MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4782eddb9ab8bac26615543aab44d368e333862217eaa8408181a4e565997d54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4782eddb9ab8bac26615543aab44d368e333862217eaa8408181a4e565997d54
SHA3-384 hash: 362efd9edef117dfeea5b2cb3713ff5a6e5575f019b4faa90884d50a58d3cb57f8ba00fe9c944349c2c6c2448e6027f5
SHA1 hash: 09538c1693b98ade287f24dd7b64c310cf1b7526
MD5 hash: 0c82d87c494f8b80c88c826ba0552134
humanhash: oven-floor-idaho-mountain
File name:SecuriteInfo.com.Trojan.PackedNET.1444.23865.28507
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:692'224 bytes
First seen:2022-07-13 15:41:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:zq/ynI7TkGyAYxewN3taOvGvwmpLIo0g5dAFTZ:OLktz9NsQWIo0xT
Threatray 11'874 similar samples on MalwareBazaar
TLSH T1FFE4AD7F27EEAC50C03E77F9A25B905053F4E2CF4522EA9B48D481E17B232453EA14E6
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.1444.23865.28507
Verdict:
Malicious activity
Analysis date:
2022-07-13 16:34:13 UTC
Tags:
warzone
Link:
https://app.any.run/tasks/3ff6b795-1a1c-43ce-9418-4382ba2de3de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/287651/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1444.23865.28507.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Searching for the window
Сreating synchronization primitives
DNS request
Enabling autorun
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62cee8390b00dfa734ec991b/reports/f4281971-503e-43d3-8188-e9fe4d12e50f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1030338
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected Generic Downloader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 662832 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 13/07/2022 Architecture: WINDOWS Score: 100 69 www.google.com 2->69 93 Malicious sample detected (through community Yara rule) 2->93 95 Antivirus detection for dropped file 2->95 97 Multi AV Scanner detection for dropped file 2->97 99 7 other signatures 2->99 12 SecuriteInfo.com.Trojan.PackedNET.1444.23865.exe 15 3 2->12         started        signatures3 process4 dnsIp5 77 www.google.com 172.217.16.196, 443, 49715, 49755 GOOGLEUS United States 12->77 67 SecuriteInfo.com.T....1444.23865.exe.log, ASCII 12->67 dropped 123 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->123 17 cmd.exe 3 12->17         started        21 cmd.exe 1 12->21         started        file6 signatures7 process8 file9 57 C:\Users\user\AppData\Roaming\dreshj.exe, PE32 17->57 dropped 59 C:\Users\user\...\dreshj.exe:Zone.Identifier, ASCII 17->59 dropped 89 Uses ping.exe to sleep 17->89 23 dreshj.exe 14 6 17->23         started        28 conhost.exe 17->28         started        30 PING.EXE 1 17->30         started        32 PING.EXE 1 17->32         started        91 Uses ping.exe to check the status of other devices and networks 21->91 34 reg.exe 1 1 21->34         started        36 PING.EXE 1 21->36         started        38 conhost.exe 21->38         started        signatures10 process11 dnsIp12 71 www.google.com 23->71 61 C:\Users\user\AppData\Local\Temp\Smmres.exe, PE32 23->61 dropped 101 Machine Learning detection for dropped file 23->101 103 Writes to foreign memory regions 23->103 105 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->105 107 Injects a PE file into a foreign processes 23->107 40 AddInProcess32.exe 6 8 23->40         started        45 Smmres.exe 2 23->45         started        109 Creates an undocumented autostart registry key 34->109 73 127.0.0.1 unknown unknown 36->73 file13 signatures14 process15 dnsIp16 75 untyaru.casacam.net 23.105.131.196, 2301, 49759 LEASEWEB-USA-NYC-11US United States 40->75 63 C:\Users\user\AppData\Local\Temp\45.exe, PE32 40->63 dropped 65 C:\Program Files\Microsoft DN1\sqlmap.dll, PE32+ 40->65 dropped 111 Hides user accounts 40->111 113 Increases the number of concurrent connection per server for Internet Explorer 40->113 115 Hides that the sample has been downloaded from the Internet (zone.identifier) 40->115 117 Installs a global keyboard hook 40->117 47 45.exe 40->47         started        119 Antivirus detection for dropped file 45->119 121 Multi AV Scanner detection for dropped file 45->121 51 Smmres.exe 45->51         started        file17 signatures18 process19 dnsIp20 79 239.255.255.250 unknown Reserved 47->79 81 Antivirus detection for dropped file 47->81 83 Multi AV Scanner detection for dropped file 47->83 85 Uses netsh to modify the Windows network and firewall settings 47->85 87 Modifies the windows firewall 47->87 53 netsh.exe 47->53         started        signatures21 process22 process23 55 conhost.exe 53->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4782eddb9ab8bac26615543aab44d368e333862217eaa8408181a4e565997d54/
Threat name:
ByteCode-MSIL.Infostealer.Pretoria
Create hunting rule
Status:
Malicious
First seen:
2022-07-13 08:33:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
13 of 41 (31.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i6bo3w42xc5mezqvkq5kwrgtndrthbrcc7vkqqebqgsokzmzpvka._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
060b0e65ae129b5c84b802b3b4e49b71f3f25514317c3294d006e643f05b6ed6
AveMariaRAT
0c78222c8ba928915a4daa3332b2bf6129e243676c9de511332e95caa14c573d
AveMariaRAT
0d4a3bfbe869c2ae0f0713b38b6e4fe4d73ee2b35c94ec17568fdecf2aaee894
AveMariaRAT
39c3c62719694bfbbfe16ed4eb9c67b70ca43c9df2641658de388e74d31c0058
AveMariaRAT
598b1677f6ceca86896ca050d5410cdaa9a5d2b192f1acee9ba0b764ea41de8f
AveMariaRAT
6987377a1118969bd5be9bc61cbad585f85fcb41f7f52cf8d9998ac3241f87eb
AveMariaRAT
80b458b5e4d287b9500da26df1a56d769d8c1cae3d524d8319e26ea190293125
AveMariaRAT
a3ba59c3eed3e07db5cce83c2f9b463f5c5f2296310a2e7853ad558ccdae2285
AveMariaRAT
bd6e789f312094e2d4a5caf66739fc0dda356a5c6c15603a6f73cab7a9f73366
AveMariaRAT
e964a10af1e43365b03fbc73be9eb905bd14df40398ea17090b870a5f01c6962
AveMariaRAT
+ 11'864 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat upx
Link:
https://tria.ge/reports/220713-s5bqpsbbg8/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Sets DLL path for service in the registry
UPX packed file
Warzone RAT payload
Modifies WinLogon for persistence
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
4782eddb9ab8bac26615543aab44d368e333862217eaa8408181a4e565997d54
MD5 hash:
0c82d87c494f8b80c88c826ba0552134
SHA1 hash:
09538c1693b98ade287f24dd7b64c310cf1b7526
Link:
https://www.unpac.me/results/751ac97c-d6b0-4edd-8581-e4157b8307aa/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4782eddb9ab8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4782eddb9ab8bac26615543aab44d368e333862217eaa8408181a4e565997d54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/287651/

Comments