MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 430af6efaf235407de033571f6b459e9f3af6d9ea67a0febe1829c86af5dceb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 430af6efaf235407de033571f6b459e9f3af6d9ea67a0febe1829c86af5dceb0
SHA3-384 hash: 2b6197d6baf5636325fd965f018ca6a79cadb2f62a89381bca5244949041b2f68b7899b412d63b5635d7316c35a4e24c
SHA1 hash: 9928c00afdb391518123911181af30bf054cf56c
MD5 hash: 9a8aed85e68f62b931e430cdf467d84a
humanhash: mobile-johnny-nebraska-william
File name:Revised Enquiry.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:812'034 bytes
First seen:2022-11-22 08:50:22 UTC
Last seen:2022-11-22 10:34:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5e4f4986e13f6caa92e648bff9c67e88 (2 x ModiLoader, 1 x AveMariaRAT, 1 x NetWire)
ssdeep 12288:VV2cbnbazcd5JluSVVvkYhrN+k3t+kXPqTdTB2O4rwSMpxwhxStY5:V4cnOcd53uSVVJRsk3QWq5oOqLM2xS+5
TLSH T15D05AEA3E2E09673F025157AAE2F4B9E653A7E213D24FC6612F43C4DAE3D281341E157
TrID 40.4% (.EXE) InstallShield setup (43053/19/16)
13.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
12.3% (.SCR) Windows screen saver (13097/50/3)
9.8% (.EXE) Win64 Executable (generic) (10523/12/4)
9.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
File icon (PE):PE icon
dhash icon 903cec8cb2929e69 (4 x ModiLoader, 1 x Formbook, 1 x AveMariaRAT)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
AveMariaRAT C2:
37.0.14.195:8585

