MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15aa6740e95e630a0a4547e21e9008e46f46b599aa356686fcbe4448da25560c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 18 File information Comments

SHA256 hash:	15aa6740e95e630a0a4547e21e9008e46f46b599aa356686fcbe4448da25560c
SHA3-384 hash:	55e8e6654737e14cd394bb84f223c1d336f3f26ebb4fac9a801be2217d17f485e0711158adeecd446aea811f132980de
SHA1 hash:	35e7717f37eec7ffa2e07c7f46089b3c11fd7a1a
MD5 hash:	49d8e3f56470245454924814ddbae92c
humanhash:	fish-mexico-lion-venus
File name:	Details5621Opuqhzrxqhaycmmxkaywlkktoonbomxuaj.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	751'616 bytes
First seen:	2022-07-20 15:15:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a1fe30710cd81c908b0878e166e653d4 (2 x DBatLoader, 2 x RemcosRAT, 1 x Formbook)
ssdeep	12288:mDVyc7hRZ/ksbXlwv/qcAD/reQynzySzQrtVSX3x7FRSRjAf2rDNtl2aCHVVIHg:O9j1ksXev/qcADPyzySzWtVSn52pAf2s
Threatray	3'954 similar samples on MalwareBazaar
TLSH	T164F49E71E3F0CE36C17A063F5C2B76A59C2D7E112929F84A26E47D885FF828135291E7
TrID	26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4) 24.5% (.SCR) Windows screen saver (13101/52/3) 19.7% (.EXE) Win64 Executable (generic) (10523/12/4) 8.4% (.EXE) Win32 Executable (generic) (4505/5/1) 5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):
dhash icon	27d0d8d6d6d8d023 (11 x RemcosRAT, 6 x DBatLoader, 5 x ModiLoader)
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

abuse_ch

AveMariaRAT C2:
134.19.179.243:9145

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
134.19.179.243:9145	https://threatfox.abuse.ch/ioc/838862/

Intelligence

File Origin

# of uploads :

# of downloads :

378

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/292955/

Detection(s):

SecuriteInfo.com.Variant.Zusy.433412.14211.20160.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% directory

Reading critical registry keys

Creating a file in the %temp% directory

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/26859/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware keylogger obfuscated packed

Link:

https://www.filescan.io/uploads/62d81c1361945a46c8d6cf16/reports/7b9de293-4143-4d80-811c-8cacfb6593da/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AveMaria, UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1037667

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/15aa6740e95e630a0a4547e21e9008e46f46b599aa356686fcbe4448da25560c/

Threat name:

Win32.Trojan.Remcos

Status:

Malicious

First seen:

2022-07-20 15:16:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 39 (41.03%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cwvgoqhjlzrqucsfi7rb5eai4rxunnmzvi2wnbx4xzcerwrfkyga._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

1c01c5a95d637bd542273db79548f463e2821fda9c82d972050754b68c0025e2

AveMariaRAT

36981ea2e9ccb73809a6fe8956552f0e84a39e7684fc1982b6f52a2ce0ffd11d

AveMariaRAT

549d8f67e615fb4a17084e884f285947b9a4cd6c46bdd32d18bf44e71993fac4

AveMariaRAT

6a388696745c133ba5ea711f6413c3c10c082df2d70ca70b2f015c5f83c53c75

AveMariaRAT

755563f333f32b67a9920bc004ca720c9ad07a7d04d0f29fbbc0e7c634973ef6

AveMariaRAT

9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf

AveMariaRAT

f3c1c5cfc3e095b3ae94a810e13d707bc0e7b07ab3c6ecc9f165729a48c1cb4b

AveMariaRAT

f43ec67b5158f58273a216cbc49003c55b8f0e6316a3390823348924e38507be

AveMariaRAT

+ 3'944 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:modiloader family:warzonerat collection infostealer persistence rat trojan

Link:

https://tria.ge/reports/220720-snfy4aggh5/

Behaviour

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Adds Run key to start application

Loads dropped DLL

ModiLoader Second Stage

Warzone RAT payload

ModiLoader, DBatLoader

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

alukoren.duckdns.org:9145

Unpacked files

SH256 hash:

e5cee39f56c43d207f40862077d5b015e62929ff21f9de4e45c3b958c8947770

MD5 hash:

0de7dbbda445e257c9169774b9a8000b

SHA1 hash:

23ab78a6fdd513f2b3877efc92a71fe7d44db0db

Link:

https://www.unpac.me/results/022046fa-3f1e-4f29-81a6-7d1337307188/

SH256 hash:

15aa6740e95e630a0a4547e21e9008e46f46b599aa356686fcbe4448da25560c

MD5 hash:

49d8e3f56470245454924814ddbae92c

SHA1 hash:

35e7717f37eec7ffa2e07c7f46089b3c11fd7a1a

Link:

https://www.unpac.me/results/022046fa-3f1e-4f29-81a6-7d1337307188/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/15aa6740e95e630a0a4547e21e9008e46f46b599aa356686fcbe4448da25560c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2_RID2C2E Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/292955/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample