MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed46cf8a9a3028a3e870a27df96140bd962b63e9ab55eb7e231e628c108dd4ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed46cf8a9a3028a3e870a27df96140bd962b63e9ab55eb7e231e628c108dd4ca
SHA3-384 hash: a07a8a5961706ce7f48bd28aac8ee281941f5808a908e4ec3a88abae58d6be41e2af23bf0726c9b2259d8e5f581220b5
SHA1 hash: 3adfbed6fedbf70aa2db67058e04f038a0d387ef
MD5 hash: 8632714629dc6a50d8728f72c46a7f42
humanhash: south-carpet-helium-friend
File name:OVER DUE INVOICES_12-08-2021.pdf.bat.gz.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'384'960 bytes
First seen:2022-03-29 12:58:36 UTC
Last seen:2022-03-30 06:58:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:A1w4GTTI/TycH6VAKA8e0CrOwNDcZwX4PsoOy0ai9Tt7jG:yGTT5caRTCBNDeZirnj
Threatray 2'785 similar samples on MalwareBazaar
TLSH T17555016673CEC502C6BD577794EA800047B9BA594663D70E3CC833FD0E32792698A79B
Reporter cocaman
Tags:AveMariaRAT exe payment

Intelligence

File Origin
# of uploads :
4
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
ed46cf8a9a3028a3e870a27df96140bd962b63e9ab55eb7e231e628c108dd4ca.zip
Verdict:
Malicious activity
Analysis date:
2022-03-29 13:17:12 UTC
Tags:
evasion trojan snake stealer rat avemaria snakekeylogger keylogger
Link:
https://app.any.run/tasks/dab85a03-b684-4d51-b4d5-623f13f48f77

