MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b251cd96731540018f009f2bba5781785dccb7cd707a2b2da745c8fffead22d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AveMariaRAT
Vendor detections: 15

SHA256 hash: 4b251cd96731540018f009f2bba5781785dccb7cd707a2b2da745c8fffead22d
SHA3-384 hash: ffbc36d8faab6673518789908def93f53bb5ded559d25c4f6b034a0055910c61d91997914d3b9d99ba7cab61886d54df
SHA1 hash: d4231cf0fa234234db07dc0481ff2d86d062be7d
MD5 hash: d4eeb984eb487a78d9d463f677dc1d22
humanhash: oven-illinois-cup-nebraska
File name: Shipping Document.scr.exe
Signature: AveMariaRAT
File size: 3'000'320 bytes
First seen: 2023-10-26 17:10:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 49152:AgZjcz5YC/Nmxhorodv8eHBK5WvXJ9o90/0bZ8EV3BP/:xo9k8eHBK5WfJCm0bZ8EV35
Threatray: 59 similar samples on MalwareBazaar
TLSH: T17AD5E513BB46C9A3C5485337C597C63403A0DFA2631BE61B2BEB2B6774433A6D946327
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: f8f8f0f0e4c4c4d0 (13 x AveMariaRAT, 2 x AsyncRAT, 1 x NanoCore)
Reporter: abuse_ch
Tags: AveMariaRAT exe RAT


abuse_ch
AveMariaRAT C2:
185.254.37.81:5200

Intelligence


File Origin
# of uploads: 1
# of downloads: 375
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Shipping Document.scr.bin.zip
Verdict: Malicious activity
Analysis date: 2023-10-26 23:24:00 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Setting a keyboard event handler
DNS request
Network activity
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control lolbin masquerade
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AveMaria, PrivateLoader, UACMe
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AveMaria stealer
Yara detected Costura Assembly Loader
Yara detected PrivateLoader
Yara detected UACMe UAC Bypass tool
Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat collection infostealer rat spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction: 185.254.37.81:5200
Unpacked files
SHA256 hash: 4b251cd96731540018f009f2bba5781785dccb7cd707a2b2da745c8fffead22d
MD5 hash: d4eeb984eb487a78d9d463f677dc1d22
SHA1 hash: d4231cf0fa234234db07dc0481ff2d86d062be7d
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
