MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 326745ba0eb9019ac4d6cf06cb5667b3237fe185b096aff60d44f19ebd794340. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 326745ba0eb9019ac4d6cf06cb5667b3237fe185b096aff60d44f19ebd794340
SHA3-384 hash: 8c214c825be7e49ebc0a8d84a3b1dbf744de2f505bb9859cd01d0f4ab2b197d0432b963e22831d33a59bbc87d1f948f2
SHA1 hash: 349eabf8a48c8557a3c08e03c0daae557335db34
MD5 hash: d4d16161204b98e803d6c9fd05ba3e0c
humanhash: massachusetts-montana-five-triple
File name:INQUIRY SAMPLES 20231104.PDF.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'067'304 bytes
First seen:2023-04-11 10:27:57 UTC
Last seen:2023-04-17 05:17:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:1rA62fKzJ5qbpfEFsAIID4iyZX48qu202JybvgnPGxy9B+YOvpKNbMb1KSIE4Ali:1rA62fdj48f2JyboG3VZI+v9Z28q
Threatray 1'299 similar samples on MalwareBazaar
TLSH T15535393439FA501AB273EFA68BE4759ADA6FB7733B07A45D1051038A0723A81DDC153E
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:AveMariaRAT exe signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-04-10T23:30:25Z
Valid to:2024-04-10T23:30:25Z
Serial number: 3cee800d5bf43ac18fb0d8b5d896927e
Thumbprint Algorithm:SHA256
Thumbprint: 937ee8b19859ed18de1d98eeb7826c9e8c0daf441ed7efed29c21088ff0f8427
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
243
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
INQUIRY SAMPLES 20231104.PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-04-11 10:38:40 UTC
Tags:
stealer trojan rat avemaria warzone
Link:
https://app.any.run/tasks/cd85ab51-0500-4722-87dc-bfbe9f45a246

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381408/
Detection(s):
SecuriteInfo.com.Variant.Ser.Tedy.4263.8725.7331.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Changing a file
Creating a file
Launching cmd.exe command interpreter
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% directory
Reading critical registry keys
Enabling autorun for a service
Blocking the User Account Control
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6435363440ffb6ba5fad2a7e/reports/34c6269e-d039-4f53-8219-0a38f130cf04/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/326745ba0eb9019ac4d6cf06cb5667b3237fe185b096aff60d44f19ebd794340
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a76c85fc-0b06-4cd1-9d49-e426b2c25ca3
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1211687
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Disables UAC (registry)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected UAC Bypass using CMSTP
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/326745ba0eb9019ac4d6cf06cb5667b3237fe185b096aff60d44f19ebd794340/
Threat name:
Win64.Malware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-11 00:01:59 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
7
AV detection:
2 of 37 (5.41%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gjtuloqoxeazvrgwz4dmwvthwmrx7ymfwclk75qnityz5plzinaa._file
Verdict:
malicious
Similar samples:
37eda95e8e4f33010283becccc7313f454f1c34e28f30999f3ec643f73b68d4e
AveMariaRAT
529ebe4ffb398f3610005b26f83941e754add3685be6f8846515e105b5765fab
AveMariaRAT
6664a11aa055492bef2eb4d78c3063879dbda17e6178517f6c52d7aeaaa0112a
AveMariaRAT
930a63282cb708987359d4c68a18b8d31ce83bd112bb792ecd803556714741d6
AveMariaRAT
a4b88076b93151b45a51e3d53b71a107b64470b2276f65ebbb9297380d37f3c5
AveMariaRAT
b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4
AveMariaRAT
de4d5fe6b3744b36652a30941937268460a66533be8cdc57051e9b3b64a746b3
AveMariaRAT
ed6e2f3fdad9004e984881db746a5188169933d73c1b8f3cc5a3cf87c1263149
AveMariaRAT
+ 1'289 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection evasion infostealer persistence rat trojan
Link:
https://tria.ge/reports/230411-mhnh4abh23/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks whether UAC is enabled
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Windows security modification
Sets service image path in registry
Warzone RAT payload
UAC bypass
WarzoneRat, AveMaria
Windows security bypass
Malware Config
C2 Extraction:
panchak.duckdns.org:5050
Unpacked files
SH256 hash:
326745ba0eb9019ac4d6cf06cb5667b3237fe185b096aff60d44f19ebd794340
MD5 hash:
d4d16161204b98e803d6c9fd05ba3e0c
SHA1 hash:
349eabf8a48c8557a3c08e03c0daae557335db34
Link:
https://www.unpac.me/results/c664f021-91dc-498f-b175-94f978016843/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/326745ba0eb9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/326745ba0eb9019ac4d6cf06cb5667b3237fe185b096aff60d44f19ebd794340

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 326745ba0eb9019ac4d6cf06cb5667b3237fe185b096aff60d44f19ebd794340

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381408/

Comments