MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22b7dde7f4c3f4329aba183decf69504b78120f893260df14cd91ba56cd63bff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 17 File information Comments 1

SHA256 hash:	22b7dde7f4c3f4329aba183decf69504b78120f893260df14cd91ba56cd63bff
SHA3-384 hash:	2aaac27b50846d392e8a59c263c98f93f419dcee202d186f47e156a58f259a5eae90242eeaa47ccf93ee7e8d1909b0c1
SHA1 hash:	35b2323fa57a7ff6e4ce86522f89ebb70d4cdb17
MD5 hash:	b58b3851ff86785ae8bca735976cd54e
humanhash:	hot-missouri-oregon-golf
File name:	b58b3851ff86785ae8bca735976cd54e
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	135'168 bytes
First seen:	2022-07-20 19:47:00 UTC
Last seen:	2022-07-22 11:05:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ef804870e7f7c9feae20101fdf049fe7 (15 x AveMariaRAT)
ssdeep	3072:5sAEZmjIxrUObrt/CRkQE2hB8qWjJ+oCz4bVVLTPmU:52YIhrrtqvoTCzgTLTPmU
Threatray	2'216 similar samples on MalwareBazaar
TLSH	T158D38D23BBF74436F6F206B02DB87E6597ADFA300625C59BA3944546AC32C44FD26353
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	zbetcheckin
Tags:	32 AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

313

Origin country :

n/a

Vendor Threat Intelligence

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/293005/

Detection(s):

Win.Malware.AveMaria-8799014-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/26879/overview

Behaviour

MalwareBazaar

CheckCmdLine

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AVE_MARIA

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b511d6e9-f9ba-4a10-a5a7-44e7604fbe27

Result

Threat name:

AveMaria, UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1037904

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22b7dde7f4c3f4329aba183decf69504b78120f893260df14cd91ba56cd63bff/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2022-07-20 19:47:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ek353z7uyp2dfgv2da66z5uvas3ycihysmta34km3en2k3gwhp7q._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

0c78222c8ba928915a4daa3332b2bf6129e243676c9de511332e95caa14c573d

AveMariaRAT

28b7b46f61a94073b0d77b148830eabfcec7345aa69d0cb0a48d5752c82720dd

AveMariaRAT

4782eddb9ab8bac26615543aab44d368e333862217eaa8408181a4e565997d54

AveMariaRAT

4b4f618f12ac211ecbabd1e40da2da32137a3d73f09d1e87b837cd77311e581e

AveMariaRAT

5bda1600f24476d9b8848116b25f02097f698d828940a02263ba3d5d4f924dd1

AveMariaRAT

5e284f5f5230d28a867b1bf55a2c710c2794b60105f0009f42ca3d330020a45a

AveMariaRAT

82cdb1c3b2df16088518f6524b3966c2678bc33cc8f3e887868de775633f0edd

AveMariaRAT

bd6e789f312094e2d4a5caf66739fc0dda356a5c6c15603a6f73cab7a9f73366

AveMariaRAT

e693a994119d8f95c2a52ccdf683bcc9b3974c99f2719f98d88d27204be5e69b

AveMariaRAT

+ 2'206 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer rat

Link:

https://tria.ge/reports/220720-yhhtdshffk/

Behaviour

WarzoneRat, AveMaria

Unpacked files

SH256 hash:

22b7dde7f4c3f4329aba183decf69504b78120f893260df14cd91ba56cd63bff

MD5 hash:

b58b3851ff86785ae8bca735976cd54e

SHA1 hash:

35b2323fa57a7ff6e4ce86522f89ebb70d4cdb17

Detections:

win_ave_maria_g0

Link:

https://www.unpac.me/results/e3b2160c-0008-4ec8-92fd-159f62bd4adc/

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/22b7dde7f4c3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/22b7dde7f4c3f4329aba183decf69504b78120f893260df14cd91ba56cd63bff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2_RID2C2E Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_EXEPWSH_DLAgent Create hunting rule
Author:	ditekSHen
Description:	Detects SystemBC

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap