MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef56f8c0615d059de3d0f669b651d38caf535155878ff4bc7d1b1a62abd45213. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef56f8c0615d059de3d0f669b651d38caf535155878ff4bc7d1b1a62abd45213
SHA3-384 hash: f8ae2aa95e37810bf34b7e06131109a819e3a24c21095a8db2929fae828b01dee96acfc2a5f863fa497a5e1eaab851bc
SHA1 hash: 841e007277d085f43afecba308ad7e0edee81dcc
MD5 hash: d64248de7641b1efd1137fcb3d5b5023
humanhash: charlie-berlin-red-cardinal
File name:Taxinvoice1198691264·pdf.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:572'384 bytes
First seen:2023-02-08 07:50:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (385 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep 12288:Iky+IuY0vH9+/dUj4fn7fJkB+N8v2ocCSivrlicgUKiW2Y:Q9uY6H4K4fSS8vcKGkY
TLSH T159C423466B50D5E3C322C232AEF992B3AF762E2710544E2F35427F585CB21C0D85FB66
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8ee2f0b8cc3b3b80 (5 x AveMariaRAT, 1 x GuLoader)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT signed

Code Signing Certificate

Organisation:Amalgamater
Issuer:Amalgamater
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-04T18:31:28Z
Valid to:2025-10-03T18:31:28Z
Serial number: -04a9df7d0986b47c
Thumbprint Algorithm:SHA256
Thumbprint: eab0cf175f2b5c99254cd097d2cb9bbb1ef0bff292694ef0a9e153287ca5c420
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
AveMariaRAT C2:
91.193.75.152:2345

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Taxinvoice1198691264·pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-02-08 07:51:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/868b67f0-6925-4b07-bf12-248c2bc3fa97

