MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c7de462833b7b4703c368f1a30b2cb20010211f91928e1f15dbac3e357210bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 10

SHA256 hash: 0c7de462833b7b4703c368f1a30b2cb20010211f91928e1f15dbac3e357210bc
SHA3-384 hash: c696e5f1fa43d848fc4ca204c5e6733a7082eb5075f0ce36e6ee88a8b17d2c17b1b27b3855b5eceae159cb7b3d5014d0
SHA1 hash: 517aeb0de6aef5b2daf14190d7a851209c56eb15
MD5 hash: bd2425f5585ee49dfe8f8b73909738b3
humanhash: kitten-kansas-romeo-quiet
File name: Readme.lnk
Signature: AveMariaRAT
File size: 33'134 bytes
First seen: 2023-09-18 15:09:36 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/octet-stream
ssdeep: 12:8MMlKm/3BVSXvk44X3ojsqzKtnWNl/xW+UcCsvXnCKeXRP00NVYHWKDiN37+lbYH:8lp/BHYVKVWPw+/CW3C7hPUarabFO
TLSH: T15CE261180FD21724D7B3CB3DACBAB311C9363C56DE514F9D019192846464511F4B9F2F
Reporter: abuse_ch
Tags: AveMariaRAT lnk

Intelligence

File Origin
# of uploads: 1
# of downloads: 215
Origin country: NL
Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs
URL: https://filebin.net/qksc7kcncap9iv46/Readme.hta'
File name: LNK File
Behaviour: BlacklistAPI detected

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Result
Verdict: MALICIOUS

Result
Threat name: AsyncRAT, AveMaria, UACMe, VenomRAT, Xmr
Detection: malicious
Classification: rans.phis.troj.adwa.spyw.expl.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to log keystrokes (.Net Source)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found URL in windows shortcut file (LNK)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potential dropper URLs found in powershell memory
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses powercfg.exe to modify the power settings
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected AveMaria stealer
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected UACMe UAC Bypass tool
Yara detected VenomRAT
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph: (interactive process graph not reproduced here) Behavior Graph ID: 1310143, Sample: Readme.lnk, Startdate: 18/09/2023, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-09-18 11:11:44 UTC
File Type: Binary
AV detection: 13 of 38 (34.21%)
Threat level: 2/5

Result
Malware family: warzonerat
Score: 10/10
Tags: family:asyncrat family:warzonerat botnet:default evasion infostealer rat themida trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Async RAT payload
Warzone RAT payload
AsyncRat
UAC bypass
WarzoneRat, AveMaria
Malware Config
C2 Extraction: remotes1338.hopto.org:5252
Dropper Extraction: https://filebin.net/qksc7kcncap9iv46/Readme.hta
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.

Rule name: EXE_in_LNK
Author: @bartblaze
Description: Identifies executable artefacts in shortcut (LNK) files.

Rule name: Long_RelativePath_LNK
Author: @bartblaze
Description: Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.

Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name: Script_in_LNK
Author: @bartblaze
Description: Identifies scripting artefacts in shortcut (LNK) files.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT
Shortcut (lnk) 0c7de462833b7b4703c368f1a30b2cb20010211f91928e1f15dbac3e357210bc (this sample)

Delivery method: Distributed via e-mail attachment

Comments