MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fe35b6261f34b2c8d291ea332bd90a1529540e9ca3d4d86f543f4575b626fd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1fe35b6261f34b2c8d291ea332bd90a1529540e9ca3d4d86f543f4575b626fd3
SHA3-384 hash: cd80e9e45610b4acb37f3c43e0e6d11edba598df9685be1d60e6ec279d48e958724662e74d0a4f3e51c5046c3feac8e6
SHA1 hash: 8f71451ffff8e642bffd96dabb0333652416fc27
MD5 hash: e573a0885812fd76bfc487a6d22742d9
humanhash: december-oregon-gee-mockingbird
File name:Cargo Doc.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:843'264 bytes
First seen:2022-02-21 18:54:11 UTC
Last seen:2022-02-21 20:34:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:NLbKby0chFFQWNX+zDAcGGQgsmOmMC4KaqZmcVGkOs9jOtbrPohZ3:obHchFjc0mvMkaqZmOGkebrSZ3
Threatray 2'610 similar samples on MalwareBazaar
TLSH T12405584EE8B3C0EAE6B549F91EFC9A209EF79DDE1810D5F937C13AC2233160059D91A5
File icon (PE):PE icon
dhash icon 00ccf0f0f0f0c800 (7 x SnakeKeylogger, 1 x AveMariaRAT)
Reporter GovCERT_CH
Tags:AveMariaRAT exe WarzoneRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RDPWrap
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243031/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44053.15574.12517.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6213dfdaa2660f3bb91d8a63/reports/de935faf-8788-44ea-8367-fdb3f5f92a29/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14c5696f-7c9d-4041-b22d-b491811fd384
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/943439
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 575917 Sample: Cargo Doc.exe Startdate: 21/02/2022 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 16 other signatures 2->41 7 Cargo Doc.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\pEZJBtxvaAe.exe, PE32 7->23 dropped 25 C:\Users\...\pEZJBtxvaAe.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp55EA.tmp, XML 7->27 dropped 29 C:\Users\user\AppData\...\Cargo Doc.exe.log, ASCII 7->29 dropped 43 Writes to foreign memory regions 7->43 45 Allocates memory in foreign processes 7->45 47 Adds a directory exclusion to Windows Defender 7->47 49 Injects a PE file into a foreign processes 7->49 11 RegSvcs.exe 3 2 7->11         started        15 powershell.exe 23 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 136.144.41.180, 49762, 5200 WORLDSTREAMNL Netherlands 11->31 51 Contains functionality to inject threads in other processes 11->51 53 Contains functionality to steal Chrome passwords or cookies 11->53 55 Contains functionality to steal e-mail passwords 11->55 57 3 other signatures 11->57 33 192.168.2.1 unknown unknown 15->33 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1fe35b6261f34b2c8d291ea332bd90a1529540e9ca3d4d86f543f4575b626fd3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-21 18:55:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d7rvwytb6nfszdjjd2rtfpmqufjjkqhjzi6u3bxvip2fow3cn7jq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
05e84562001d02e9ef09ef20c37104dc784e7c6e32d101d2e9b73ccee25c39c4
AveMariaRAT
0758171eb92e029d38cef3237e2cdd899827cdeeb3386761933254981b707809
AveMariaRAT
09acaed1582d4f3da067862bc15fb60d54d8e65c2a64bd2432d354941daf716f
AveMariaRAT
4fd5308871e64c013989aa09faee94095127770aee308b8f73fdfeac61accde0
AveMariaRAT
541edd0b23eb209ff5c4dba556e429099a86e6aa2d1ac57213dffb43bc5d0f2a
AveMariaRAT
80fa88690cc6490e1eb7f735ff4421fc5f813505d41987747ac4c5a9e268272d
AveMariaRAT
abc5f306aae4ed8a42216e5b16b14b312eac674877724fe3b9beb56b8e6cfb47
AveMariaRAT
b8792eb1beaba9a56b5263992d4c4df57ed1598d45dd86ea4f864aaa40c6be74
AveMariaRAT
c16e26e9b8d56c149eccfbc4f160694b3bbe8e21b38c2c1df62aa426f7f190de
AveMariaRAT
e41578bc2d18e9eb7359e062697ecdf2ea32afc0bcbbece876b3b75b406eb619
AveMariaRAT
+ 2'600 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/220221-xkts1aage4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
136.144.41.180:5200
Unpacked files
SH256 hash:
6a83e40451c253d10367f67fd9bc543aa385a6462de63c5bcbf7c4a57d7e198f
MD5 hash:
5467b7e9917d1d859b5ac765aae60ebe
SHA1 hash:
7f27a9c62b3c53d72424b1a3f638b9fc4ed3ec50
Link:
https://www.unpac.me/results/6faf5ea7-f1a3-4497-b643-03520f2e02a4/
SH256 hash:
e33254e2ad4d279914a29450f98d1750a9f513fc8ddb853e0dd8346b805faa43
MD5 hash:
b597cce7bfc65e56fa69ebb7f413a33f
SHA1 hash:
7ee40df5ac783432e7c9f7be4f7ed1f286345d58
Link:
https://www.unpac.me/results/6faf5ea7-f1a3-4497-b643-03520f2e02a4/
SH256 hash:
1fe35b6261f34b2c8d291ea332bd90a1529540e9ca3d4d86f543f4575b626fd3
MD5 hash:
e573a0885812fd76bfc487a6d22742d9
SHA1 hash:
8f71451ffff8e642bffd96dabb0333652416fc27
Link:
https://www.unpac.me/results/6faf5ea7-f1a3-4497-b643-03520f2e02a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1fe35b6261f34b2c8d291ea332bd90a1529540e9ca3d4d86f543f4575b626fd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 1fe35b6261f34b2c8d291ea332bd90a1529540e9ca3d4d86f543f4575b626fd3

(this sample)

  
Dropped by
warzonerat
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/243031/

Comments