MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef99e792e4cd56d866ebc4e60723e7500f36586d9df7e45a629975495d94b357. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	ef99e792e4cd56d866ebc4e60723e7500f36586d9df7e45a629975495d94b357
SHA3-384 hash:	9aa03a0fd20a6e012c76041e2ab62e2ef8ca537e714f22f435b81248425c53f2177e172b4c96b464ac414bed37b18f1f
SHA1 hash:	af15192ef2578e846647a11ec2e55243db577666
MD5 hash:	a14138c90076a4cc36d859de2faabf81
humanhash:	one-eighteen-table-vegan
File name:	2eb24ea0a335e87450800cb9944a8685.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	131'584 bytes
First seen:	2020-04-03 19:23:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c2b786a696586e9c02e9379099893977 (1 x AveMariaRAT)
ssdeep	1536:q7C1cA/aUbRdP0oBAPUphieNA+zKFixdVE0zRJG2WLBw61:q71edP99weNAQKFWVE0C2E
Threatray	423 similar samples on MalwareBazaar
TLSH	EBD3BF13F3D54831F7B602B009797F7ADBEEF971022889ABA79441879D31887EA21353
Reporter	abuse_ch
Tags:	AveMariaRAT exe GuLoader

abuse_ch

Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1JnhxZfNNie-ujOHn_4sC6FfkSQscQv-W

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PWS.Maria.4.17072.22484.UNOFFICIAL

SecuriteInfo.com.Trojan.PWS.Maria.3.30306.22950.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Mocrt

Status:

Malicious

First seen:

2020-04-03 19:36:03 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

3db0da97119509327c8a494c8a5beca070c6dc51c0fe9569de478cc41917ea5e

AveMariaRAT

5084295c61b6333540a33ee23df90c13e58c04884002f747be7412ed877e60db

AveMariaRAT

671f757dde09984e3f3672f5858e94bbd0cce45d17620d3727364067768c984e

AveMariaRAT

685aa7fb0c1c641e7435711c144609ca72f57eaf5f32ce332e193ee55ceb844f

AveMariaRAT

7ff8f569a151047f25f2f858e562e4b5b54d9af822105780f6c8a91ec4740124

AveMariaRAT

8e944862dbed48bf69c402e4d8b58b87092b9154e127f6786ef47132148177b7

AveMariaRAT

9d71c01a2e63e041ca58886eba792d3fc0c0064198d225f2f0e2e70c6222365c

AveMariaRAT

c4455526cf7405d73b9921ccbfc495da018d97d12ae5590d20720894a88b4d72

AveMariaRAT

da1305da0ae76ad97c57d683d406bb1c45bc112199504df3eb6e62b516696e6a

AveMariaRAT

+ 413 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

5dd75436c153e8d803639fdd7be8980f9340405cf80fdc478ad50efbf0bab1b4

AveMariaRAT

exe ef99e792e4cd56d866ebc4e60723e7500f36586d9df7e45a629975495d94b357

(this sample)

Dropped by

MD5 2eb24ea0a335e87450800cb9944a8685

Dropped by

MD5 e30fc4eb85ea40e26b7c08295933bcac

Dropped by

GuLoader

Dropped by

SHA256 5dd75436c153e8d803639fdd7be8980f9340405cf80fdc478ad50efbf0bab1b4

Dropped by

SHA256 5b15e0bb8db44c423ba7993bbca158819e685e60e6e643859343e4e732d74fce

URLhaus

https://urlhaus.abuse.ch/url/334730/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::FreeSid ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity
DP_API	Uses DP API	CRYPT32.dll::CryptUnprotectData
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::SetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExA SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
URL_MONIKERS_API	Can Download & Execute components	urlmon.dll::URLDownloadToFileW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateRemoteThread KERNEL32.dll::CreateProcessW KERNEL32.dll::CreateProcessA KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::VirtualAllocEx
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WinExec
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW SHELL32.dll::SHCreateDirectoryExW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::LookupAccountSidW ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegOpenKeyExW
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::freeaddrinfo WS2_32.dll::getaddrinfo
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::ChangeServiceConfigW ADVAPI32.dll::OpenSCManagerW ADVAPI32.dll::OpenServiceW ADVAPI32.dll::QueryServiceConfigW ADVAPI32.dll::StartServiceW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample