MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef180fefc30417616ff0363f67ac44cf21bd1538c72ec55d294ccf997235298c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 13



SHA256 hash: ef180fefc30417616ff0363f67ac44cf21bd1538c72ec55d294ccf997235298c
SHA3-384 hash: ed9b611dc57c1c6834db4825f0a34737c65911e1c370cfa81329453cb1fd72152a75e200eb5947a8293697227850ead1
SHA1 hash: 0ae1cdb7fffc5c9e7c1f204818d0b8b8cb328e94
MD5 hash: 9ed99688b203421ab1095f250f1f63f4
humanhash: oranges-summer-saturn-speaker
File name: ef180fefc30417616ff0363f67ac44cf21bd1538c72ec55d294ccf997235298c
Signature: AveMariaRAT
File size: 412'191 bytes
First seen: 2023-07-06 12:18:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep: 12288:ZYCBNqIP9rt9wWD4nCxqFxmfIn0BOfs6a4uQ6JmSqaiLRi:ZYicIPdHwrCxYJ0BOfs/EVRi
Threatray: 47 similar samples on MalwareBazaar
TLSH: T166942218B1B6D656E4E2317305759BB5FFB958213628E11B3B01AF8C7F661AFA30E310
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter: adrian__luca
Tags: AveMariaRAT exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 295
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ef180fefc30417616ff0363f67ac44cf21bd1538c72ec55d294ccf997235298c
Verdict: Malicious activity
Analysis date: 2023-07-06 12:18:39 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DarkCloud
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DarkCloud
Yara detected Generic Dropper
Threat name: Win32.Trojan.InjectorX
Status: Malicious
First seen: 2023-06-29 04:01:00 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 29 of 38 (76.32%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Unpacked files
SHA256 hash: ee5e747f3127ce9fbec8e43788408d29bee05a457681ab9bd80fc8333fb56b31
MD5 hash: 169dc10ff4b1e44ca22245e5e6c198e6
SHA1 hash: de511d31fdf2b19bfeb0cdb5065785f397368914
SHA256 hash: 961d146c2fef8c5f47fbfcc146f28ed3469f0ccaf0736bbc88e217b22e1c342b
MD5 hash: ebff00d8b260a6db45b9a206d909b6a6
SHA1 hash: 71b90527e0fbb1bde39ac7fe08402a359a0225f0
SHA256 hash: 005011e329b81747e23c78dc1d072fbff2f0909fdbfe08049d8d872c152262a1
MD5 hash: 9066a98b8b8894db234b1fba967b8d35
SHA1 hash: 553620d93a90863fbea253c9e2785b6e764205d4
SHA256 hash: ef180fefc30417616ff0363f67ac44cf21bd1538c72ec55d294ccf997235298c
MD5 hash: 9ed99688b203421ab1095f250f1f63f4
SHA1 hash: 0ae1cdb7fffc5c9e7c1f204818d0b8b8cb328e94
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: SUSP_Imphash_Mar23_2
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects imphash often found in malware samples (Zero hits with search for 'imphash:x p:0' on Virustotal)
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.
