MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01582bad45f7bb1d0f24be06cbb2c3d1beaba05f9f24c5b40de301fc2c690ba6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01582bad45f7bb1d0f24be06cbb2c3d1beaba05f9f24c5b40de301fc2c690ba6
SHA3-384 hash: 845517fd6ea728d288f6dfe9c11f3b309c57cec50761c0a5ed65edf145c5d2d04b8779e67fb539edf8c5d36dff8cf05f
SHA1 hash: fb758dabce45c654d07ebb429726d19e1f3f98a0
MD5 hash: e1f7334b2a0dbacb0db735693a367e78
humanhash: snake-wisconsin-cardinal-xray
File name:PO_NGOC_2022-08.img.gz
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:491'189 bytes
First seen:2022-08-02 10:54:46 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 6144:D0fnfSBpWVJrllwIxTEEEtYD3S8EXaoI/wkMBDnjjZYQNzMyGSRRYAsBLVPUJqWk:D0fqE/sYD3MIIhjayG/1UUWrCPvh
TLSH T131A423C9701FF806BBA5DF395A0D0DD504FC379AC8D23881A95A8D53836DD5A7C68E70
Reporter cocaman
Tags:AveMariaRAT gz


Avatar
cocaman
Malicious email (T1566.001)
From: ""Dolly Zhou" <EXPRESS_ADG@ismarine.com.tr>" (likely spoofed)
Received: "from ismarine.com.tr (unknown [185.222.58.48]) "
Date: "01 Aug 2022 11:42:34 +0200"
Subject: "ORDER CONFIRMATION & ARTWORK"
Attachment: "PO_NGOC_2022-08.img.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject4.39103.15079.6023.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62e902fec4ff0c95024f029f/reports/16636112-d014-403e-9663-cbb4cbc2917c/overview
Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01582bad45f7bb1d0f24be06cbb2c3d1beaba05f9f24c5b40de301fc2c690ba6/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2022-08-01 05:13:50 UTC
File Type:
Binary (Archive)
Extracted files:
10
AV detection:
21 of 40 (52.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=afmcxlkf665r2dzexydmxmwd2g7kxic7t4smlnan4ma7yldjbota._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/220802-mz4xeafcal/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
76.8.53.138:1198
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01582bad45f7bb1d0f24be06cbb2c3d1beaba05f9f24c5b40de301fc2c690ba6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

gz 01582bad45f7bb1d0f24be06cbb2c3d1beaba05f9f24c5b40de301fc2c690ba6

(this sample)

AveMariaRAT

Executable exe b2753d2782d31f9b99932638271c4306ea84b61d38da3fe6468f5487b8508635

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b2753d2782d31f9b99932638271c4306ea84b61d38da3fe6468f5487b8508635
  
Dropping
AveMariaRAT

Comments