MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ff6edaf3533a3627afc5e2d74446e0c315087afe958b5fb2cc0a7ccb793d501. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ff6edaf3533a3627afc5e2d74446e0c315087afe958b5fb2cc0a7ccb793d501
SHA3-384 hash: cc7f7e140e6aff3aa57ce952b52c101e891bbe1ad75605f4b1e9b3f56f6044399bcf76aa929b6cb3b87af91b61757542
SHA1 hash: 75da6e3335b0dd01417c4d3f64fa96bd01941b35
MD5 hash: dc6b553661c49656e68757c397239df0
humanhash: london-oregon-queen-lemon
File name:dc6b553661c49656e68757c397239df0
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:740'864 bytes
First seen:2021-06-23 11:02:47 UTC
Last seen:2021-06-23 11:46:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c3f32a5a9887698ede69b21a2d37fd6f (2 x Formbook, 1 x AveMariaRAT)
ssdeep 12288:XTnjcRRQA6nHTLYhi3pw45sVETpVnb7x37Yq:XTj66nHTb9QETppb7x30
Threatray 1'053 similar samples on MalwareBazaar
TLSH 06F49DF5722244F3D827BA7FD80A63C4E90E7DD5BE04ACC5A5E47E0A5E39394785A083
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://179.43.140.150/khuh/twd.exe
Verdict:
No threats detected
Analysis date:
2021-06-23 10:47:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2ee31741-db84-4975-a06f-3041f0351f96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167788/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf29873a-06f8-43ec-bc2a-8f9c7628339c
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806525
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 438936 Sample: 0ZQNzv3MyU Startdate: 23/06/2021 Architecture: WINDOWS Score: 100 40 cdn.discordapp.com 2->40 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 6 other signatures 2->52 9 0ZQNzv3MyU.exe 1 23 2->9         started        14 Jkryash.exe 2->14         started        16 Jkryash.exe 2->16         started        signatures3 process4 dnsIp5 44 cdn.discordapp.com 162.159.134.233, 443, 49694, 49695 CLOUDFLARENETUS United States 9->44 38 C:\Users\Public\Libraries\...\Jkryash.exe, PE32 9->38 dropped 62 Writes to foreign memory regions 9->62 64 Allocates memory in foreign processes 9->64 66 Creates a thread in another existing process (thread injection) 9->66 68 Injects a PE file into a foreign processes 9->68 18 dialer.exe 3 4 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        70 Multi AV Scanner detection for dropped file 14->70 72 Machine Learning detection for dropped file 14->72 file6 signatures7 process8 dnsIp9 42 adebaree.duckdns.org 199.249.223.130, 49696, 9145 QUINTEXUS United States 18->42 54 Tries to steal Mail credentials (via file access) 18->54 56 Tries to harvest and steal browser information (history, passwords, etc) 18->56 58 Increases the number of concurrent connection per server for Internet Explorer 18->58 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->60 26 reg.exe 1 22->26         started        28 conhost.exe 22->28         started        30 cmd.exe 1 24->30         started        32 conhost.exe 24->32         started        signatures10 process11 process12 34 conhost.exe 26->34         started        36 conhost.exe 30->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ff6edaf3533a3627afc5e2d74446e0c315087afe958b5fb2cc0a7ccb793d501/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-23 11:03:09 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
122ef85900670d4776f3afdbe676d59c23c4cd9944b9d392eb9a446b3bb40dde
AveMariaRAT
1ec80487df001c0f6d41a90bbe2451242977a6f36a276d6eefa8aef0f593ab6b
AveMariaRAT
5cbed2f8a5fdadbd99816c4c8792bd51a2db7479f80bf70409f0f257f942d0c9
AveMariaRAT
5f0161e643adfaeca9dc6918e8cc29fc85ecdcf6727afd601649068f1e36a814
AveMariaRAT
688db922ed6771475dc6c379990567dc7e07ecaa848ada113472d1021eb02926
AveMariaRAT
803ed954a2fbfa36e1b154d7b1b6b270021eb72583d5a876e5aaedd728c39cc7
AveMariaRAT
9b342770fe4594e3a6d22b0b8d50269f8c749fb6d43c4f22d6ba48ddbff23bb4
AveMariaRAT
a67866e26c35be123728faf13ab166a05eb79ad7e8c6c79768ea059326d5cb60
AveMariaRAT
b5633b89bc09a7e0bfdb617572df279f2a08518ffe186ad3c372f2b53c210996
AveMariaRAT
b59b27b89189fc7fd98bc8f8a70d7d500907439cba4303c1eb812532fa2bc96f
AveMariaRAT
+ 1'043 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210623-w79nt6nwzj/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
adebaree.duckdns.org:9145
Unpacked files
SH256 hash:
a962b300b10f701e3a3c8b4691a11161dd919a542e3ee79b890bfef413c15aa8
MD5 hash:
78c33a69fd2a9e77abcd07eed8b13cf7
SHA1 hash:
dc698bff43357d0e1b5e9c8ccfdf28e2a190aa02
Link:
https://www.unpac.me/results/6b38bf8d-b664-4139-9765-940ab8896ff2/
SH256 hash:
0ff6edaf3533a3627afc5e2d74446e0c315087afe958b5fb2cc0a7ccb793d501
MD5 hash:
dc6b553661c49656e68757c397239df0
SHA1 hash:
75da6e3335b0dd01417c4d3f64fa96bd01941b35
Link:
https://www.unpac.me/results/6b38bf8d-b664-4139-9765-940ab8896ff2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ff6edaf3533a3627afc5e2d74446e0c315087afe958b5fb2cc0a7ccb793d501

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 0ff6edaf3533a3627afc5e2d74446e0c315087afe958b5fb2cc0a7ccb793d501

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/167788/

Comments