MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d77d28cbf980edcc459ac5f2e56e8ea1ce9534c97cbeeb57739dbb66756fc33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 21 File information Comments

SHA256 hash:	4d77d28cbf980edcc459ac5f2e56e8ea1ce9534c97cbeeb57739dbb66756fc33
SHA3-384 hash:	97e3a800be2497e9ef49fdff7ab53fe7548445e4a7a75d44d0566853cab42977f75ddf3fc45dfbcbd38a5ec2398b5884
SHA1 hash:	642aa05ed3cddba9784a7499637c05eb79471ff8
MD5 hash:	b70564d880ae73339db8be8b7b387e3b
humanhash:	monkey-berlin-victor-texas
File name:	4D77D28CBF980EDCC459AC5F2E56E8EA1CE9534C97CBE.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	943'616 bytes
First seen:	2022-10-04 14:30:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2f81b5c9269910375af465608d2f2ff2 (3 x RemcosRAT, 3 x Formbook, 2 x DBatLoader)
ssdeep	12288:AJUHQf66vLY0QWoYa5RsDDVQdDPf+rKU5IT7greRccA/s/rsGvRcZoYto:AsoUQin8uerHqRcv/sHsoIo
Threatray	2'472 similar samples on MalwareBazaar
TLSH	T12D158E12E3A2CD3FD2371678CD0796DC6C2D7A116934A40A7AE51D487B793A2261F2CF
TrID	61.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 24.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 10.7% (.OCX) Windows ActiveX control (116521/4/18) 1.3% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.2% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):
dhash icon	ecdce4c48c9ce4c4 (14 x RemcosRAT, 9 x DBatLoader, 5 x Formbook)
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

abuse_ch

AveMariaRAT C2:
178.170.138.49:5200

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
178.170.138.49:5200	https://threatfox.abuse.ch/ioc/870540/

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/316551/

Detection(s):

SecuriteInfo.com.Variant.Zusy.436143.17787.27254.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/41093/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

67%

Tags:

exploit formbook keylogger remcos shell32.dll zusy

Link:

https://www.filescan.io/uploads/633c43a6c9e2f3435432a25a/reports/1791828d-a584-45e6-9f8d-350f4274df88/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/6d66c570-4bbf-4100-9067-a7b35702e39b

Result

Threat name:

AveMaria, DBatLoader, UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1083651

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to check if Internet connection is working

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Creates a thread in another existing process (thread injection)

Found stalling execution ending in API Sleep call

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected AveMaria stealer

Yara detected DBatLoader

Yara detected UAC Bypass using ComputerDefaults

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4d77d28cbf980edcc459ac5f2e56e8ea1ce9534c97cbeeb57739dbb66756fc33/

Threat name:

Win32.Exploit.BypassUac

Status:

Malicious

First seen:

2022-09-27 00:42:47 UTC

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jv35fdf7tahnzrczvrps4vxi5ioosu2ms7f65nlxhhn3mz2w7qzq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

171465db36f7a839a3e563f16feb0adfbb50b93a3f2d949a7a72b5eddf8333ef

AveMariaRAT

28b7b46f61a94073b0d77b148830eabfcec7345aa69d0cb0a48d5752c82720dd

AveMariaRAT

4782eddb9ab8bac26615543aab44d368e333862217eaa8408181a4e565997d54

AveMariaRAT

6987377a1118969bd5be9bc61cbad585f85fcb41f7f52cf8d9998ac3241f87eb

AveMariaRAT

9807ccfb364f7f20ff558e2dde806c78f0ab863cf7a3ac4dd5aeed8f9775eb2f

AveMariaRAT

d509f13850c42ed1167dbce488855daf8fef40d16fcf8d898d5fc1fd7b76f569

AveMariaRAT

e693a994119d8f95c2a52ccdf683bcc9b3974c99f2719f98d88d27204be5e69b

AveMariaRAT

f9fc679cd72fd47ecd857ca86fffe2f0bbd1c880d5d5cad8c02ae9082b1239f2

AveMariaRAT

+ 2'462 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:modiloader family:warzonerat infostealer persistence rat trojan

Link:

https://tria.ge/reports/221004-rvpn5sbbg4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Adds Run key to start application

Checks computer location settings

Warzone RAT payload

ModiLoader, DBatLoader

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

ekuroekuro.duckdns.org:5200

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/79a420fc-f4ce-46dc-a4f2-e15c14c58bd1

Unpacked files

SH256 hash:

53619866fb7adb9f5dcbed0dce75932a74830dc02351a6b6c819e9701a13ada1

MD5 hash:

38a86eff48873c72ca4d72f191a56f63

SHA1 hash:

25e96f601aa827d3b1ab70b0fdc67d0c15023b73

Link:

https://www.unpac.me/results/e13e7980-0595-4a76-9ac1-a8a56d0f736f/

Parent samples :

e9f4a7f5f39ac0ea1fc287c5d9521667d3eca8344b2e60fe26f9f795d7f53a8d
2e86f98ee2dc99164970b21058123fda31af9feb290e14646c3a6f49525f2fcc
5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4
b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7
6620f97090422729f9d69268a68b76cc854f81cd97c25f3463315344ba3d639e
eae13c9aa0b286157c56819381b92a4a6d8e2607f553e7b71539b1959f2cd7a2
efa8f5c281c591960f2a8f508f278b1541de0c308f4039432307de4e0f25627c
aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe
d9d5ed4a3733ad8d8edcdd4a4e36f965f3ad5b0b0bb38b54acd9091ee99ff7cf
9e6da348b123ec110ed3d923198f378f6398a6e1f87d3a440340c5ab479e6912
ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9
22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578

SH256 hash:

4d77d28cbf980edcc459ac5f2e56e8ea1ce9534c97cbeeb57739dbb66756fc33

MD5 hash:

b70564d880ae73339db8be8b7b387e3b

SHA1 hash:

642aa05ed3cddba9784a7499637c05eb79471ff8

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/e13e7980-0595-4a76-9ac1-a8a56d0f736f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4d77d28cbf98/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4d77d28cbf980edcc459ac5f2e56e8ea1ce9534c97cbeeb57739dbb66756fc33

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2_RID2C2E Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_EXEPWSH_DLAgent Create hunting rule
Author:	ditekSHen
Description:	Detects SystemBC

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/316551/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample