MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 384b9f64f79052db685e1c7cdbf450b861d00b0ed42808ec9b688a604b53c5d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 384b9f64f79052db685e1c7cdbf450b861d00b0ed42808ec9b688a604b53c5d2
SHA3-384 hash: efdeab64da5fa5a38a8ecf708f58a91328db779a637f091b569f265978ed4b3d3a5b568f9ed71ecd6f3e81107f407313
SHA1 hash: 814be15f0a946af240db2c88fbe38e236875879e
MD5 hash: 2a65dcb212c727a67ef77ae3943a4b2c
humanhash: iowa-monkey-paris-black
File name:SecuriteInfo.com.Variant.Tedy.216810.7319.5513
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:494'080 bytes
First seen:2022-10-04 08:18:13 UTC
Last seen:2022-10-10 06:11:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:Z8xcX6dz5Tntn0YslNkGQMRiHu+WK/kAc:ZlX6d1Ttn0dlNkGe1/kP
Threatray 4'833 similar samples on MalwareBazaar
TLSH T1E8B44C2036A66249CC560F71193681D947793D2B7E38C24D34AEB58EFB73A2347337A6
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter SecuriteInfoCom
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316378/
Detection(s):
SecuriteInfo.com.Variant.Tedy.216810.7319.5513.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Searching for the window
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/633bec765c60ccc9fcff2d19/reports/b25e2c2c-e6d3-4904-8462-a192725c57df/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3a349df5-0812-4864-8763-5d9e89f7ed6e
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083054
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found evasive API chain checking for user administrative privileges
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/384b9f64f79052db685e1c7cdbf450b861d00b0ed42808ec9b688a604b53c5d2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-04 04:49:17 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
16
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hbfz6zhxsbjnw2c6dr6nx5cqxbq5acyo2quar3e3ncfgas2tyxja._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
1d368cab5447757738b62e47b109e05df74e206884c14572ff5179be1b02d4ef
AveMariaRAT
288aaf8f0ada25a39dc9cbdec687dbd0c79cdc9d61f748427523ed86a91bc143
AveMariaRAT
52e2c9a43a9de0685055f60bd590f2f893882ad710f3b7e8c451985eea69ec07
AveMariaRAT
5c114dfbb27e8ec7ee83a8d8587cf5b179b7bfb68685e52fb9d5314195b6fbd1
AveMariaRAT
86eaa1914e20f44397eefb399da3f9b35b10c06c1fadf5f8d8877f4e24c27227
AveMariaRAT
9d1f73dc28e7c2ae89a87fb4178a025f06466530de42f2de2015538f06866f60
AveMariaRAT
9e2a3d4464636baff78628d870f39d1a9f3ba23da71f8c50ead2576479077702
AveMariaRAT
dbdfbca2dcc01a530cd7c449500dc0f6b564c11f9ed9dc8d746709a235d6826f
AveMariaRAT
+ 4'823 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/221004-j7tvmaacf2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
20.126.95.155:7800
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7a2c026e-3e62-4c2f-b707-21e15ea9f036
Unpacked files
SH256 hash:
384b9f64f79052db685e1c7cdbf450b861d00b0ed42808ec9b688a604b53c5d2
MD5 hash:
2a65dcb212c727a67ef77ae3943a4b2c
SHA1 hash:
814be15f0a946af240db2c88fbe38e236875879e
Link:
https://www.unpac.me/results/9033fa18-a154-49a2-8ff8-00e530a8e818/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/384b9f64f790/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/384b9f64f79052db685e1c7cdbf450b861d00b0ed42808ec9b688a604b53c5d2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316378/

Comments