Intelligence

File Origin
# of uploads :
2
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Revised Enquiry.exe
Verdict:
Malicious activity
Analysis date:
2022-11-22 08:52:41 UTC
Tags:
installer
Link:
https://app.any.run/tasks/8dc5d089-7c7b-472b-a2e6-fbdec898f86e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337113/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.16980.24943.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
evasive keylogger overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/637c8d77903ba0eaf36cfa0a/reports/09793c95-f27a-4f3f-9bdc-e753d1a87ded/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa03886e-af92-4000-8feb-2e78612a3eba
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1118743
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 751455 Sample: Revised Enquiry.exe Startdate: 22/11/2022 Architecture: WINDOWS Score: 100 88 Snort IDS alert for network traffic 2->88 90 Multi AV Scanner detection for domain / URL 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 9 other signatures 2->94 10 Revised Enquiry.exe 1 11 2->10         started        14 Pdlrkiim.exe 2->14         started        process3 file4 50 C:\Users\Public\Libraries\netutils.dll, PE32+ 10->50 dropped 52 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 10->52 dropped 54 C:\Users\Public\Libraries\Pdlrkiim.exe, PE32 10->54 dropped 56 2 other malicious files 10->56 dropped 100 Writes to foreign memory regions 10->100 102 Allocates memory in foreign processes 10->102 104 Creates a thread in another existing process (thread injection) 10->104 106 Injects a PE file into a foreign processes 10->106 16 cmd.exe 3 10->16         started        19 cmd.exe 1 10->19         started        21 colorcpl.exe 10->21         started        108 Machine Learning detection for dropped file 14->108 24 colorcpl.exe 14->24         started        signatures5 process6 dnsIp7 74 Uses ping.exe to sleep 16->74 76 Drops executables to the windows directory (C:\Windows) and starts them 16->76 26 easinvoker.exe 16->26         started        28 PING.EXE 1 16->28         started        31 xcopy.exe 2 16->31         started        38 6 other processes 16->38 78 Suspicious powershell command line found 19->78 80 Bypasses PowerShell execution policy 19->80 82 Uses ping.exe to check the status of other devices and networks 19->82 34 powershell.exe 15 17 19->34         started        36 conhost.exe 19->36         started        64 victorycolum.ddns.net 37.0.14.195, 49698, 8585 WKD-ASIE Netherlands 21->64 84 Increases the number of concurrent connection per server for Internet Explorer 21->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->86 signatures8 process9 dnsIp10 40 cmd.exe 1 26->40         started        66 127.0.0.1 unknown unknown 28->66 58 C:\Windows \System32\easinvoker.exe, PE32+ 31->58 dropped 68 googlehosted.l.googleusercontent.com 172.217.168.1, 443, 49697 GOOGLEUS United States 34->68 70 drive.google.com 172.217.168.46, 443, 49696 GOOGLEUS United States 34->70 72 doc-04-4g-docs.googleusercontent.com 34->72 60 C:\Users\Public\Libraries\png, data 34->60 dropped 62 C:\Windows \System32\netutils.dll, PE32+ 38->62 dropped file11 process12 signatures13 96 Suspicious powershell command line found 40->96 98 Adds a directory exclusion to Windows Defender 40->98 43 powershell.exe 23 40->43         started        46 conhost.exe 40->46         started        process14 signatures15 110 DLL side loading technique detected 43->110 48 conhost.exe 43->48         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/430af6efaf235407de033571f6b459e9f3af6d9ea67a0febe1829c86af5dceb0/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 08:51:10 UTC
File Type:
PE (Exe)
Extracted files:
97
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=imfpn35penkapxqdgvy7nncz5hz263m6uz5a727bqkoinl25z2ya._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/221122-kr54dsbc7s/
Behaviour
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Blocklisted process makes network request
Executes dropped EXE
ModiLoader Second Stage
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
victorycolum.ddns.net:8585
Dropper Extraction:
https://drive.google.com/uc?export=download&id=1VYeqnIRBP80Vu3udEWt23pq_2mnbwUeG
Unpacked files
SH256 hash:
2a6f9a095ecd97783727b0097e33961315ff90fd49b21404c4312e549b2fa821
MD5 hash:
76bf3e46049e4821d8352c89ffa55a06
SHA1 hash:
d0cea01177b743d8fe8241ea2afe256ce415a9cd
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/235e3922-dd21-4049-ad60-b8b9c246e1d8/
Parent samples :
d11933411093e586653221106dbd02ee574044b4ca7f1bf9d91c6c558b00acdd
3ed398f02316edd3a2fd9afad8b4748f4b056ab659a8f22a8f4bbec361e9d19c
0d6eb762b7de41274a26d00d166f1798525cc0d7d54180e251cbc2449a5f9391
63816bb5d6e665cefcfaeef55c8978de75d972e2e710830d23b809f7ccc81cb1
430af6efaf235407de033571f6b459e9f3af6d9ea67a0febe1829c86af5dceb0
4c3341068aef37525b30ce34fe17e6e28b77237c248fc5ac3953d8e5bd521493
c410af32a481222f15dd9babe626182317e7d76d603d2eb001cccd213a258873
83935adb12e30326b0a1e7c5e835032e0d6814704f199ba2cc486b21d64d21d2
85465b3e86e0e4a460fcf28729773f52de6777db71890ead00e4bee867a3e3ec
23473106e8e2e1add3756ee0e4101095710b9663791f57e026e08f99218077ff
4c9ca0c4c5eb0311f24580bebc70d9332644c0fa063f76f0c0bc76c61509c989
4b6cc04ec52357c0483d142018e4bd0535581912d5cb2b12e34dd71ed3f43dd0
SH256 hash:
430af6efaf235407de033571f6b459e9f3af6d9ea67a0febe1829c86af5dceb0
MD5 hash:
9a8aed85e68f62b931e430cdf467d84a
SHA1 hash:
9928c00afdb391518123911181af30bf054cf56c
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/235e3922-dd21-4049-ad60-b8b9c246e1d8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/430af6efaf23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/430af6efaf235407de033571f6b459e9f3af6d9ea67a0febe1829c86af5dceb0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/337113/

Comments