MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3971845bb66080170f9c166e1fcaf497d598dcfc5fbc380f0363711fc73e0580. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	3971845bb66080170f9c166e1fcaf497d598dcfc5fbc380f0363711fc73e0580
SHA3-384 hash:	395dcce88a00bb8d93f2e07f5e3a35e6f8c67b9722b9c490b20b523c8ef6b6fd53e688897d8bc497f253a39abf0406fc
SHA1 hash:	6f1fc19c1c796117366d744cd33998c34bab8e6f
MD5 hash:	434c581d692f438caa4dcae3d42c32d4
humanhash:	summer-high-river-king
File name:	434c581d692f438caa4dcae3d42c32d4
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	686'008 bytes
First seen:	2021-09-15 07:01:39 UTC
Last seen:	2021-09-15 08:10:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b80f4f0a086ef8167169248061f9b4a4 (4 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	12288:Y32D6sAniEeWwhvT0Xq7FZlUzi5DZ/iFXCjnx:YmYhwhvTf795Z//nx
Threatray	1'251 similar samples on MalwareBazaar
TLSH	T1C4E48C54F38182B2D62B16758C8FFAA89129BE025A21EC1F5FDA7D148F3490275F71CE
dhash icon	4cca4c67d3261aca (6 x RemcosRAT, 4 x Formbook, 2 x AveMariaRAT)
Reporter	JAMESWT_WT
Tags:	Afia Wave Enterprises Oy AveMariaRAT exe signed

Code Signing Certificate

Organisation:	Afia Wave Enterprises Oy
Issuer:	Sectigo Public Code Signing CA R36
Algorithm:	sha384WithRSAEncryption
Valid from:	2021-07-08T00:00:00Z
Valid to:	2022-07-08T23:59:59Z
Serial number:	69ad1e8b5941c93d5017b7c3fdb8e7b6
Intelligence:	53 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	999bbf99f3b3c1a894340918d8f2c6a358e7ec6299bab5d8fd6b9e7570abf929
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

434c581d692f438caa4dcae3d42c32d4

Verdict:

Malicious activity

Analysis date:

2021-09-15 07:34:39 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b7a5b357-aee0-43a2-b362-9b9d65f1d252

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/188006/

Detection(s):

SecuriteInfo.com.BackDoor.Remcos.336.11442.24838.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6175155d9a5a1e91c5d20279/reports/c4044bbc-3d83-4cfc-8579-b1cd220780f1/overview

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9b561388-cc26-4938-806e-d454a9835d39

Result

Threat name:

AveMaria UACMe

Detection:

malicious

Classification:

troj.expl

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/851419

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3971845bb66080170f9c166e1fcaf497d598dcfc5fbc380f0363711fc73e0580/

Threat name:

Win32.Backdoor.NetWiredRc

Status:

Malicious

First seen:

2021-08-31 20:18:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 45 (53.33%)

Threat level:

5/5

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

2e4256a1d7bc9f40528cded530aaf91410b3b55eff762908d7bd61cb5962e51e

AveMariaRAT

37997c1eec37f3540a10458aa1e67be3cff20ef13feea966da82ec0f99f4fbc7

AveMariaRAT

501c54e45dcff8ae57742bc1ab0ba09791a68a6345b9a84f6c92af401556af07

AveMariaRAT

5a36b6f9fe8852daabca8093de029904ab5e024426cfe3ffaeca6c14fb093501

AveMariaRAT

8ba4ad166994c100c26c0ba03030f7dd583a5ef90dca076963b8710b406f76ec

AveMariaRAT

9958131d419bbaf7b385485777f83c03f2757f2aa263fbb1280b1e64f961a164

AveMariaRAT

b2df0162081db60f8a9ee6ee0b31611c0ef96d5c272789f995e0c4d887e568cf

AveMariaRAT

+ 1'241 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer persistence rat spyware stealer

Link:

https://tria.ge/reports/210915-hts6haaae6/

Behaviour

Modifies registry key

Modifies system certificate store

Suspicious use of WriteProcessMemory

Adds Run key to start application

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Warzone RAT Payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

pentester01.duckdns.org:60976

Unpacked files

SH256 hash:

4e1202f3e7e04b0b3ca1df164bf5381f24063c142317e774d4e5d88b2b3ac744

MD5 hash:

aa23dee2c34813d67fe9c67ec784782a

SHA1 hash:

10b2e7af7cb9d6f852e6d607875a8c9613538930

Link:

https://www.unpac.me/results/25e72588-8eb0-4830-8a7f-dfac15605a71/

SH256 hash:

3971845bb66080170f9c166e1fcaf497d598dcfc5fbc380f0363711fc73e0580

MD5 hash:

434c581d692f438caa4dcae3d42c32d4

SHA1 hash:

6f1fc19c1c796117366d744cd33998c34bab8e6f

Link:

https://www.unpac.me/results/25e72588-8eb0-4830-8a7f-dfac15605a71/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3971845bb660/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3971845bb66080170f9c166e1fcaf497d598dcfc5fbc380f0363711fc73e0580

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/188006/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample