MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 291e48a84fe8aa0fd59df0a786b8a61c5f57a8850cc620afdf3873487f4704d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 291e48a84fe8aa0fd59df0a786b8a61c5f57a8850cc620afdf3873487f4704d0
SHA3-384 hash: e0d63d31d0ae3153bdb9931aeac165c34d93cc7409fdf15c20a83d30614b32d23ed9b2124808453c117db2638f9116b0
SHA1 hash: 34be3a169fb11e0b26ab36d1a2acbab537a6f4a0
MD5 hash: a6960e8e123608442081a9d87ea46c2b
humanhash: stream-nine-hydrogen-december
File name:a6960e8e123608442081a9d87ea46c2b
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:964'096 bytes
First seen:2022-02-25 07:04:01 UTC
Last seen:2022-02-25 09:07:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:s072w6q5fH6kntO2l8pEzcyUkgxl99fu1:1p6q5v6utObmcyUkgx3
Threatray 6'844 similar samples on MalwareBazaar
TLSH T16125121023E8CA0AD2BF9BF5C4760A119735F917E423E79F0A85A0ED2D73311AE06767
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RDPWrap
Create hunting rule
Link:
https://www.capesandbox.com/analysis/244625/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39070016.23321.21221.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Adding an access-denied ACE
Launching a process
Сreating synchronization primitives
Creating a file
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/62187f6ddfdfa8501c5901f5/reports/c50804b5-eb8b-43a0-b463-d32b0334320e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3be04fdf-1c44-41d5-92db-e662d9b43b31
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/946244
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Process Patterns
Sigma detected: Suspicious Remote Thread Created
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected UAC Bypass using CMSTP
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/291e48a84fe8aa0fd59df0a786b8a61c5f57a8850cc620afdf3873487f4704d0/
Threat name:
ByteCode-MSIL.Backdoor.WarzoneRAT
Create hunting rule
Status:
Malicious
First seen:
2022-02-24 20:22:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=feperkcp5cva7vm56ctynofgdrpvpkefbtdcbl67hbzuq72hatia._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
09acaed1582d4f3da067862bc15fb60d54d8e65c2a64bd2432d354941daf716f
AveMariaRAT
1e0b33518be1cc3fe076bee2172cbafa46dd07308c7caff22089cbef64201988
AveMariaRAT
48fc2a2b117078759fb794cccdc9ed738006f81ee44bf4fff209b55667186bcd
AveMariaRAT
541edd0b23eb209ff5c4dba556e429099a86e6aa2d1ac57213dffb43bc5d0f2a
AveMariaRAT
77e52baf34129234cd5ed5355f3dc8510e11b5bc9f91a61a98517f7ecd9d47d0
AveMariaRAT
885ccbb351bc8b6d463201afb558fabe763c536a5853ef762db311b5e0c8e50f
AveMariaRAT
9f757d2f4f32c2a275ece72412fa3b1b55d9cab054d3f38175092a609cca78ba
AveMariaRAT
+ 6'834 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/220225-hvysdafdc4/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
152.67.253.163:5300
Unpacked files
SH256 hash:
401ff45cc53b9f3117d772b71905168c1c50fdd38a1a49fa683da4c3a667288c
MD5 hash:
6190c07c5acc1abdba5d2297be95998b
SHA1 hash:
08f3fa5fd97b7953b097181b504b2b45687b54bb
Link:
https://www.unpac.me/results/948b5fb5-8a1b-463c-a09d-6c7746aba364/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/948b5fb5-8a1b-463c-a09d-6c7746aba364/
SH256 hash:
291e48a84fe8aa0fd59df0a786b8a61c5f57a8850cc620afdf3873487f4704d0
MD5 hash:
a6960e8e123608442081a9d87ea46c2b
SHA1 hash:
34be3a169fb11e0b26ab36d1a2acbab537a6f4a0
Link:
https://www.unpac.me/results/948b5fb5-8a1b-463c-a09d-6c7746aba364/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/291e48a84fe8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/291e48a84fe8aa0fd59df0a786b8a61c5f57a8850cc620afdf3873487f4704d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:pe_imphash
Create hunting rule
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 291e48a84fe8aa0fd59df0a786b8a61c5f57a8850cc620afdf3873487f4704d0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2059383/
Cape
Cape
https://www.capesandbox.com/analysis/244625/

Comments


Avatar
zbet commented on 2022-02-25 07:04:02 UTC

url : hxxp://52.161.2.12/rmr/photos.exe