MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 447de9f98d9a2e15fd94809353e7489e4448a3f48aa3c8937d8dbac8ad4c11b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 447de9f98d9a2e15fd94809353e7489e4448a3f48aa3c8937d8dbac8ad4c11b2
SHA3-384 hash: f92b146eb542d1d67e5057d5f70396fe64c02aa56f4dccab7c121beb62ae64046bbda944774009d7a7630af8297349bb
SHA1 hash: 2fb8ed4fa65a8106e482613768e067dd0847cc36
MD5 hash: 300131621ccf76718104b9ba1e10b3da
humanhash: angel-blue-cold-saturn
File name:IMG_1123.JPG......................................scr
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:602'624 bytes
First seen:2023-06-14 04:53:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:aYF7XPD/BZYsxhJ5QWyLuhsw+4ZDNoNl7ODRSLLh:ai7XPDgsV6Ha+4ZS74R2d
Threatray 1'114 similar samples on MalwareBazaar
TLSH T111D4E03C26AA8B2AD83E47F910B1151457F87D5B3496EB1E4EC278CF5F72B810522A73
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 7df1f3f3dd9d1f7f (1 x AveMariaRAT)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT scr

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
IMG_1123.JPG......................................scr
Verdict:
Malicious activity
Analysis date:
2023-06-14 04:56:25 UTC
Tags:
stealer rat avemaria warzone
Link:
https://app.any.run/tasks/62c4b79b-445b-4fa0-8bf0-e142e3d5ff93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398566/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.208.22101.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/648947ed3bcfe6e1271ee744/reports/309170dc-8c10-493a-961b-df1b973ee9bd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/447de9f98d9a2e15fd94809353e7489e4448a3f48aa3c8937d8dbac8ad4c11b2
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50b43265-4605-4fa8-9483-5f166f4c4873
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1254083
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 887102 Sample: IMG_1123.JPG.................. Startdate: 14/06/2023 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 8 other signatures 2->47 7 IMG_1123.JPG......................................scr.exe 7 2->7         started        11 JThYOmTyYEzo.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\JThYOmTyYEzo.exe, PE32 7->31 dropped 33 C:\Users\...\JThYOmTyYEzo.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp2574.tmp, XML 7->35 dropped 37 IMG_1123.JPG.................scr.exe.log, ASCII 7->37 dropped 49 Uses schtasks.exe or at.exe to add and modify task schedules 7->49 51 Writes to foreign memory regions 7->51 53 Adds a directory exclusion to Windows Defender 7->53 13 RegSvcs.exe 3 6 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 59 Injects a PE file into a foreign processes 11->59 21 schtasks.exe 1 11->21         started        23 RegSvcs.exe 1 11->23         started        signatures5 process6 dnsIp7 39 1140.ninqshing.net 34.238.152.149, 1140, 49699 AMAZON-AESUS United States 13->39 61 Tries to steal Mail credentials (via file / registry access) 13->61 63 Tries to harvest and steal browser information (history, passwords, etc) 13->63 65 Increases the number of concurrent connection per server for Internet Explorer 13->65 67 2 other signatures 13->67 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        signatures8 process9
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/447de9f98d9a2e15fd94809353e7489e4448a3f48aa3c8937d8dbac8ad4c11b2/
Threat name:
Win32.Spyware.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 22:56:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ir66t6mntixbl7muqcjvhz2itzceri7urkr4re35rw5mrlkmcgza._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
1c01c5a95d637bd542273db79548f463e2821fda9c82d972050754b68c0025e2
AveMariaRAT
5004dccfea55cb7c7338390ef12adf835341473d9e850e9232aee6e7c7b6f1f6
AveMariaRAT
62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
AveMariaRAT
c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac
AveMariaRAT
f5f15c0824e07bfb0838592f6d542c1d3b236c158b23df1392b7562fb94ef1d4
AveMariaRAT
f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203
AveMariaRAT
fec53b388671f2f82fd8c743a3695f432037caffe5f2e04ea77c206809efd048
AveMariaRAT
+ 1'104 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer rat
Link:
https://tria.ge/reports/230614-fjjszadc8x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
1140.ninqshing.net:1140
Unpacked files
SH256 hash:
4127a2ccd2741a06c37322f635bb52ae6327cf75fbab9c41970667380c04c373
MD5 hash:
432d7d542f8f0c848f89b7036284e8f8
SHA1 hash:
d67566106d4f1bd7afddda98f98337988088ab1c
Link:
https://www.unpac.me/results/0bbab07f-79d0-4da9-9773-6c6c9ce3f296/
SH256 hash:
ea69cff680c47ad5eb0966803b183f71a83963202ea3a9f711db43d2e560a27d
MD5 hash:
470d862fc5dcf40816a93013bd5510e7
SHA1 hash:
9e3772b6f02bf4dacfd50be6114487e0cf27765c
Link:
https://www.unpac.me/results/0bbab07f-79d0-4da9-9773-6c6c9ce3f296/
SH256 hash:
bc328eb0e9ed41cce25d10b35e678f90b5f0363b59a48ee467b52d2dcdebb169
MD5 hash:
7fc5f29a5289b1f5d0ee1051f5dc682f
SHA1 hash:
8f9ad01cb21630756a834caef46be63c9d17d8d7
Detections:
Warzone
Create hunting rule
win_ave_maria_auto
Create hunting rule
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/0bbab07f-79d0-4da9-9773-6c6c9ce3f296/
Parent samples :
447de9f98d9a2e15fd94809353e7489e4448a3f48aa3c8937d8dbac8ad4c11b2
bc328eb0e9ed41cce25d10b35e678f90b5f0363b59a48ee467b52d2dcdebb169
SH256 hash:
9402e898a0d2df200ec288886d83f987b46e2d3cb50f0d442643ffce175b0005
MD5 hash:
63d5e12e662ddf3768b88ee7f6eb2bb5
SHA1 hash:
26d01f8a870bc645820f663b7cd105e9b14dab4a
Link:
https://www.unpac.me/results/0bbab07f-79d0-4da9-9773-6c6c9ce3f296/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/0bbab07f-79d0-4da9-9773-6c6c9ce3f296/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/0bbab07f-79d0-4da9-9773-6c6c9ce3f296/
SH256 hash:
447de9f98d9a2e15fd94809353e7489e4448a3f48aa3c8937d8dbac8ad4c11b2
MD5 hash:
300131621ccf76718104b9ba1e10b3da
SHA1 hash:
2fb8ed4fa65a8106e482613768e067dd0847cc36
Link:
https://www.unpac.me/results/0bbab07f-79d0-4da9-9773-6c6c9ce3f296/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/447de9f98d9a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/447de9f98d9a2e15fd94809353e7489e4448a3f48aa3c8937d8dbac8ad4c11b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AveMaria_31d2bce9
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/398566/

Comments