MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 284fe4243b097f48a25331d564e74fa79e02664470092dd6491e20e00c578a1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 284fe4243b097f48a25331d564e74fa79e02664470092dd6491e20e00c578a1f
SHA3-384 hash: 54b4e80da0c7fbc4a56676b76f8a6387779a88198a2548520b092c716ef297a3fc910c22ee15b55600a85eb9d92e87d3
SHA1 hash: 2173914f7bef61424c71905d41fbc5484aa09281
MD5 hash: 2c088bc2980ba15e3500f929a7d13019
humanhash: ohio-low-eighteen-happy
File name:2c088bc2980ba15e3500f929a7d13019
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:100'352 bytes
First seen:2021-08-14 17:10:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76aafdc988ade2ab3db3b02fa4c6d00 (26 x AveMariaRAT, 1 x njrat, 1 x NanoCore)
ssdeep 1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEyp:AtD6jSm0uWRfCogTjVEG
Threatray 1'072 similar samples on MalwareBazaar
TLSH T169A39D2377D1483DF67502B02ABCBE7A97FEB9750321895FA36811836E72548E926343
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2c088bc2980ba15e3500f929a7d13019
Verdict:
No threats detected
Analysis date:
2021-08-14 17:12:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/91ff568e-4523-4a5f-866b-928aa9619868

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179271/
Detection(s):
Win.Malware.Sllg-9774396-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a3d232b-a0ca-466e-b0e7-ae4aca07ef18
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832956
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found malware configuration
Increases the number of concurrent connection per server for Internet Explorer
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/284fe4243b097f48a25331d564e74fa79e02664470092dd6491e20e00c578a1f/
Threat name:
Win32.Trojan.WarzoneRAT
Create hunting rule
Status:
Malicious
First seen:
2021-08-14 16:35:19 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fbh6ijb3bf7uristghkwjz2pu6paezseoaes3vsjdyqoadcxripq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
1e0cc4051f5ea6cb75b0df551bc5be60abc54ca51cd1611dc760aa245a0055dd
AveMariaRAT
3b84ae0d295425279c7636ff3de98950d1f6ebf935b79a23049842d85c9d905c
AveMariaRAT
4467e78c9356062cd52d9d9da5dee3329558749d764ef8c72c14977ae65d139e
AveMariaRAT
5e74989efa96ead9311c5927e6f6a2be657a418de923461ec520d09aeaee970a
AveMariaRAT
6c08295f40c3b798331023edf5166fc3dc159f120eaf02db0991f6d682c7df13
AveMariaRAT
788fb7921aa27add6ee4a6e7927c8475236eb9cf82faef193c4d113b8da886c0
AveMariaRAT
b01d0e871f96ddcf4df2358b7a452c488d628829d14d5ede0a58243cdd1dbdc7
AveMariaRAT
bcf2e22757bf6abba668fcc0c627beb1d6e0c22491cdc723ebd5c55c90640e40
AveMariaRAT
f1b5c3f7c1ee438590757e114f1c379f6c3d5fc7b349cad583976106737beb61
AveMariaRAT
f3f654a41d57053362f7306f9a432c1341cbd57dce82f0940108a73917a8a934
AveMariaRAT
+ 1'062 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/210814-v2v71nb7ex/
Behaviour
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
127.0.0.1:5200
Unpacked files
SH256 hash:
284fe4243b097f48a25331d564e74fa79e02664470092dd6491e20e00c578a1f
MD5 hash:
2c088bc2980ba15e3500f929a7d13019
SHA1 hash:
2173914f7bef61424c71905d41fbc5484aa09281
Detections:
win_ave_maria_auto
Create hunting rule
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/7e33ec22-70f4-4ce1-93f4-e9b915648c0a/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/284fe4243b09/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/284fe4243b097f48a25331d564e74fa79e02664470092dd6491e20e00c578a1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 284fe4243b097f48a25331d564e74fa79e02664470092dd6491e20e00c578a1f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1534153/
Cape
Cape
https://www.capesandbox.com/analysis/179271/

Comments


Avatar
zbet commented on 2021-08-14 17:10:53 UTC

url : hxxp://135.125.172.201/warzone.exe