MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1dfcccdd32ed323bbe2749f317ce31dc0b9ae06c8972558d76b46df0b437d30e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AveMariaRAT
Vendor detections: 7
SHA256 hash: 1dfcccdd32ed323bbe2749f317ce31dc0b9ae06c8972558d76b46df0b437d30e
SHA3-384 hash: 674deaa939f695b97962d8a9846893335ecc39eeae79ee11dbefe3142b2380dc5d98cde3a06bef729acc211a9b385ff4
SHA1 hash: 238481c1679e119fbce6453afcb6b62aa349e4d8
MD5 hash: 3c1002fea3af96e1a3931e67241b1ecf
humanhash: chicken-blossom-emma-alabama
File name: 3c1002fea3af96e1a3931e67241b1ecf
Signature: AveMariaRAT
File size: 636'765 bytes
First seen: 2022-09-27 10:21:27 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 12288:fESIR+qIGxDmjS6tDxFixuqyA1eyxvczVnfO:s7+326tPCneuM9O
TLSH: T1F2D423A709299902DFA6F4F3D32B9BE44693D3D45BC1534A8E301B8A6B225F0327C5D7
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1); 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: zbetcheckin
Tags: AveMariaRAT zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 391
Origin country: n/a
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm formbook packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2022-09-21 10:33:27 UTC
File Type: Binary (Archive)
Extracted files: 29
AV detection: 22 of 26 (84.62%)
Threat level: 5/5

Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat infostealer persistence rat
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction: 171.22.30.72:52011

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: AveMariaRAT
File type: zip
SHA256: 1dfcccdd32ed323bbe2749f317ce31dc0b9ae06c8972558d76b46df0b437d30e (this sample)
Delivery method: Distributed via web download

Comments

zbet commented on 2022-09-27 10:21:33 UTC

url : hxxp://172.245.120.8/Aj%C3%A1nlatk%C3%A9r%C3%A9s%20sz%C3%A1m222109%C2%B710397%C2%B7pdf.zip