MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2abb40e1c44d49d21b659a40add389d70784b4315ef528e80ec1962cda1a1a97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	2abb40e1c44d49d21b659a40add389d70784b4315ef528e80ec1962cda1a1a97
SHA3-384 hash:	a54246c0c76e161c46b274b56d8417c213e1564e9cd88387a979827c5762fe937ed1522077ab8425a6d2685334ae8204
SHA1 hash:	5e365148ed86b44d815fd95eff049aa5adc7e24f
MD5 hash:	2286fb47f9c9937bb12f8fe94fe003cb
humanhash:	carpet-mars-july-east
File name:	SecuriteInfo.com.W32.MSIL_Agent.CLA.genEldorado.11059.17703
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	7'168 bytes
First seen:	2022-04-20 14:43:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	96:q3/QgnMffdgTb4HNuwlmeoA6BEgDVIAmW4GMDz3iALzNt:snMXdg4tuXeoLBj5IAmMM/bN
Threatray	3'487 similar samples on MalwareBazaar
TLSH	T19EE1F911DBD85732EEAA0E3278639380C234E3116C93D76F3988516BBD532D919B27A9
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

257

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/265169/

Detection(s):

SecuriteInfo.com.W32.MSIL_Agent.CLA.genEldorado.11059.17703.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% directory

Reading critical registry keys

Creating a file in the %temp% directory

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/62601bf8482f2f41cad9ca94/reports/83d9c21a-b980-41dc-add7-efe81057960a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Love You Malspam

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3ed25faa-3cc5-4ec3-8ea2-9ae5d1875e11

Result

Threat name:

AveMaria UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/979707

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Injects a PE file into a foreign processes

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2abb40e1c44d49d21b659a40add389d70784b4315ef528e80ec1962cda1a1a97/

Threat name:

ByteCode-MSIL.Spyware.AveMaria

Status:

Malicious

First seen:

2022-04-19 11:58:39 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fk5ubyoejve5eg3ftjak3u4j24dyjnbrl32sr2aoyglczwq2dklq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

09acaed1582d4f3da067862bc15fb60d54d8e65c2a64bd2432d354941daf716f

AveMariaRAT

0fa46517fa64c2d4aab6c75f3bdb210f1736947b81a4ff6b934085af88be129e

AveMariaRAT

4fd5308871e64c013989aa09faee94095127770aee308b8f73fdfeac61accde0

AveMariaRAT

50f014eb139c831542b16fd7a1439e4a33c77f34e5373062cbe66911056e7001

AveMariaRAT

541edd0b23eb209ff5c4dba556e429099a86e6aa2d1ac57213dffb43bc5d0f2a

AveMariaRAT

6a388696745c133ba5ea711f6413c3c10c082df2d70ca70b2f015c5f83c53c75

AveMariaRAT

c16e26e9b8d56c149eccfbc4f160694b3bbe8e21b38c2c1df62aa426f7f190de

AveMariaRAT

f43ec67b5158f58273a216cbc49003c55b8f0e6316a3390823348924e38507be

AveMariaRAT

+ 3'477 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer rat

Link:

https://tria.ge/reports/220420-r3lmfsdgg6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Warzone RAT Payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

84.38.132.36:5200

Unpacked files

SH256 hash:

2abb40e1c44d49d21b659a40add389d70784b4315ef528e80ec1962cda1a1a97

MD5 hash:

2286fb47f9c9937bb12f8fe94fe003cb

SHA1 hash:

5e365148ed86b44d815fd95eff049aa5adc7e24f

Link:

https://www.unpac.me/results/34209266-3613-4543-98c0-0ede17e90879/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2abb40e1c44d49d21b659a40add389d70784b4315ef528e80ec1962cda1a1a97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/265169/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample