MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea609cf51571388693642dbaaf8e6ef297792328ad16a24af7287ed7d2ee342a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea609cf51571388693642dbaaf8e6ef297792328ad16a24af7287ed7d2ee342a
SHA3-384 hash: a1c73c822e7955ea2c66ca26cce6ff00f2f61c9464406aedcf9a754fe1f5428ac2bd4f474eb07285608daf38b0524a22
SHA1 hash: d1f4e320f407da1b1840f8abae68e5f91a1c34fb
MD5 hash: 79d863368e039ff567883368a5f041d0
humanhash: echo-texas-queen-glucose
File name:79d863368e039ff567883368a5f041d0
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:3'393'064 bytes
First seen:2021-07-21 02:10:56 UTC
Last seen:2021-07-21 02:51:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 440c2f1f8b4e85a8125518c273eebc8d (1 x AveMariaRAT)
ssdeep 49152:90zMop2WziVbanQXUvnI3CJ61rzqAUT3CYKS8NJaNXwjpbCzK9lj2gYXVq7:GzQWmVbiQE/0mAmCINXwA2bj2ggc7
Threatray 56 similar samples on MalwareBazaar
TLSH T1A5F5123706691045E1EAC83ED137FED432F3037A9B81A47875E6AAC726358D5E713A83
dhash icon c090b090bc19995b (1 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
79d863368e039ff567883368a5f041d0
Verdict:
Suspicious activity
Analysis date:
2021-07-21 02:12:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4cdbc4b6-fc43-4d96-bb0d-635a69ebf9f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172911/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.47969.7422.2228.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ede8cfa-810e-41cf-a76d-ffe54a90904e
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819296
Signature
Contain functionality to detect virtual machines
Delayed program exit found
Detected potential unwanted application
Detected VMProtect packer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea609cf51571388693642dbaaf8e6ef297792328ad16a24af7287ed7d2ee342a/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 19:42:19 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1b189602123e4dba4522d442877fb0862a8fbbc4cc6d187954ba27039bea7d9c
AveMariaRAT
1e04c1e4eefe23f454553364e757209462f2561d8455628b296b1dbe83fc6ec2
AveMariaRAT
2ace0be70434934b6e140f679a0c1551dd589abedfb1f6abeb5ceffaf0a1b9d9
AveMariaRAT
3c2fa1d04daaea31991c29bb4118c3d146a50815a033ea5ae325c3171ebdf713
AveMariaRAT
3e5bbf9fcae918011ec4eee75ac6402fddf20d09fef95b362d0e226d56b80f1d
AveMariaRAT
5940fd97a28d3ee232155231fe70af70be462aa144d0b625470fe46a01a3bd1b
AveMariaRAT
81074c41b76fd86ce228d266821c33d86a7448f30f58966d7990b77ba321552e
AveMariaRAT
81d14d241a35f52dae782c57784168f5295776984eb55d9f88f9f0cf12e67f72
AveMariaRAT
b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba7a10dc4686b5b183a33
AveMariaRAT
ff4a3e44fcd1cfbbf10ac318aca7559e0c20d0563e11e8a98e21e09e97ca68d3
AveMariaRAT
+ 46 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan vmprotect
Link:
https://tria.ge/reports/210721-l221xgdben/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
457126bd1e188f5c0e9aa004e0bf188fc7f48ac302be1f7a6e8c6d74b12d3e56
MD5 hash:
6e63fdd535c201ec63351acd8930969a
SHA1 hash:
f9d0e1839f9b40ead5deb60aa374a3a70c7850f3
Link:
https://www.unpac.me/results/a3ec419c-fcb4-4545-b11d-5e518796d161/
SH256 hash:
0c27b013dd61f9544a59f996297b9a0f62464e3d7c77898465eb573231cbe256
MD5 hash:
74ea7aa4b73545d273be146ff050f925
SHA1 hash:
271f5efa5a931fbab0c27f404e6213e99a4098cb
Link:
https://www.unpac.me/results/a3ec419c-fcb4-4545-b11d-5e518796d161/
SH256 hash:
ea609cf51571388693642dbaaf8e6ef297792328ad16a24af7287ed7d2ee342a
MD5 hash:
79d863368e039ff567883368a5f041d0
SHA1 hash:
d1f4e320f407da1b1840f8abae68e5f91a1c34fb
Link:
https://www.unpac.me/results/a3ec419c-fcb4-4545-b11d-5e518796d161/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea609cf51571388693642dbaaf8e6ef297792328ad16a24af7287ed7d2ee342a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe ea609cf51571388693642dbaaf8e6ef297792328ad16a24af7287ed7d2ee342a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1469815/
Cape
Cape
https://www.capesandbox.com/analysis/172911/

Comments


Avatar
zbet commented on 2021-07-21 02:10:57 UTC

url : hxxp://136.144.41.201/USA/Kripted.exe