MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26d7f04fcb2c0eab9bb99149132bab34b093c79b2cf6227915181bda6e27f2a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26d7f04fcb2c0eab9bb99149132bab34b093c79b2cf6227915181bda6e27f2a6
SHA3-384 hash: 93b954e842c7a83f9f4e8f3f1fd2aeb6cdd902a9e950673c0546e9d69b87ab0264fb4b09ee8f6553b6e9573127f66d1f
SHA1 hash: 3974d241458d21f80cd0897ff8ad31d7fe8319c9
MD5 hash: 744499eec5ea528d6cb43d406f0525bc
humanhash: aspen-high-zebra-speaker
File name:SecuriteInfo.com.Suspicious.Win32.Save.a.13004.31522
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:294'400 bytes
First seen:2022-06-01 21:37:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:kE3kbqr1lbn3nmk5iRAEAZikgADvoVJVt:kE3jLcRAfi+o
Threatray 2'018 similar samples on MalwareBazaar
TLSH T18754F105B3D44D9BE5E679761CD9A2B82278B6A73846C303608C1B0BFD613DE5F0BC5A
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 3af2d2f2faeaf084 (5 x Formbook, 3 x AveMariaRAT, 1 x AgentTesla)
Reporter SecuriteInfoCom
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
356
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Suspicious.Win32.Save.a.13004.31522
Verdict:
No threats detected
Analysis date:
2022-06-01 21:38:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2284811d-fc27-4d24-a221-1be5b2e1df01

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/276181/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.13004.31522.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% directory
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Creating a process from a recently created file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/40771597-2f01-4992-b80d-65f1b1fd599b
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1005377
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 637873 Sample: SecuriteInfo.com.Suspicious... Startdate: 01/06/2022 Architecture: WINDOWS Score: 100 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected UACMe UAC Bypass tool 2->66 68 3 other signatures 2->68 7 SecuriteInfo.com.Suspicious.Win32.Save.a.13004.exe 4 2->7         started        11 Microsoft.exe 4 2->11         started        13 Microsoft.exe 3 2->13         started        process3 file4 54 SecuriteInfo.com.S...ave.a.13004.exe.log, ASCII 7->54 dropped 72 Writes to foreign memory regions 7->72 74 Allocates memory in foreign processes 7->74 76 Injects a PE file into a foreign processes 7->76 15 cmd.exe 3 7->15         started        18 cmd.exe 1 7->18         started        21 vbc.exe 7->21         started        78 Multi AV Scanner detection for dropped file 11->78 80 Machine Learning detection for dropped file 11->80 23 cmd.exe 1 11->23         started        25 vbc.exe 11->25         started        27 cmd.exe 1 11->27         started        29 cmd.exe 13->29         started        31 vbc.exe 13->31         started        33 cmd.exe 13->33         started        signatures5 process6 file7 56 C:\Users\user\AppData\Roaming\Microsoft.exe, PE32+ 15->56 dropped 58 C:\Users\...\Microsoft.exe:Zone.Identifier, ASCII 15->58 dropped 35 conhost.exe 15->35         started        70 Uses schtasks.exe or at.exe to add and modify task schedules 18->70 37 conhost.exe 18->37         started        50 3 other processes 18->50 39 WerFault.exe 23 9 21->39         started        52 2 other processes 23->52 41 WerFault.exe 2 9 25->41         started        44 conhost.exe 27->44         started        46 conhost.exe 29->46         started        48 WerFault.exe 31->48         started        signatures8 process9 dnsIp10 60 192.168.2.1 unknown unknown 41->60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26d7f04fcb2c0eab9bb99149132bab34b093c79b2cf6227915181bda6e27f2a6/
Threat name:
ByteCode-MSIL.Trojan.MortyStealer
Create hunting rule
Status:
Malicious
First seen:
2022-06-01 21:38:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
12
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e3l7at6lfqhkxg5zsfergk5lgsyjhr43ft3ce6ivdan5u3rh6kta._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
26d7f04fcb2c0eab9bb99149132bab34b093c79b2cf6227915181bda6e27f2a6
AveMariaRAT
547a73effa2789bdb7c8d66e020e0ec86974de321362e97319be1e6d3fdaf8d2
AveMariaRAT
a1b36c729b1d2dbc3b47d9359285ab2dcc2e0f66c4ed4c0f17dcf4c59ec54e02
AveMariaRAT
afb1a334bcaede92d0245fe29bdddada3662e3490fd52baab981697e8fe96857
AveMariaRAT
e964a10af1e43365b03fbc73be9eb905bd14df40398ea17090b870a5f01c6962
AveMariaRAT
fcf711ee50b22ac9cbe69c1a55a8384c187003c6c536ea70645c7156fd9bd887
AveMariaRAT
+ 2'008 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer rat
Link:
https://tria.ge/reports/220601-1g2afsfcbl/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
Warzone RAT Payload
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
26d7f04fcb2c0eab9bb99149132bab34b093c79b2cf6227915181bda6e27f2a6
MD5 hash:
744499eec5ea528d6cb43d406f0525bc
SHA1 hash:
3974d241458d21f80cd0897ff8ad31d7fe8319c9
Link:
https://www.unpac.me/results/1ebba77f-b3d1-4dc9-8aa9-889d87a96181/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/26d7f04fcb2c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26d7f04fcb2c0eab9bb99149132bab34b093c79b2cf6227915181bda6e27f2a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2_RID2C2E
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/276181/

Comments