MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ee560598acfc546632e9f4aaece6b45db4926a766cb4d5cc1235d226fd1145b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ee560598acfc546632e9f4aaece6b45db4926a766cb4d5cc1235d226fd1145b
SHA3-384 hash: 92bb3295da39adf683a9693342476df41c81074975232ccfe3365f3897b25f65c2f46d728169554f9b757bdb5118cebe
SHA1 hash: c4aa8318cdca6e6829657862e0752c02c4cee336
MD5 hash: 0b12cd33afdb24c60e2a6cccdd1a508e
humanhash: berlin-summer-pip-juliet
File name:Order specification details & P.O.xls.z
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:248'348 bytes
First seen:2023-10-05 08:39:48 UTC
Last seen:Never
File type: z
MIME type:application/x-rar
ssdeep 6144:eXbi8SnPX0ejtvLVR8GGs5H3nFQ95Y/+weA3q7V8zHX:eXbZSJKst3nqKeQQoHX
TLSH T11434239D041E1B6C9E5879234580743BAFCD183DBAC692043E42DD60DE34B295F3F6BA
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:AveMariaRAT z


Avatar
cocaman
Malicious email (T1566.001)
From: "Goh <goh@appearhuman.com>" (likely spoofed)
Received: "from htp.appearhuman.com (unknown [91.203.6.57]) "
Date: "04 Oct 2023 20:36:06 -0700"
Subject: "Re: Order_specification For bankucb1.com"
Attachment: "Order specification details & P.O.xls.z"

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
64.188.20.119:5200 https://threatfox.abuse.ch/ioc/1183037/

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Order specification details & P.O.exe
File size:300'862 bytes
SHA256 hash: 4732c2a4e78e5f416cf1d7abf28c1991e45ac8706fbab576b84f0b72d0288d2f
MD5 hash: ff347cfc7f5bc51e626366aa9099e2d1
MIME type:application/x-dosexec
Signature AveMariaRAT
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/651e76641e07d7e1e9b19343/reports/be91bffe-c986-4842-ab06-99a46e1e71ab/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0ee560598acfc546632e9f4aaece6b45db4926a766cb4d5cc1235d226fd1145b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ee560598acfc546632e9f4aaece6b45db4926a766cb4d5cc1235d226fd1145b/
Threat name:
Win32.Backdoor.Warzone
Create hunting rule
Status:
Suspicious
First seen:
2023-10-05 04:11:38 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b3swawmkz7cumyzot5fk5ttlixnusjvhm3fu2xgbenose36rcrnq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ee560598acfc546632e9f4aaece6b45db4926a766cb4d5cc1235d226fd1145b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Windows_Trojan_AveMaria_31d2bce9
Create hunting rule
Author:Elastic Security
Rule name:win_ave_maria_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

z 0ee560598acfc546632e9f4aaece6b45db4926a766cb4d5cc1235d226fd1145b

(this sample)

AveMariaRAT

Executable exe 4732c2a4e78e5f416cf1d7abf28c1991e45ac8706fbab576b84f0b72d0288d2f

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 4732c2a4e78e5f416cf1d7abf28c1991e45ac8706fbab576b84f0b72d0288d2f
  
Dropping
AveMariaRAT

Comments