MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f83219e709b7a876c79306a5e0a7f1773a44e537b4223d74f2e4d2d2d805f11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 20 File information Comments

SHA256 hash:	1f83219e709b7a876c79306a5e0a7f1773a44e537b4223d74f2e4d2d2d805f11
SHA3-384 hash:	9e9672101f269c8ef190cc14556e3816657f66cdf72f7f01fc66e0fb959581fd2c2faf00e80a7e89b05487cb420d8858
SHA1 hash:	842eb9054b31caf8b91b93bc4a9475a6737a95e5
MD5 hash:	7f811cd3168b50a987154efb0a5e8543
humanhash:	double-kitten-april-twelve
File name:	7F811CD3168B50A987154EFB0A5E8543.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	785'120 bytes
First seen:	2023-06-26 12:10:18 UTC
Last seen:	2023-06-26 12:36:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	02d762f1aaf16e6c8e03fe60f0c9d48e (2 x ModiLoader, 1 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	12288:eTlUbdpW5/5o8FF2FENOeqBWJz4RC7A/tkCizoHm8gn7hQELz5dHK:eTqC/5otAqYOo8/tkCizoH9gnGEnm
Threatray	110 similar samples on MalwareBazaar
TLSH	T13EF4BFA3B6B04137C3F32E7D9842E7F9B928796129143A196EF45A087F78281783475F
TrID	51.9% (.EXE) InstallShield setup (43053/19/16) 17.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 15.7% (.SCR) Windows screen saver (13097/50/3) 5.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	e3e1e3f1d9c9dbe2 (11 x AveMariaRAT, 9 x ModiLoader, 2 x Neurevt)
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

abuse_ch

AveMariaRAT C2:
79.110.49.161:4545

Intelligence

File Origin

# of uploads :

# of downloads :

327

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7F811CD3168B50A987154EFB0A5E8543.exe

Verdict:

No threats detected

Analysis date:

2023-06-26 12:12:44 UTC

Tags:

installer

Link:

https://app.any.run/tasks/9cbd507d-ad73-42b5-a91b-eca74c35f607

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/402871/

Detection(s):

SecuriteInfo.com.Variant.Zusy.470739.26972.8721.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Network activity

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/92750/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

keylogger lolbin overlay packed

Link:

https://www.filescan.io/uploads/6499805776927ec2c0079f2d/reports/00ae764e-70e7-4a4b-8b3d-04ad5cfede68/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/1f83219e709b7a876c79306a5e0a7f1773a44e537b4223d74f2e4d2d2d805f11

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dbatloader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/41bb9512-08e4-4cb8-978f-0581c9a3fa1f

Result

Threat name:

AveMaria, DBatLoader, UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1261434

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected AveMaria stealer

Yara detected DBatLoader

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1f83219e709b7a876c79306a5e0a7f1773a44e537b4223d74f2e4d2d2d805f11/

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2023-06-25 16:55:58 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 35 (71.43%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=d6bsdhtqtn5io3dzgbvf4ct7c5z2itstpnbchv2pfzgs2lmal4iq._file

Verdict:

malicious

AveMariaRAT

463b268cd4afa5d7aada344628ece50e60ae207254032ce2ac0b510c3b8596a7

AveMariaRAT

511770fdae6585f7a8bd8cd9f77b5f214744d0ff2ed418237a2fd18434deda7e

AveMariaRAT

ee6b50f8cadc8d210bca98b2a164f66e6a48317450edf99a2c84ee2cde5a8338

AveMariaRAT

+ 100 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:modiloader family:warzonerat collection infostealer persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/230626-pck7wshf29/

Behaviour

Script User-Agent

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

ModiLoader Second Stage

Warzone RAT payload

ModiLoader, DBatLoader

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

donelpacino.ddns.net:4545

Unpacked files

SH256 hash:

d9d75897f3e27e941c6e90a6142c1c44c3a6251ddb73a6e1059a77af6eb7d02b

MD5 hash:

7df1198d0578f28bd0f6001adae0f70f

SHA1 hash:

d42d5732c12563a634127b6460506718a7d8e67f

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/18b0c9fe-578a-4333-bc49-30932af21d79/

Parent samples :

1cb71707945bdd125f22f53b0965eb2538c91aad7bffb2ff3d0c4209d6a3f11f
7cfdbb46f90befe58e3f7487c9a807328f69c223fa0fc240ce292bb7d85ef099
17be5ebb05d5ecda4b88767177423b1198ec32869d58f244a9a63f7d2133f0f1
1f83219e709b7a876c79306a5e0a7f1773a44e537b4223d74f2e4d2d2d805f11

SH256 hash:

1f83219e709b7a876c79306a5e0a7f1773a44e537b4223d74f2e4d2d2d805f11

MD5 hash:

7f811cd3168b50a987154efb0a5e8543

SHA1 hash:

842eb9054b31caf8b91b93bc4a9475a6737a95e5

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/18b0c9fe-578a-4333-bc49-30932af21d79/

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1f83219e709b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/1f83219e709b7a876c79306a5e0a7f1773a44e537b4223d74f2e4d2d2d805f11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_EXEPWSH_DLAgent Create hunting rule
Author:	ditekSHen
Description:	Detects SystemBC

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Windows_Trojan_AveMaria_31d2bce9 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/402871/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample