MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1814342a47e6ea264ef34d80e36d9363a83d4a2d09a6eaf8fb2759f59697dd74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 11 File information Comments

SHA256 hash:	1814342a47e6ea264ef34d80e36d9363a83d4a2d09a6eaf8fb2759f59697dd74
SHA3-384 hash:	0bcfd1d9150d6d4c00fdee4556e14f55808f504faa543f42fc42db4263235aa31a5a89314debb7e2e70a7e170d039ad0
SHA1 hash:	7375eabd4c19200d12a4fbc084c3184af718c5f1
MD5 hash:	36831003460b60b8aa1af55db5ec6c7b
humanhash:	magazine-autumn-freddie-table
File name:	images0008.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	326'570 bytes
First seen:	2021-12-07 14:09:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:jGiYYzJ08gGhiVwxTH+Xx2VFRzphz3KIF64xkEyLl48C7h5:hWSiVO+XMVFRzphTKm5+XLl+7
Threatray	3'306 similar samples on MalwareBazaar
TLSH	T15364126AF9D12C63D997177302727A38D2FF5EA4D2338B5FA709FE565232003B422A45
File icon (PE):
dhash icon	74e0e2e2e4e4e40b (1 x RemcosRAT, 1 x AveMariaRAT)
Reporter	pr0xylife
Tags:	AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

176

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

images0008.exe

Verdict:

Malicious activity

Analysis date:

2021-12-07 14:11:46 UTC

Tags:

installer

Link:

https://app.any.run/tasks/0d5a60ce-bc96-472b-a61b-373c44dd39ca

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/212183/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Delayed reading of the file

Creating a window

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Сreating synchronization primitives

DNS request

Launching a process

Creating a process with a hidden window

Launching cmd.exe command interpreter

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Setting a keyboard event handler

Sending an HTTP GET request

Creating a file in the Program Files subdirectories

Launching a service

Loading a system driver

Creating a file in the Windows subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun for a service

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/1229/overview

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/61af6b3dfa72c81b5b1019ad/reports/06527f42-25c5-4975-8946-056874a47e41/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AVE_MARIA

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3ea6445a-2111-4238-8d15-6db1e681d6aa

Result

Threat name:

AveMaria UACMe

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/903110

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/1814342a47e6ea264ef34d80e36d9363a83d4a2d09a6eaf8fb2759f59697dd74/

Threat name:

Win32.Trojan.AveMariaRAT

Status:

Malicious

First seen:

2021-12-07 14:10:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dakdiksh43vcmtxtjwaog3mtmoud2srnbgtov6h3e5m7lfux3v2a._file

Verdict:

malicious

Label(s):

agenttesla

avemaria

hawkeyekeylogger

AveMariaRAT

4f545eb8ba5c677124256edb92f504d8d3a408d8cc4b08953ae72b2c02d11597

AveMariaRAT

53d45018a6164dbd7d2cfeeb0c158d67b60c32dc31a10b3810d714b6b179a843

AveMariaRAT

7331846b7486706bb089a60a9885b54b37c432bf8bfc0de738573f0d2ceb487b

AveMariaRAT

7874dba4574e453fe396d85635c7247d9b769e3d3b5b1011bddb0f0c4d26948d

AveMariaRAT

7f6b099267911103a2ed4968d73900bbdc667fde2d574fe8300f891a25a33f55

AveMariaRAT

8bd87aa08be3aebea3031d2ed817267f3b0a8272e39f396ae4ab4de256956455

AveMariaRAT

9424157324166005c9d1e7304701d70ca83384259cafcf006a0b4ac1d2055acc

AveMariaRAT

f15224a9cc3713a1ffff26de7d7e962bafa436c98962d2f7cc2bbdcf47c977a6

AveMariaRAT

+ 3'296 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat collection infostealer persistence rat spyware stealer

Link:

https://tria.ge/reports/211207-rgqdhschd9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Drops file in System32 directory

Accesses Microsoft Outlook profiles

Adds Run key to start application

Modifies WinLogon

Loads dropped DLL

Reads user/profile data of web browsers

Sets DLL path for service in the registry

Warzone RAT Payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

185.157.161.174:1975

Unpacked files

SH256 hash:

1814342a47e6ea264ef34d80e36d9363a83d4a2d09a6eaf8fb2759f59697dd74

MD5 hash:

36831003460b60b8aa1af55db5ec6c7b

SHA1 hash:

7375eabd4c19200d12a4fbc084c3184af718c5f1

Link:

https://www.unpac.me/results/b7c2155d-9af6-4c70-9acc-30ef447de812/

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1814342a47e6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.23

Link:

https://yomi.yoroi.company/submissions/1814342a47e6ea264ef34d80e36d9363a83d4a2d09a6eaf8fb2759f59697dd74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/212183/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample