MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 463b268cd4afa5d7aada344628ece50e60ae207254032ce2ac0b510c3b8596a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 463b268cd4afa5d7aada344628ece50e60ae207254032ce2ac0b510c3b8596a7
SHA3-384 hash: 3034e668a7474ee8741f779550eab9e26a16cf2ee226a0bb2d96b5f2f47488c29ae3508fb5c051b947356ef358b16351
SHA1 hash: e00fa263f060ef0a10f72ffe4ce18fefaf19dbd6
MD5 hash: 99ef3cad54ddee0fced96d3da2a2a6c9
humanhash: thirteen-crazy-angel-lake
File name:Payment confirmation HA-9VVNL7.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'088'512 bytes
First seen:2023-05-25 06:15:15 UTC
Last seen:2023-06-05 15:35:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b3b7f3046623191c43621fd310d374b1 (2 x AveMariaRAT, 2 x ModiLoader, 1 x Formbook)
ssdeep 24576:GSWrMz8C3kJ+VnkaJ56TxIN84Mm/3vfJM5GJB:GS0o8YXMFIN84X3vfu5WB
Threatray 102 similar samples on MalwareBazaar
TLSH T12535BF63F7D14433D1666E39AD57E7E55A1E7E202928744E2FF82D08AF352813C6039B
TrID 51.9% (.EXE) InstallShield setup (43053/19/16)
17.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.7% (.SCR) Windows screen saver (13097/50/3)
5.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon e3e1e3f1d9c9dbe2 (11 x AveMariaRAT, 9 x ModiLoader, 2 x Neurevt)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
AveMariaRAT C2:
45.88.67.63:4545

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
Payment confirmation HA-9VVNL7.exe
Verdict:
Malicious activity
Analysis date:
2023-05-25 06:21:22 UTC
Tags:
installer dbatloader stealer rat avemaria warzone
Link:
https://app.any.run/tasks/88daa44a-6eb1-46d6-96cc-284d2c0985cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/391400/
Detection(s):
SecuriteInfo.com.Variant.Zusy.468669.6599.7108.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Network activity
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/87802/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger lolbin packed
Link:
https://www.filescan.io/uploads/646efd2266909cc8cb11f6ed/reports/88137754-edb2-4496-8f08-1a09072e5aea/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/463b268cd4afa5d7aada344628ece50e60ae207254032ce2ac0b510c3b8596a7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc59eeba-6039-49f7-8b8a-0d9c974edc68
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1242185
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Detected unpacking (creates a PE file in dynamic memory)
Drops PE files with a suspicious file extension
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 875201 Sample: Payment_confirmation_HA-9VV... Startdate: 25/05/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 9 other signatures 2->59 6 Payment_confirmation_HA-9VVNL7.exe 1 4 2->6         started        11 Hlavqmkl.exe 2->11         started        13 Hlavqmkl.exe 2->13         started        process3 dnsIp4 29 web.fe.1drv.com 6->29 31 onedrive.live.com 6->31 37 2 other IPs or domains 6->37 23 C:\Users\Public\Libraries\lkmqvalH.pif, PE32 6->23 dropped 25 C:\Users\Public\Libraries\Hlavqmkl.exe, PE32 6->25 dropped 27 C:\Users\...\Hlavqmkl.exe:Zone.Identifier, ASCII 6->27 dropped 61 Drops PE files with a suspicious file extension 6->61 63 Writes to foreign memory regions 6->63 65 Allocates memory in foreign processes 6->65 15 lkmqvalH.pif 3 8 6->15         started        33 web.fe.1drv.com 11->33 39 3 other IPs or domains 11->39 67 Antivirus detection for dropped file 11->67 69 Multi AV Scanner detection for dropped file 11->69 71 Machine Learning detection for dropped file 11->71 19 lkmqvalH.pif 1 11->19         started        35 web.fe.1drv.com 13->35 41 3 other IPs or domains 13->41 73 Creates a thread in another existing process (thread injection) 13->73 75 Injects a PE file into a foreign processes 13->75 21 lkmqvalH.pif 13->21         started        file5 signatures6 process7 dnsIp8 43 donelpacino.ddns.net 45.88.67.63, 4545, 49713 LVLT-10753US Bulgaria 15->43 45 Detected unpacking (creates a PE file in dynamic memory) 15->45 47 Tries to steal Mail credentials (via file / registry access) 15->47 49 Tries to harvest and steal browser information (history, passwords, etc) 15->49 51 2 other signatures 15->51 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/463b268cd4afa5d7aada344628ece50e60ae207254032ce2ac0b510c3b8596a7/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2023-05-25 06:16:04 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
14 of 36 (38.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iy5sndguv6s5pkw2grdcr3hfbzqk4idskqbszyvmbniqyo4fs2tq._file
Verdict:
malicious
Similar samples:
0d5a138754a0bcb2bf5557f158c342e8f7e32a509a3d93775e5aeb59d5d4e0d0
AveMariaRAT
511770fdae6585f7a8bd8cd9f77b5f214744d0ff2ed418237a2fd18434deda7e
AveMariaRAT
6894716ecdc2dc8c9df8522345f04945c0d90df9c2b5426c72fb4eee7d809c79
AveMariaRAT
8ca26ad3a105ee3dd82c2141db2f837651ec21079d1aceb993abd8c705de6648
AveMariaRAT
dac4faa0ae9110acaed3d4890a20d2600d11d040386f40603891aa0880fe825d
AveMariaRAT
e6b6b597f8f07b529a9bf027c549b0b9476fdbf8d01e089faa97972e17908dd4
AveMariaRAT
ee6b50f8cadc8d210bca98b2a164f66e6a48317450edf99a2c84ee2cde5a8338
AveMariaRAT
+ 92 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader trojan
Link:
https://tria.ge/reports/230525-g1gklsgc98/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Program crash
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
463b268cd4afa5d7aada344628ece50e60ae207254032ce2ac0b510c3b8596a7
MD5 hash:
99ef3cad54ddee0fced96d3da2a2a6c9
SHA1 hash:
e00fa263f060ef0a10f72ffe4ce18fefaf19dbd6
Detections:
DbatLoaderStage1
Create hunting rule
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/79cd12a4-20ad-4ceb-8113-9a461e4b8a3a/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/463b268cd4af/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:avemaria_rat_yhub
Create hunting rule
Author:Billy Austin
Description:Detects AveMaria RAT a.k.a. WarZone
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2_RID2C2E
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Windows_Trojan_AveMaria_31d2bce9
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar dffe351852b4d59a792f31ab4369c339f7ba61936453b6f9b9724adf5f4a42ce

AveMariaRAT

Executable exe 463b268cd4afa5d7aada344628ece50e60ae207254032ce2ac0b510c3b8596a7

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/391400/
  
Dropped by
SHA256 dffe351852b4d59a792f31ab4369c339f7ba61936453b6f9b9724adf5f4a42ce
  
Dropped by
MD5 2e33427db3e3f85a33a157401d2f7a5a

Comments