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/361820/
Detection(s):
SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.s.27703.19664.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/66429/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
80%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63e3546789bd67c10fdd3937/reports/d7816494-1efe-4d71-ba93-67621d398f9e/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/ef56f8c0615d059de3d0f669b651d38caf535155878ff4bc7d1b1a62abd45213
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/da2b59cf-ef04-4e00-ac71-8b0bd73871fe
Result
Threat name:
AveMaria, GuLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1168537
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected GuLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 801317 Sample: Taxinvoice1198691264#U00b7pdf.exe Startdate: 08/02/2023 Architecture: WINDOWS Score: 100 84 pressurem002.duckdns.org 2->84 86 googlehosted.l.googleusercontent.com 2->86 88 2 other IPs or domains 2->88 102 Snort IDS alert for network traffic 2->102 104 Malicious sample detected (through community Yara rule) 2->104 106 Multi AV Scanner detection for dropped file 2->106 108 8 other signatures 2->108 12 Taxinvoice1198691264#U00b7pdf.exe 27 2->12         started        16 Windows.exe 19 2->16         started        18 rdpvideominiport.sys 2->18         started        20 2 other processes 2->20 signatures3 process4 file5 76 C:\Users\user\AppData\...\CCUpdate.exe, PE32 12->76 dropped 78 C:\Users\user\AppData\Local\...\System.dll, PE32 12->78 dropped 134 Drops PE files to the document folder of the user 12->134 136 Drops script or batch files to the startup folder 12->136 138 Adds a directory exclusion to Windows Defender 12->138 140 Tries to detect Any.run 12->140 22 Taxinvoice1198691264#U00b7pdf.exe 5 14 12->22         started        80 C:\Users\user\AppData\Local\...\System.dll, PE32 16->80 dropped 27 WerFault.exe 21 16->27         started        signatures6 process7 dnsIp8 96 googlehosted.l.googleusercontent.com 142.250.185.129, 443, 49834, 49843 GOOGLEUS United States 22->96 98 drive.google.com 142.250.186.110, 443, 49833, 49842 GOOGLEUS United States 22->98 68 C:\Users\user\Documents\Windows.exe, PE32 22->68 dropped 70 C:\Users\user\...\Documents:ApplicationData, PE32 22->70 dropped 72 C:\Users\user\...\Windows.exe:Zone.Identifier, ASCII 22->72 dropped 74 2 other malicious files 22->74 dropped 118 Creates files in alternative data streams (ADS) 22->118 120 Adds a directory exclusion to Windows Defender 22->120 122 Tries to detect Any.run 22->122 124 2 other signatures 22->124 29 Windows.exe 19 22->29         started        33 powershell.exe 23 22->33         started        file9 signatures10 process11 file12 82 C:\Users\user\AppData\Local\...\System.dll, PE32 29->82 dropped 142 Multi AV Scanner detection for dropped file 29->142 144 Adds a directory exclusion to Windows Defender 29->144 146 Tries to detect Any.run 29->146 35 Windows.exe 5 28 29->35         started        40 conhost.exe 33->40         started        signatures13 process14 dnsIp15 90 pressurem002.duckdns.org 91.193.75.152, 2345, 49844 DAVID_CRAIGGG Serbia 35->90 92 127.0.0.1 unknown unknown 35->92 94 192.168.11.1 unknown unknown 35->94 60 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 35->60 dropped 62 C:\Users\user\AppData\Local\Temp\nss3.dll, PE32 35->62 dropped 64 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 35->64 dropped 66 6 other files (3 malicious) 35->66 dropped 110 Hides user accounts 35->110 112 Tries to harvest and steal browser information (history, passwords, etc) 35->112 114 Writes to foreign memory regions 35->114 116 4 other signatures 35->116 42 25.exe 35->42         started        46 powershell.exe 35->46         started        48 cmd.exe 35->48         started        file16 signatures17 process18 dnsIp19 100 239.255.255.250, 1900 unknown Reserved 42->100 126 Antivirus detection for dropped file 42->126 128 Multi AV Scanner detection for dropped file 42->128 130 Uses netsh to modify the Windows network and firewall settings 42->130 132 Modifies the windows firewall 42->132 50 netsh.exe 42->50         started        52 WerFault.exe 42->52         started        54 conhost.exe 46->54         started        56 conhost.exe 48->56         started        signatures20 process21 process22 58 conhost.exe 50->58         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef56f8c0615d059de3d0f669b651d38caf535155878ff4bc7d1b1a62abd45213/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=55lprqdblucz3y6q6zu3muotrsxvgukvq6h7jpd5dmngfk6ukijq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:warzonerat downloader evasion infostealer persistence rat upx
Link:
https://tria.ge/reports/230208-jps6dahf68/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Checks QEMU agent file
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
UPX packed file
Modifies Windows Firewall
Guloader,Cloudeye
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
MD5 hash:
17ed1c86bd67e78ade4712be48a7d2bd
SHA1 hash:
1cc9fe86d6d6030b4dae45ecddce5907991c01a0
Link:
https://www.unpac.me/results/fed188aa-c6eb-47f1-81d8-591785ffd627/
SH256 hash:
194f9df745d5146d334b0e7c8e4afef13cff0f02da3f68bcee8845d26bedb037
MD5 hash:
fd4bc4a2c95d26f61ecb26672415221f
SHA1 hash:
ef1f60af264a21b191beaf2c5ca0204630f1dd1c
Link:
https://www.unpac.me/results/fed188aa-c6eb-47f1-81d8-591785ffd627/
SH256 hash:
ef56f8c0615d059de3d0f669b651d38caf535155878ff4bc7d1b1a62abd45213
MD5 hash:
d64248de7641b1efd1137fcb3d5b5023
SHA1 hash:
841e007277d085f43afecba308ad7e0edee81dcc
Link:
https://www.unpac.me/results/fed188aa-c6eb-47f1-81d8-591785ffd627/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef56f8c0615d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.02
Link:
https://yomi.yoroi.company/submissions/ef56f8c0615d059de3d0f669b651d38caf535155878ff4bc7d1b1a62abd45213

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/361820/

Comments