MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10aa2cc0619a0897cd733a107f57251340c23f6ff623dba71fc809202337c80b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10aa2cc0619a0897cd733a107f57251340c23f6ff623dba71fc809202337c80b
SHA3-384 hash: 15df17dcd82090a71fca5d37649790b09ae71439a18af07aa192106b0c330f1798f3f0c994b1e976ee8aed4f1add1899
SHA1 hash: e94265d8b4fa9bd43331a7430a342e02ae9a2c08
MD5 hash: 9773377884d3b259110a613e45ce6e96
humanhash: delta-mike-lithium-cold
File name:RFQ_Quote 07 13 2023 -99994302.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:21'504 bytes
First seen:2023-07-13 06:35:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:PDwTh/tmqwwi2CNiXqzFfu/h2LZq8tP3vNMfB5kR7:7mONwSfxLAQPfif07
Threatray 102 similar samples on MalwareBazaar
TLSH T14EA28500367D5B53C87B83F429A6531913F9291F2471FBA68DC6F4D638BAF004A81E2B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AveMariaRAT exe RFQ

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_Quote 07 13 2023 -99994302.exe
Verdict:
Malicious activity
Analysis date:
2023-07-13 06:37:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ec7e84ff-255e-4c23-a318-236218e13e72

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/417254/
Detection(s):
SecuriteInfo.com.Heur.5087.16882.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating a file in the %AppData% directory
Reading critical registry keys
Creating a file in the %temp% directory
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64af9b57730800029d38e2b7/reports/4794cf80-dfec-4d3b-bebd-776b1d4d9fb4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/10aa2cc0619a0897cd733a107f57251340c23f6ff623dba71fc809202337c80b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a11ed35-5c7e-4de8-847b-fb59e09cc4bc
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1272228
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1272228 Sample: RFQ_Quote_07_13_2023_-99994... Startdate: 13/07/2023 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 6 other signatures 2->48 7 RFQ_Quote_07_13_2023_-99994302.exe 15 4 2->7         started        11 RFQ_Quote_07_13_2023_-99994302.exe 2 2->11         started        process3 dnsIp4 32 filetransfer.io 188.114.97.7, 443, 49680, 49681 CLOUDFLARENETUS European Union 7->32 34 s26.filetransfer.io 7->34 30 C:\...\RFQ_Quote_07_13_2023_-99994302.exe.log, ASCII 7->30 dropped 13 RFQ_Quote_07_13_2023_-99994302.exe 3 4 7->13         started        17 cmd.exe 3 7->17         started        20 RFQ_Quote_07_13_2023_-99994302.exe 7->20         started        36 188.114.96.7, 443, 49683 CLOUDFLARENETUS European Union 11->36 38 s26.filetransfer.io 11->38 22 RFQ_Quote_07_13_2023_-99994302.exe 1 11->22         started        file5 process6 dnsIp7 40 84.38.130.205, 49682, 58146 DATACLUBLV Latvia 13->40 50 Tries to steal Mail credentials (via file / registry access) 13->50 52 Tries to harvest and steal browser information (history, passwords, etc) 13->52 54 Increases the number of concurrent connection per server for Internet Explorer 13->54 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->56 26 C:\...\RFQ_Quote_07_13_2023_-99994302.exe, PE32 17->26 dropped 28 RFQ_Quote_07_13_20...exe:Zone.Identifier, ASCII 17->28 dropped 58 Drops PE files to the startup folder 17->58 24 conhost.exe 17->24         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10aa2cc0619a0897cd733a107f57251340c23f6ff623dba71fc809202337c80b/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-13 04:40:31 UTC
File Type:
PE (.Net Exe)
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ccvczqdbtiejptlthiih6vzfcnamep3p6yr5xjy7zaesaizxzafq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0db986d1314a3c9ee0e3a30e853ee6f258eeab311117826856a58db70bdf265a
AveMariaRAT
17db20ebfbce957562eb47a2a0db1a052df6352613d554fe707fae58b8975f81
AveMariaRAT
28899cd77a674fd8fc103e44aa12ce58b76dadcdcdecca0637c774df8dbdc61c
AveMariaRAT
3e61ff7da9c135135af8936d7fb362a285b02c6431c8614eda55d2cce3bf3ff7
AveMariaRAT
77db79af2f66fb41ede6dbb5c11e2864569f9781f5e78b06427e904a60505277
AveMariaRAT
853e1ec7d4d8fa449d88746cab1bfac6074e0d81e9a26ef6948793059e9bd781
AveMariaRAT
d0a840fa6a505cfceb3c1b6d9b4e36de649a4a1535cfd7e28310b058ca7b9057
AveMariaRAT
fb9d0187ef58360b6877dc38f0509030b2e7d57d060deae2bb6e3233dda8f47d
AveMariaRAT
+ 92 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer rat spyware stealer
Link:
https://tria.ge/reports/230713-hcxglafe92/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
84.38.130.205:58146
Unpacked files
SH256 hash:
10aa2cc0619a0897cd733a107f57251340c23f6ff623dba71fc809202337c80b
MD5 hash:
9773377884d3b259110a613e45ce6e96
SHA1 hash:
e94265d8b4fa9bd43331a7430a342e02ae9a2c08
Link:
https://www.unpac.me/results/ca147be4-1797-431a-beb4-df28aace5fad/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

xz 8a8f07c548f5ee402b359c3c874d56151164b0ca147b2187371b7770a11acfc2

AveMariaRAT

Executable exe 10aa2cc0619a0897cd733a107f57251340c23f6ff623dba71fc809202337c80b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 8a8f07c548f5ee402b359c3c874d56151164b0ca147b2187371b7770a11acfc2
Cape
Cape
https://www.capesandbox.com/analysis/417254/
  
Dropped by
MD5 03db8c848cf3fc80ee9a475df0ca169a

Comments