MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c3b6893fa601ddbd5c625e1841582c57bc4a1273993c43472d9a9b45b218c19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 19 File information Comments

SHA256 hash:	4c3b6893fa601ddbd5c625e1841582c57bc4a1273993c43472d9a9b45b218c19
SHA3-384 hash:	b60ec0c6633bc204d5947bca91d902e0c79812304a5eabcd1ef522181fc00658ca71523253cdc759cbe61859e402776e
SHA1 hash:	87164296a8dd66e787fb1d89f5d1f8c0c11a1e9b
MD5 hash:	0c776a61320c658100231fbdf3ae35b9
humanhash:	spaghetti-alabama-india-happy
File name:	rPO2978745374834O.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	563'632 bytes
First seen:	2023-07-04 12:01:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:p0mEFtBV7q0J4Dtg2YDD22U49rUsK9xqcp/3TcG7thyUrTGInL+Drr29wwJ5NSgx:m97rl2b
Threatray	1'091 similar samples on MalwareBazaar
TLSH	T1E1C4B3A3FAA2D444E605C2B6D623D2F18532DCBDCD8195D71F203FAB793578AEA13061
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	6f69432373733579 (1 x AveMariaRAT)
Reporter	FXOLabs
Tags:	AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

295

Origin country :

Vendor Threat Intelligence

Malware family:

avemaria

ID:

File name:

rPO2978745374834O.exe

Verdict:

Malicious activity

Analysis date:

2023-07-04 12:03:12 UTC

Tags:

stealer rat avemaria arkei warzone

Link:

https://app.any.run/tasks/36320833-5b17-4542-b710-726c5841c869

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/406475/

Detection(s):

Porcupine.MSIL.Kryptik.AHUA.143893.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Creating a file in the %AppData% directory

Reading critical registry keys

Creating a file in the %temp% directory

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated overlay packed packed

Link:

https://www.filescan.io/uploads/64a40a0451710bcd8d4425a3/reports/19414f2c-3312-4ffd-9afc-e752809d1446/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4c3b6893fa601ddbd5c625e1841582c57bc4a1273993c43472d9a9b45b218c19

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/30781347-1d6e-4ef3-9ff3-ab00917c2b8a

Result

Threat name:

AveMaria

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1266561

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected AveMaria stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/4c3b6893fa601ddbd5c625e1841582c57bc4a1273993c43472d9a9b45b218c19/

Threat name:

Win32.Backdoor.Warzone

Status:

Malicious

First seen:

2023-07-03 08:05:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jq5wre72mao5xvogexqyifmcyv54jijhhgj4inds3gu3iwzbrqmq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

2653f3dd62470c0775b52c9ddcfc778e70eba60080520ffc7193f3a02bb52dc3

AveMariaRAT

2e10481c61f217bbc42147262a054dd570c58a083ec0d8ea7af36f3a0cd4c3c6

AveMariaRAT

379b6dc80db881fdf83e9b8b413a793392f14b876ece65b5351b0052707c8302

AveMariaRAT

5e55b972a4b1e7a202f9d20f8f7e74162f89590e3c0fd19e489d1a7d52d1a439

AveMariaRAT

649acc4a8ec45c2b3d6e217e3818db8174eb3a3bd923d8b907f6164fd42bb751

AveMariaRAT

99666c2694dd18e4c1d6398e68305c8540dc88b98a667f223d11a70fbd3fb45f

AveMariaRAT

f2dd00932b9f5d109eb2c69bc510cf3738d33044505bb4b8c0923472cb3c251b

AveMariaRAT

+ 1'081 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat collection infostealer rat

Link:

https://tria.ge/reports/230704-n6wp2scd26/

Behaviour

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Uses the VBS compiler for execution

Warzone RAT payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

charlesdnsoh.duckdns.org:77

Unpacked files

SH256 hash:

477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52

MD5 hash:

16a9ddc4b32981114fe4f069a4353105

SHA1 hash:

bf73849f57c150f9e2199c61427f631be2dfa595

Link:

https://www.unpac.me/results/3cd3dafe-1e86-47b2-8bab-99b56152f45b/

SH256 hash:

fa8174b86ffc6792fc3a8fe89eb5a8d7935564b578b84a67159a8af308886357

MD5 hash:

df6432d7b5d130e609a403a46801fa96

SHA1 hash:

9c4d522c840d6a8ad630f021ecb5046201283106

Detections:

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Link:

https://www.unpac.me/results/3cd3dafe-1e86-47b2-8bab-99b56152f45b/

SH256 hash:

f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36

MD5 hash:

6c72218c48cd68cbcb654675053a0abb

SHA1 hash:

12207fa32070f99683648d87b44410e5d3cdf2de

Link:

https://www.unpac.me/results/3cd3dafe-1e86-47b2-8bab-99b56152f45b/

SH256 hash:

477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52

MD5 hash:

16a9ddc4b32981114fe4f069a4353105

SHA1 hash:

bf73849f57c150f9e2199c61427f631be2dfa595

Link:

https://www.unpac.me/results/3cd3dafe-1e86-47b2-8bab-99b56152f45b/

SH256 hash:

fa8174b86ffc6792fc3a8fe89eb5a8d7935564b578b84a67159a8af308886357

MD5 hash:

df6432d7b5d130e609a403a46801fa96

SHA1 hash:

9c4d522c840d6a8ad630f021ecb5046201283106

Detections:

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Link:

https://www.unpac.me/results/3cd3dafe-1e86-47b2-8bab-99b56152f45b/

SH256 hash:

477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52

MD5 hash:

16a9ddc4b32981114fe4f069a4353105

SHA1 hash:

bf73849f57c150f9e2199c61427f631be2dfa595

Link:

https://www.unpac.me/results/3cd3dafe-1e86-47b2-8bab-99b56152f45b/

SH256 hash:

f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36

MD5 hash:

6c72218c48cd68cbcb654675053a0abb

SHA1 hash:

12207fa32070f99683648d87b44410e5d3cdf2de

Link:

https://www.unpac.me/results/3cd3dafe-1e86-47b2-8bab-99b56152f45b/

SH256 hash:

fa8174b86ffc6792fc3a8fe89eb5a8d7935564b578b84a67159a8af308886357

MD5 hash:

df6432d7b5d130e609a403a46801fa96

SHA1 hash:

9c4d522c840d6a8ad630f021ecb5046201283106

Detections:

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Link:

https://www.unpac.me/results/3cd3dafe-1e86-47b2-8bab-99b56152f45b/

SH256 hash:

f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36

MD5 hash:

6c72218c48cd68cbcb654675053a0abb

SHA1 hash:

12207fa32070f99683648d87b44410e5d3cdf2de

Link:

https://www.unpac.me/results/3cd3dafe-1e86-47b2-8bab-99b56152f45b/

SH256 hash:

4c3b6893fa601ddbd5c625e1841582c57bc4a1273993c43472d9a9b45b218c19

MD5 hash:

0c776a61320c658100231fbdf3ae35b9

SHA1 hash:

87164296a8dd66e787fb1d89f5d1f8c0c11a1e9b

Link:

https://www.unpac.me/results/3cd3dafe-1e86-47b2-8bab-99b56152f45b/

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4c3b6893fa60/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	avemaria_rat_yhub Create hunting rule
Author:	Billy Austin
Description:	Detects AveMaria RAT a.k.a. WarZone

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_AveMaria_31d2bce9 Create hunting rule
Author:	Elastic Security

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

exe 4c3b6893fa601ddbd5c625e1841582c57bc4a1273993c43472d9a9b45b218c19

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/406475/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample