MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56
SHA3-384 hash: 7f7abb66742221ee49910ce0aa7cd37217314ec9664dfb0350c3cea6d31b9cf6e61115906c3dd783a33241bc542d3e8c
SHA1 hash: ad7d071afddbba4c7ea60f79936b498ad32cd9f9
MD5 hash: 4a36c902a2e841eb72be13a1741e8458
humanhash: maryland-pip-sad-item
File name:4a36c902a2e841eb72be13a1741e8458.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'389'216 bytes
First seen:2024-01-14 20:43:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWY/:8u0c++OCvkGs9Fa+rd1f26RaY/
TLSH T1EB55BF52E39EC2F0DE165172BA7DF71A2F3F3C254530B956AFC52D3AAD21021112DAA3
TrID 53.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.8% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon c4c0ccc8ccf4d4fc (23 x NetWire, 14 x AveMariaRAT, 11 x Formbook)
Reporter smica83
Tags:AveMariaRAT exe NetWiredRAT UKR WarzoneRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
379
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56.zip
Verdict:
Malicious activity
Analysis date:
2024-01-15 06:19:35 UTC
Tags:
netwire warzone
Link:
https://app.any.run/tasks/0f66cc88-2d64-4c4c-9884-64867dd24527

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/470824/
Detection(s):
Win.Trojan.Ulise-7135679-1
Create hunting rule

Win.Malware.Ulise-9940505-0
Create hunting rule

Win.Malware.Razy-6703914-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.Generic.vh.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Restart of the analyzed sample
Launching cmd.exe command interpreter
Launching a process
Creating a process with a hidden window
DNS request
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit crypto greyware keylogger netwire netwire overlay
Link:
https://www.filescan.io/uploads/65a4479359502c0e7b36ad05/reports/98a865e7-5411-4dec-9e46-1cc17bbb66cb/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d03c765c-ceec-4bf3-a65a-ddd65bc258ab
Result
Threat name:
AveMaria, NetWire, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1374496
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to log keystrokes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found stalling execution ending in API Sleep call
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected NetWire RAT
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1374496 Sample: wl7vfC3DCN.exe Startdate: 14/01/2024 Architecture: WINDOWS Score: 100 76 wealthyme.ddns.net 2->76 78 wealth.warzonedns.com 2->78 80 Wealthy2019.com.strangled.net 2->80 82 Multi AV Scanner detection for domain / URL 2->82 84 Found malware configuration 2->84 86 Malicious sample detected (through community Yara rule) 2->86 90 11 other signatures 2->90 9 wl7vfC3DCN.exe 4 2->9         started        13 RtDCpl64.exe 1 2->13         started        15 RtDCpl64.exe 1 2->15         started        17 4 other processes 2->17 signatures3 88 Uses dynamic DNS services 76->88 process4 file5 72 C:\Users\user\AppData\...\RtDCpl64.exe, PE32 9->72 dropped 74 C:\Users\user\AppData\Roaming\Blasthost.exe, PE32 9->74 dropped 120 Contains functionality to hide user accounts 9->120 122 Binary is likely a compiled AutoIt script file 9->122 124 Found stalling execution ending in API Sleep call 9->124 132 6 other signatures 9->132 19 Blasthost.exe 2 9->19         started        23 wl7vfC3DCN.exe 3 2 9->23         started        25 schtasks.exe 1 9->25         started        126 Antivirus detection for dropped file 13->126 128 Machine Learning detection for dropped file 13->128 130 Injects a PE file into a foreign processes 13->130 27 RtDCpl64.exe 2 13->27         started        33 2 other processes 13->33 29 RtDCpl64.exe 2 15->29         started        35 2 other processes 15->35 31 RtDCpl64.exe 17->31         started        37 9 other processes 17->37 signatures6 process7 file8 70 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 19->70 dropped 92 Antivirus detection for dropped file 19->92 94 Multi AV Scanner detection for dropped file 19->94 96 Contains functionality to log keystrokes 19->96 110 2 other signatures 19->110 39 Host.exe 19->39         started        98 Contains functionality to hide user accounts 23->98 100 Binary is likely a compiled AutoIt script file 23->100 102 Writes to foreign memory regions 23->102 104 Increases the number of concurrent connection per server for Internet Explorer 23->104 42 cmd.exe 1 23->42         started        44 conhost.exe 25->44         started        106 Allocates memory in foreign processes 27->106 108 Creates a thread in another existing process (thread injection) 27->108 46 cmd.exe 1 27->46         started        48 cmd.exe 29->48         started        50 cmd.exe 31->50         started        52 conhost.exe 33->52         started        54 conhost.exe 35->54         started        56 5 other processes 37->56 signatures9 process10 signatures11 112 Antivirus detection for dropped file 39->112 114 Multi AV Scanner detection for dropped file 39->114 116 Machine Learning detection for dropped file 39->116 118 Binary is likely a compiled AutoIt script file 42->118 58 conhost.exe 42->58         started        60 conhost.exe 46->60         started        62 conhost.exe 48->62         started        64 conhost.exe 50->64         started        66 conhost.exe 56->66         started        68 conhost.exe 56->68         started        process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56/
Threat name:
Win32.Trojan.Weecnaw
Create hunting rule
Status:
Malicious
First seen:
2024-01-12 19:04:00 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=akgcnlzwwcu235grvheryjjr4kcyb26rlurab7wfrsatg6atvzla._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:netwire family:warzonerat botnet infostealer rat stealer
Link:
https://tria.ge/reports/240114-zh5htseaf6/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Warzone RAT payload
NetWire RAT payload
Netwire
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
Wealthy2019.com.strangled.net:20190
wealthyme.ddns.net:20190
wealth.warzonedns.com:5202
Unpacked files
SH256 hash:
028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56
MD5 hash:
4a36c902a2e841eb72be13a1741e8458
SHA1 hash:
ad7d071afddbba4c7ea60f79936b498ad32cd9f9
Detections:
win_netwire_g1
Create hunting rule
AutoIT_Compiled
Create hunting rule
SUSP_Imphash_Mar23_3
Create hunting rule
netwire
Create hunting rule
Link:
https://www.unpac.me/results/f1a9451e-ff81-49af-9e8c-99351935a023/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/028c26af36b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2_RID2C2E
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_netwire_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:netwire
Create hunting rule
Author:jeFF0Falltrades
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:troj_win_warzonerat
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Detects WarzoneRAT.
Reference:https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/
Rule name:Windows_Trojan_AveMaria_31d2bce9
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Netwire_f42cb379
Create hunting rule
Author:Elastic Security
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/470824/

Comments