MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e886baf2ba6653cdf655d189bbee53522b5728979539f68edd47fc8f8f80a3c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e886baf2ba6653cdf655d189bbee53522b5728979539f68edd47fc8f8f80a3c7
SHA3-384 hash: 940a3c5073a9cf1f7fbd877ba26d741f0339c629c377ac0d6c6c8f3b3aa5ed45ed3a79dd5682b73134eef3df70284655
SHA1 hash: bdf26777f7a95e01b545868beb386fdc204cb897
MD5 hash: 2afc90cdd567b808a4bdbb6d994c533a
humanhash: indigo-pip-blossom-mango
File name:SecuriteInfo.com.IL.Trojan.MSILZilla.28600.494.22699
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:775'168 bytes
First seen:2023-07-25 03:27:38 UTC
Last seen:2023-07-31 06:54:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:b9t5HrOzVIlj2YxrrHYStsKwgdYY0pfQemu5mxEBGDORK79YF1B5IIKi4w:RnrOKXr/tjwgd0rmQmAGKt+l
Threatray 2'345 similar samples on MalwareBazaar
TLSH T194F433D70188FD7EEBB127392890937095131F390F7D854FF28B462B92BB78492256B9
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
294
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.IL.Trojan.MSILZilla.28600.494.22699
Verdict:
Malicious activity
Analysis date:
2023-07-25 03:28:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2cdd1fa8-1b6b-40ed-863b-54eef02782f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/431824/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.28600.494.22699.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Creating a file in the %AppData% directory
DNS request
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/e886baf2ba6653cdf655d189bbee53522b5728979539f68edd47fc8f8f80a3c7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4f752724-6adf-40ae-a762-a7bab542a184
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278779
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to hide user accounts
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AveMaria stealer
Yara detected Costura Assembly Loader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278779 Sample: SecuriteInfo.com.IL.Trojan.... Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for URL or domain 2->63 65 9 other signatures 2->65 7 SecuriteInfo.com.IL.Trojan.MSILZilla.28600.494.22699.exe 1 5 2->7         started        11 Knqjx.exe 5 2->11         started        13 Knqjx.exe 5 2->13         started        process3 file4 53 C:\Users\user\AppData\Roaming\Knqjx.exe, PE32 7->53 dropped 55 C:\Users\user\...\Knqjx.exe:Zone.Identifier, ASCII 7->55 dropped 67 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->67 15 cmd.exe 1 7->15         started        18 cmd.exe 1 7->18         started        20 WerFault.exe 24 9 7->20         started        69 Antivirus detection for dropped file 11->69 71 Multi AV Scanner detection for dropped file 11->71 73 Machine Learning detection for dropped file 11->73 23 cmd.exe 11->23         started        25 cmd.exe 11->25         started        27 WerFault.exe 11->27         started        29 cmd.exe 13->29         started        31 cmd.exe 13->31         started        33 WerFault.exe 13->33         started        signatures5 process6 dnsIp7 75 Uses ipconfig to lookup or modify the Windows network settings 15->75 35 conhost.exe 15->35         started        37 ipconfig.exe 1 15->37         started        39 conhost.exe 18->39         started        41 ipconfig.exe 1 18->41         started        57 192.168.2.1 unknown unknown 20->57 43 conhost.exe 23->43         started        45 ipconfig.exe 23->45         started        47 2 other processes 25->47 49 2 other processes 29->49 51 2 other processes 31->51 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e886baf2ba6653cdf655d189bbee53522b5728979539f68edd47fc8f8f80a3c7/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 01:37:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5cdlv4v2mzj435sv2ge3x3stkivvokexsu47ndw5i76i7d4aupdq._file
Verdict:
malicious
Similar samples:
05c4f71a5caa0ed6809fdfa57b44836f5ee6408d73f6b97cd9a751b696091101
AveMariaRAT
3c2129e1c7b154ba70dcb01035d8538f8092d5091f38048a02254cc435701248
AveMariaRAT
43107af0c3f2ef758f9bdd44f1541188cf513bac34c222151cdb81a588b0fd27
AveMariaRAT
4a269414d116334ba8837a573d824a3ff46c3b7d274b7b8e3c3ffd688a2e3729
AveMariaRAT
737a4e3c0bc536fddc9f55099a01736da0b5ecb543d62b55ec3f29650a1305d8
AveMariaRAT
97b9d63fe195249b2862a13c72cc88f4cb736f846eb91188de18984c231d168b
AveMariaRAT
bcf3266e8996bcdb7acb686034f264b07c228ce37f1212b663b636cc0317ee1a
AveMariaRAT
ea42c3ce01a1e8f241e069405c7d7a769af25f2cc34a6cedf7cb22285677b944
AveMariaRAT
+ 2'335 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/230725-d1bsksag7z/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Warzone RAT payload
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
9b1401d90b5ba0deb0cb3b703f2829db337cc03a808024a9beee351fc925d181
MD5 hash:
5d0b397fc8860fd8c827c87adf633f8e
SHA1 hash:
bc2265f05e2fcabf8106d7260b0f632193a66f35
Link:
https://www.unpac.me/results/02d19ebb-2f34-44cd-8456-8c5487f8fd65/
SH256 hash:
b5c88c0e39b7e9f34c020c1b3023c5522c7e34f9281d4d912b41aefd7d3ff4bf
MD5 hash:
f8e7f0053bfc08987c68cb4b7f7dbc44
SHA1 hash:
6b4e4d4ed0d5141d2830c22198fcd49e5fb58def
Link:
https://www.unpac.me/results/02d19ebb-2f34-44cd-8456-8c5487f8fd65/
SH256 hash:
4b428075e4f891c76bc43efac109bd26810bf56d99684497d25fa908431d597d
MD5 hash:
ea73c37dcb3ef19c0cb56258a6986e52
SHA1 hash:
277ae26ea18fb5fe692ebcb8ce934e1946d38ecd
Link:
https://www.unpac.me/results/02d19ebb-2f34-44cd-8456-8c5487f8fd65/
SH256 hash:
e886baf2ba6653cdf655d189bbee53522b5728979539f68edd47fc8f8f80a3c7
MD5 hash:
2afc90cdd567b808a4bdbb6d994c533a
SHA1 hash:
bdf26777f7a95e01b545868beb386fdc204cb897
Link:
https://www.unpac.me/results/02d19ebb-2f34-44cd-8456-8c5487f8fd65/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/e886baf2ba6653cdf655d189bbee53522b5728979539f68edd47fc8f8f80a3c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

img 0c477981081bcfab201b14dc0a7529cf9825e13b0957cabbc4b7b2ab6bef7c8d

AveMariaRAT

Executable exe e886baf2ba6653cdf655d189bbee53522b5728979539f68edd47fc8f8f80a3c7

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/431824/
  
Dropped by
SHA256 0c477981081bcfab201b14dc0a7529cf9825e13b0957cabbc4b7b2ab6bef7c8d
  
Dropped by
MD5 7fb7b656772e052782a15149d1ec1a01

Comments