MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00eefa6efa1815770b9bcd826b985d67668194c98329e0c339060b9d22e6483d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00eefa6efa1815770b9bcd826b985d67668194c98329e0c339060b9d22e6483d
SHA3-384 hash: 5b4b24929e7bbeb82bd056ed6409e2ca532ce159b474846b42aba9d3f9579e9472926d90351354dc16111f6a1ec74856
SHA1 hash: e12d519f983448da4ae29d918ead7e5a1a7aeaa1
MD5 hash: d102d5c8bf9fa5a0034fcfdc759d5f01
humanhash: wyoming-black-diet-blue
File name:d102d5c8bf9fa5a0034fcfdc759d5f01.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:332'800 bytes
First seen:2020-05-25 12:27:23 UTC
Last seen:2020-05-25 14:29:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:yB8X8KMwtabsQD6jsHw3O9erzBjcs1qObGOzPCySckpbmeBZ:HHtjQUs/Wz9qObGQ/ScknB
Threatray 190 similar samples on MalwareBazaar
TLSH 2C64E0D1FB65A38DE1B85FF30BE2486C07163E065721EB8879C132CA39F970A15B0676
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
AveMariaRAT C2:
149.28.115.223:3404

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic.mg.d102d5c8bf9fa5a0.5331.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Avemaria
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 10:45:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
08c31318d635778eaaf19c55440ed58570e764db28339f3061d927d9f3643ce3
AveMariaRAT
349a52b2d011c6f570d87ca4706a644c0f4ab8a6b96decd522c2fd789ecf50ac
AveMariaRAT
3764a8690d829b849cc82babfb6dc75a3b6f812e46d3d9535c380c187534094e
AveMariaRAT
6e57b3151e696198fa799ccdc91d05ecee2462f5adc2ec5cd591b745165106e8
AveMariaRAT
767781b11adfbea680b8b77538ce011bbec0e3e3bb25df6d72b19344a4afa3f2
AveMariaRAT
785fb441663997067c0126c5574423d01242220e107db86c847ad8ea30752729
AveMariaRAT
7cf72bae10afa79e537315303bc0ffd4ab5159102347818158796b4a05692403
AveMariaRAT
b833d79953fe177a48a5832ce2606c41d00f0d5b9bd31ceb25d3055a3850c2f7
AveMariaRAT
d4898d4aec91b789a3abb2d9e103eb1111d783a05a119ef7d1db9ab3811a79c2
AveMariaRAT
ea0493a75251c59cbf9ae40a8c3ed4a0808adf8071f4c297d4fe52ead18962ef
AveMariaRAT
+ 180 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/201109-ctcjkdyd9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 00eefa6efa1815770b9bcd826b985d67668194c98329e0c339060b9d22e6483d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/367891/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/367892/

Comments