MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e961ac85380ccd346de98c4a55e10b837b9a77b7d31ec7a312b61b484e32c932. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 11


SHA256 hash: e961ac85380ccd346de98c4a55e10b837b9a77b7d31ec7a312b61b484e32c932
SHA3-384 hash: 2e65a0b217917fe4bd7fa271e3ef481eae0646810a166da948c8f4a4894ac11b9f6e393d016224655f453c54a42b8b9e
SHA1 hash: a3245e3cc90122c20c91996680ab8ccd50b3bd6e
MD5 hash: bca10ec35865a633403c9bf3f314f65a
humanhash: juliet-low-mexico-kentucky
File name: Scan01.exe
Signature: AveMariaRAT
File size: 700'416 bytes
First seen: 2022-02-17 17:45:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:q57SGnEHmXjH22qla5w/yXbx/ftorrwmXKq:lIEHWH0MW/IbxvmX
Threatray: 2'078 similar samples on MalwareBazaar
TLSH: T114E47C08E7D51AC1F9BA55BE94F5A7241263FAB04CCBC347329D287886AF3B47F40A45
dhash icon: 1080aaacac84c010 (1 x AgentTesla, 1 x AveMariaRAT)
Reporter: lowmal3
Tags: AveMariaRAT exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 220
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AveMaria
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph: Behavior Graph ID 574255 (Sample: Scan01.exe, Startdate: 17/02/2022, Architecture: WINDOWS, Score: 100); the graph itself is an image and is not reproduced in text.
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2022-02-17 12:47:00 UTC
AV detection: 16 of 43 (37.21%)
Threat level: 5/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat collection infostealer persistence rat spyware stealer
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
WarzoneRat, AveMaria
Malware Config
C2 Extraction: 146.70.76.43:43206
Unpacked files
SHA256 hash: 9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash: 9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash: e2378a1c22c35e40fd1c3e19066de4e33b50f24a
SHA256 hash: 4f0498e4658bf953374c3bb8b3d309fe8aff5bde5813c2df49903cac0928f958
MD5 hash: ecf5ee1f1fecf5823d1f6973420e6583
SHA1 hash: dcdc04a226d0cbed6513e9ec03d425897a5bc51e
SHA256 hash: e961ac85380ccd346de98c4a55e10b837b9a77b7d31ec7a312b61b484e32c932
MD5 hash: bca10ec35865a633403c9bf3f314f65a
SHA1 hash: a3245e3cc90122c20c91996680ab8ccd50b3bd6e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Typical_Malware_String_Transforms
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research
Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe e961ac85380ccd346de98c4a55e10b837b9a77b7d31ec7a312b61b484e32c932 (this sample)

Delivery method: Distributed via e-mail attachment

Comments