MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1dfcccdd32ed323bbe2749f317ce31dc0b9ae06c8972558d76b46df0b437d30e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1dfcccdd32ed323bbe2749f317ce31dc0b9ae06c8972558d76b46df0b437d30e
SHA3-384 hash: 674deaa939f695b97962d8a9846893335ecc39eeae79ee11dbefe3142b2380dc5d98cde3a06bef729acc211a9b385ff4
SHA1 hash: 238481c1679e119fbce6453afcb6b62aa349e4d8
MD5 hash: 3c1002fea3af96e1a3931e67241b1ecf
humanhash: chicken-blossom-emma-alabama
File name:3c1002fea3af96e1a3931e67241b1ecf
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:636'765 bytes
First seen:2022-09-27 10:21:27 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:fESIR+qIGxDmjS6tDxFixuqyA1eyxvczVnfO:s7+326tPCneuM9O
TLSH T1F2D423A709299902DFA6F4F3D32B9BE44693D3D45BC1534A8E301B8A6B225F0327C5D7
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter zbetcheckin
Tags:AveMariaRAT zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
391
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.6660.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL
Create hunting rule

Win.Dropper.Formbook-9970817-0
Create hunting rule

Sanesecurity.Malware.27245.ZipHeur.HideExt.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm formbook packed
Link:
https://www.filescan.io/uploads/6332cecb665fcdb8807a316c/reports/4eebe14a-a671-4388-be95-a18907189f39/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/1dfcccdd32ed323bbe2749f317ce31dc0b9ae06c8972558d76b46df0b437d30e
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1dfcccdd32ed323bbe2749f317ce31dc0b9ae06c8972558d76b46df0b437d30e/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-09-21 10:33:27 UTC
File Type:
Binary (Archive)
Extracted files:
29
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dx6mzxjs5uzdxprhjhzrptrr3qfzvydmrfzfldlwwrw7bnbx2mha._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/220927-md8ngaedan/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
171.22.30.72:52011
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1dfcccdd32ed323bbe2749f317ce31dc0b9ae06c8972558d76b46df0b437d30e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

zip 1dfcccdd32ed323bbe2749f317ce31dc0b9ae06c8972558d76b46df0b437d30e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2315116/

Comments


Avatar
zbet commented on 2022-09-27 10:21:33 UTC

url : hxxp://172.245.120.8/Aj%C3%A1nlatk%C3%A9r%C3%A9s%20sz%C3%A1m222109%C2%B710397%C2%B7pdf.zip