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/259223/
Detection(s):
SecuriteInfo.com.Artemis8632714629DC.14106.11885.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/62430299a19c649412a5f614/reports/93a13c29-410b-4eb4-8798-c054680cf244/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c29b458e-dfb6-41d6-8a07-53cf7b1ddb03
Result
Threat name:
AveMaria Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/966713
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 599203 Sample: OVER DUE INVOICES_12-08-202... Startdate: 29/03/2022 Architecture: WINDOWS Score: 100 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for dropped file 2->69 71 22 other signatures 2->71 9 OVER DUE INVOICES_12-08-2021.pdf.bat.gz.exe 7 2->9         started        process3 file4 47 C:\Users\user\AppData\...\vhDfviwDQsFXH.exe, PE32 9->47 dropped 49 C:\...\vhDfviwDQsFXH.exe:Zone.Identifier, ASCII 9->49 dropped 51 C:\Users\user\AppData\Local\...\tmpCCE0.tmp, XML 9->51 dropped 53 OVER DUE INVOICES_....pdf.bat.gz.exe.log, ASCII 9->53 dropped 89 Adds a directory exclusion to Windows Defender 9->89 91 Injects a PE file into a foreign processes 9->91 13 OVER DUE INVOICES_12-08-2021.pdf.bat.gz.exe 3 9->13         started        16 powershell.exe 25 9->16         started        18 schtasks.exe 1 9->18         started        signatures5 process6 file7 55 C:\Users\user\AppData\...\rat poison.exe, PE32 13->55 dropped 57 C:\Users\user\AppData\Local\...\iykeguy.exe, PE32 13->57 dropped 20 rat poison.exe 4 4 13->20         started        24 iykeguy.exe 15 2 13->24         started        27 conhost.exe 16->27         started        29 conhost.exe 18->29         started        process8 dnsIp9 45 C:\ProgramData\windowsupdater.exe, PE32 20->45 dropped 73 Adds a directory exclusion to Windows Defender 20->73 75 Increases the number of concurrent connection per server for Internet Explorer 20->75 77 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->77 31 windowsupdater.exe 20->31         started        34 cmd.exe 20->34         started        36 powershell.exe 20->36         started        59 checkip.dyndns.com 193.122.6.168, 49768, 80 ORACLE-BMC-31898US United States 24->59 61 freegeoip.app 188.114.97.7, 443, 49769 CLOUDFLARENETUS European Union 24->61 63 2 other IPs or domains 24->63 79 Antivirus detection for dropped file 24->79 81 May check the online IP address of the machine 24->81 83 Tries to steal Mail credentials (via file / registry access) 24->83 85 3 other signatures 24->85 file10 signatures11 process12 signatures13 93 Antivirus detection for dropped file 31->93 95 Machine Learning detection for dropped file 31->95 97 Contains functionality to inject threads in other processes 31->97 99 2 other signatures 31->99 38 reg.exe 34->38         started        41 conhost.exe 34->41         started        43 conhost.exe 36->43         started        process14 signatures15 87 Creates an undocumented autostart registry key 38->87
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed46cf8a9a3028a3e870a27df96140bd962b63e9ab55eb7e231e628c108dd4ca/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-29 12:59:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5vdm7cu2gaukh2dquj67sykaxwlcwy7jvnk6w7rddzriyeen2tfa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
4abd870d8eb2906d9078054500da763598f720b23d21b97cececb3829a4a06c7
AveMariaRAT
4b1532fa6483dfb4194a1f3fbf583f511caea6035f61e9ffad798bd58981f5a8
AveMariaRAT
a06df43cf78f226603a42ee45c6c676ecc9f5a6c978d3b3e18b364b116ba20fc
AveMariaRAT
a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249
AveMariaRAT
aaeea2518247c61576d04a680a02693dbb21cff050af2d3049f0c0636cbc478b
AveMariaRAT
c2a3491dd411786313b705dc0297a506c2abd633ee3bebfe19b871853cc558e7
AveMariaRAT
dce4615cac8bad8de4310b354621a02e36e153ab8bf4f5c5c2242e81f9a98a27
AveMariaRAT
+ 2'775 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:warzonerat collection infostealer keylogger rat spyware stealer
Link:
https://tria.ge/reports/220329-p73enaeaa7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
5.2.68.67:11940
Unpacked files
SH256 hash:
b627c5cbf8ed7b65a07e2136bc84e7d322d06941f94e9d5a6b4f4d0cf13f749a
MD5 hash:
e23f8543c0285321355191698e5d1e85
SHA1 hash:
1817d4b3979eb8353194e1e2a4ddda9a0aa7794c
Link:
https://www.unpac.me/results/6818350e-03c2-4566-a754-9245fcd4a642/
SH256 hash:
4e555f55195b771abc3c85a75c5090d9faa05859e147b3eba37f6ff49691b68e
MD5 hash:
f3bd416f53aa77646ccb2ca0a8e8d3bd
SHA1 hash:
ef0eeba071b9c183df8e1308f2aac6a9ea5f4763
Link:
https://www.unpac.me/results/6818350e-03c2-4566-a754-9245fcd4a642/
SH256 hash:
70eea87cf1a645383ec783d115921774bf453447490bd7ceb0826fcb21161a4f
MD5 hash:
d7c297a556eede1fa66fa84dfafd4707
SHA1 hash:
d0ec94b65b904a734f4e2c6f1fb9842588c219e3
Link:
https://www.unpac.me/results/6818350e-03c2-4566-a754-9245fcd4a642/
SH256 hash:
613b2819d35360cbfe6c94b2b998d1a4998c89f5bdef505e0e158e1288ab684c
MD5 hash:
3096cbaf4b5d40f9c61bf7ce13fde62f
SHA1 hash:
6b3c580e51fd306bfdc2e727ca3bc7805aba4b53
Link:
https://www.unpac.me/results/6818350e-03c2-4566-a754-9245fcd4a642/
SH256 hash:
0edb93d3a5ca1ade8de3c0172b1540bc8d0a327a7f9e351831e403ad42e8c4e2
MD5 hash:
438eb9a36e120c006ddd254f48c15916
SHA1 hash:
5e3a0b3322962222418f410546710a2857555363
Link:
https://www.unpac.me/results/6818350e-03c2-4566-a754-9245fcd4a642/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/6818350e-03c2-4566-a754-9245fcd4a642/
SH256 hash:
6af76073004ddb3978c2fad2286088ffc251323b52fed7664eeb8c46acb0a218
MD5 hash:
6cdd2a096f9469c5332c0886df3c5167
SHA1 hash:
606393de48c0037137fd78ed2221ce8112153988
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/6818350e-03c2-4566-a754-9245fcd4a642/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/6818350e-03c2-4566-a754-9245fcd4a642/
SH256 hash:
ed46cf8a9a3028a3e870a27df96140bd962b63e9ab55eb7e231e628c108dd4ca
MD5 hash:
8632714629dc6a50d8728f72c46a7f42
SHA1 hash:
3adfbed6fedbf70aa2db67058e04f038a0d387ef
Link:
https://www.unpac.me/results/6818350e-03c2-4566-a754-9245fcd4a642/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ed46cf8a9a30/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed46cf8a9a3028a3e870a27df96140bd962b63e9ab55eb7e231e628c108dd4ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

gz 840729250146593d31165c8763f43475c6d58f93ad6ce25d07aec42a3cd0b38e

AveMariaRAT

Executable exe ed46cf8a9a3028a3e870a27df96140bd962b63e9ab55eb7e231e628c108dd4ca

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 840729250146593d31165c8763f43475c6d58f93ad6ce25d07aec42a3cd0b38e
Cape
Cape
https://www.capesandbox.com/analysis/259223/

Comments