer)
Reporter adrian__luca
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TAX INVOICE_CCU-30408495_00942998_20180910_194738.exe
Verdict:
Malicious activity
Analysis date:
2021-09-27 14:21:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a2701eb0-738d-4b3c-a6fd-1b0335651b58

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RDPWrap
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192145/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1044.9648.30541.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/900660d1-3be0-49f1-a63c-52147061f169
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859194
Signature
.NET source code contains potential unpacker
Contains functionality to hide user accounts
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6bfd23b8c13a875d4f59486d3afa362e2ab5159e3920011a8d77f7710cb6f1c/
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-09-27 13:08:58 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4275eo4mcouhlvhvssdnhl5dmlrkwukz4ojaaeni257xoegln4oa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
09fde9ea165ae44ebc4956fc4cdbc72c9f51db639219b7bef1975e0d571f8080
AveMariaRAT
442e74649ae6be0b2f84e73917c8ef704ca9aaa15d7922d0807731a15f3ce019
AveMariaRAT
4cd1f14c1edad0029600ee41fe2e8cd09332a86b5e6b533f96632ce6192c4b6e
AveMariaRAT
8d98f6090c83a627a2922f45047ad42e91002e7a54abe5f5f55dd91a3d14476f
AveMariaRAT
97d1f00a9c4853e05bdad965148774ee6d3c58bcb864c018909d04ae99b9ed2e
AveMariaRAT
9d43e942f513a32e1c0db58de3d63abb24a8a4bc7bef3da4a6106656b9a64a5f
AveMariaRAT
e82c6834c7a9fb7ffa1d5b5ccafe0b2a97a4ff30bfe5e770e26f6b1232e5b672
AveMariaRAT
+ 1'279 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat agilenet infostealer rat spyware stealer
Link:
https://tria.ge/reports/210927-rfmw1ahbe5/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Executes dropped EXE
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
enginekeysmoney.ddns.net:9671
Unpacked files
SH256 hash:
e6bfd23b8c13a875d4f59486d3afa362e2ab5159e3920011a8d77f7710cb6f1c
MD5 hash:
230dbdff4e93fdbc1ce6240b84e4099f
SHA1 hash:
746d079c467ab4efd46244aeb62e0e6e7a093451
Link:
https://www.unpac.me/results/b15363a8-3ad0-4c76-bdb0-461d3a0acc25/
Malware family:
Goobin
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e6bfd23b8c13/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/e6bfd23b8c13a875d4f59486d3afa362e2ab5159e3920011a8d77f7710cb6f1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe e6bfd23b8c13a875d4f59486d3afa362e2ab5159e3920011a8d77f7710cb6f1c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/192145/

Comments