MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec58c3fc201e9b9802d8a2b99dbe046fb29ef26c5f6fcc461ed968b66351473f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	ec58c3fc201e9b9802d8a2b99dbe046fb29ef26c5f6fcc461ed968b66351473f
SHA3-384 hash:	da1f342774599628140692039cdf9774487852a16506fb33ef48f7afcb3d4575482e7b557b2d6162a61cf980b0cf6c32
SHA1 hash:	9e199d0e69d8dd361bbcc4e513c361bc9c852fc6
MD5 hash:	1a870cbfbb357ec67af189381b1d10e9
humanhash:	queen-michigan-arizona-georgia
File name:	Detalles de la descripción de la oferta del producto.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	31'136 bytes
First seen:	2020-11-05 18:55:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	384:AwzEAxGapymZPLGzZ7PuNMCHNsPGU3NCUl4Si7kCh3bzX8Dgf2h8Yk:DzEkBZPLGzbFTi7k230Uf2htk
Threatray	554 similar samples on MalwareBazaar
TLSH	F1E22804A284BD13FD9A32321653CC7017A3D7FD91B1858BB89DC95CF042AE63C6B9DA
Reporter	abuse_ch
Tags:	AveMariaRAT ESP exe geo

abuse_ch

Malspam distributing unidentified malware:

From: Maria García <account@atlanticnavigation.com>
Subject: Precio de oferta
Attachment: Detalles de la descripción de la oferta del producto.ark (contains "Detalles de la descripción de la oferta del producto.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

61

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/83531/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

DNS request

Creating a window

Sending a TCP request to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Forced shutdown of a system process

Enabling autorun by creating a file

Enabling autorun

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec58c3fc201e9b9802d8a2b99dbe046fb29ef26c5f6fcc461ed968b66351473f/

Threat name:

ByteCode-MSIL.Trojan.Emotet

Status:

Malicious

First seen:

2020-11-05 17:51:11 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5rmmh7bad2nzqawyuk4z3pqen6zj54tml5x4yrq63fulmy2ri47q._file

Verdict:

malicious

Label(s):

avemaria

Similar samples:

18ec681c471f185edf3ab8e23b52b4ea2a87162f9957b4d5d10ac0e2bc008405

2850ddcebc7ed468cb0db271e54956468f0c93dd57a233665646d28cb1139373

285f4e79ae946ef179e45319caf11bf0c1cdaa376924b83bfbf82ed39361911b

5b92d7f869973b50de0c707ce58afacd6f1202364283c7dffa6ffd79a41a93eb

aae06c61ea30fd920db8caa7e32eefe1b74842affe3fa6d53ce6765f49783ed5

bec0fd02d4c6cc5da2d88a5bf2a53b8d3ad5cfc1d40a8c62852629d7de06ebd8

c805a81435618323cd34e9729b058df78e9c496d1d6c752cc3e5c7cb30f26613

c838da7346e7f3373f9f1a84a073c248f785e82be48db979cdb339460402de06

e9ef69bd0b38ec9381f02d44dd893c75ac6c1e6a96f4e320416636860d05d398

fc4b29f54e0b3ed0493ba85310a2665ab47e5143f3cb3ce09686f0560dd1ed04

+ 544 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer persistence rat

Link:

https://tria.ge/reports/201105-tz3h2qlqyx/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

Warzone RAT Payload

Modifies WinLogon for persistence

WarzoneRat, AveMaria

Unpacked files

SH256 hash:

ec58c3fc201e9b9802d8a2b99dbe046fb29ef26c5f6fcc461ed968b66351473f

MD5 hash:

1a870cbfbb357ec67af189381b1d10e9

SHA1 hash:

9e199d0e69d8dd361bbcc4e513c361bc9c852fc6

Link:

https://www.unpac.me/results/ebc3edd0-5b14-46ec-85fc-960c3a522eda/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Dropper

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/ec58c3fc201e9b9802d8a2b99dbe046fb29ef26c5f6fcc461ed968b66351473f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 1a3a500df4f39ed4afae626f7af177fdc0c3ed44d1bf83bd918440ee81ea5054

exe ec58c3fc201e9b9802d8a2b99dbe046fb29ef26c5f6fcc461ed968b66351473f

(this sample)

Dropped by

MD5 06dfe47c257d03e5cba3260ba096dc14

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/83531/

Dropped by

SHA256 1a3a500df4f39ed4afae626f7af177fdc0c3ed44d1bf83bd918440ee81ea5054

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample