MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d888bc6d0a7f5da0c94a55113d93a3f8b894472c4d42af88c7cf7cb885d95ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 12 File information Comments

SHA256 hash:	5d888bc6d0a7f5da0c94a55113d93a3f8b894472c4d42af88c7cf7cb885d95ad
SHA3-384 hash:	8c75129f3b19ea465bfb7f585936f72968421a383f5688930e6fa99adda521e6add5dcae3e199e1e209fab3fa6655b1b
SHA1 hash:	8a5b06b14840ca31017b6ec46319cd7a787ed975
MD5 hash:	12ef0fd781cfabe54c57fb2f5176ec19
humanhash:	saturn-oklahoma-winner-carolina
File name:	1970-11-30__633003.pdf.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	680'448 bytes
First seen:	2021-07-26 14:00:45 UTC
Last seen:	2021-07-26 15:01:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8334ffffda06cacb2b113ba9de8c078a (1 x AveMariaRAT, 1 x Formbook)
ssdeep	12288:mDPmOzS2AO+GBDfNj/nNImvYGU3F4JDW6xpYMeAEmGQPN+BRKa:0eJ2Aq9p/nWmwG845W6xKMe2P
Threatray	981 similar samples on MalwareBazaar
TLSH	T186E4BF6474D0557AC22732B94D2BE2A80406FF402A5AE44F77EBFDBC1FBA791781D092
dhash icon	c4dcd8c6d4d4ccd4 (3 x RemcosRAT, 2 x Formbook, 1 x AveMariaRAT)
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

180

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1970-11-30__633003.pdf.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-26 15:27:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5e6fc569-a268-446f-8dd2-54e1abc5d7a9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/174161/

Detection(s):

SecuriteInfo.com.W32.Trojan2.QXKC.16886.12220.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5bbff8c2-4e2c-41be-956b-33763b9b6492

Result

Threat name:

Unknown

Detection:

malicious

Classification:

phis.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/821838

Signature

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Uses an obfuscated file name to hide its real file extension (double extension)

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.AVeMariaRAT

Status:

Malicious

First seen:

2021-07-26 14:01:11 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lweixrwqu725udeuuvirhwj2h6fysrdsytkcv6empt34xcc5swwq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

411a7c0f381354be120c25158756008260b2ba2f3b2a83e4a514602ab09edbea

AveMariaRAT

7666f3d19250bc9b6d75e1b081407ea6a71c81f22a2c027d85b6445a65a0f247

AveMariaRAT

7ee0c62e76613b5cdf12f2fa8d408ba952d9ac828e97d65411f8e9f8619cfc6b

AveMariaRAT

885e34ff7befbdcdb027a017843cbacdba7eebb34d3df2e3113cceb9adafe8b5

AveMariaRAT

8b80c4addd945a6f6dfcf49ffa0c8b6b7cab49b683783e2e7522879ffe2f3475

AveMariaRAT

a5c4e0a33316630d870175895153a056499950d478b2d09491f335ecfaaa4e3d

AveMariaRAT

ac9a96be003388d497db4755c9ca68a2725c901fdec82b942b4fb84683490b01

AveMariaRAT

b59b27b89189fc7fd98bc8f8a70d7d500907439cba4303c1eb812532fa2bc96f

AveMariaRAT

f1b5c3f7c1ee438590757e114f1c379f6c3d5fc7b349cad583976106737beb61

AveMariaRAT

+ 971 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer rat spyware stealer

Link:

https://tria.ge/reports/210726-nqlgwmbfkn/

Behaviour

Loads dropped DLL

Reads user/profile data of web browsers

Warzone RAT Payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

blacice24.hopto.org:5032

Unpacked files

SH256 hash:

d174ea83359cec0b0a35da88fa2a1791a1308e35a5e36e83f51a2723e48582a6

MD5 hash:

5c63077607b089e7045eb5e93d8324d9

SHA1 hash:

9ca12c4d6e4a97269d26fe6755aae441276bff42

Link:

https://www.unpac.me/results/c956f068-407f-4821-b66b-ab7c6000a035/

SH256 hash:

5d888bc6d0a7f5da0c94a55113d93a3f8b894472c4d42af88c7cf7cb885d95ad

MD5 hash:

12ef0fd781cfabe54c57fb2f5176ec19

SHA1 hash:

8a5b06b14840ca31017b6ec46319cd7a787ed975

Link:

https://www.unpac.me/results/c956f068-407f-4821-b66b-ab7c6000a035/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5d888bc6d0a7f5da0c94a55113d93a3f8b894472c4d42af88c7cf7cb885d95ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/174161/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample