MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 635dfd1efd705394c8911da4fdcd0777fcc7c1078010c448e12d3f0624659ed6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AveMariaRAT
Vendor detections: 13
| SHA256 hash: | 635dfd1efd705394c8911da4fdcd0777fcc7c1078010c448e12d3f0624659ed6 |
|---|---|
| SHA3-384 hash: | 4abc4e1504e31d256a98a8892ab9d59b11647a3b1e0d5f51abbebe5810fc12e93604e076257cdbefae06e307e926a356 |
| SHA1 hash: | 6221ab15ad7392d90e204553a665a07940e417d4 |
| MD5 hash: | 67d8d1bfdb887a867555b9c41672453d |
| humanhash: | nebraska-nuts-triple-yankee |
| File name: | IMG_Scan Copy P-O for Quote Speificiations.exe |
| Download: | download sample |
| Signature | AveMariaRAT |
| File size: | 958'976 bytes |
| First seen: | 2022-05-19 13:40:50 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | fa4f15293bf39cacb7254553c7ce6e53 (2 x AveMariaRAT, 1 x RemcosRAT, 1 x BitRAT) |
| ssdeep | 24576:8guIsJAkkCasjr6+aCuT8kt7fyIkd73h5:fWAVLTRhkRh |
| TLSH | T19515BF23F3914433C03325748C1B96A45529BF152F38B97B6BEA2E4C5F3A7827929397 |
| TrID | 44.6% (.EXE) InstallShield setup (43053/19/16) 14.7% (.EXE) Win32 Executable Delphi generic (14182/79/4) 13.5% (.SCR) Windows screen saver (13101/52/3) 10.9% (.EXE) Win64 Executable (generic) (10523/12/4) 4.6% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | e69296968e9e9ea6 (4 x AveMariaRAT, 4 x RemcosRAT, 3 x BitRAT) |
| Reporter |  James_inthe_box |
| Tags: | AveMariaRAT exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG_Scan Copy P-O for Quote Speificiations.r01
Verdict:
Malicious activity
Analysis date:
2022-05-19 04:16:27 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
6/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
control.exe keylogger packed replace.exe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Signature
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Tnega
Status:
Malicious
First seen:
2022-05-19 03:56:21 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
20 of 26 (76.92%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Result
Malware family:
warzonerat
Score:
10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Behaviour
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
luckyfavour2022.ddns.net:4468
Unpacked files
SH256 hash:
21c0fb2b53a8dc9d38a9cef684adce53f0dd311c3e8861cddda7946408f00b77
MD5 hash:
e91f52a1d9b8f23ae40be2e76017452c
SHA1 hash:
f86fd2cfcc8513e76c7c3ae74ae03d509aa3f453
SH256 hash:
635dfd1efd705394c8911da4fdcd0777fcc7c1078010c448e12d3f0624659ed6
MD5 hash:
67d8d1bfdb887a867555b9c41672453d
SHA1 hash:
6221ab15ad7392d90e204553a665a07940e417d4
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AveMaria |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies AveMaria aka WarZone RAT. |
| Rule name: | AveMaria_WarZone |
|---|
| Rule name: | ave_maria_warzone_rat |
|---|---|
| Author: | jeFF0Falltrades |
| Rule name: | Codoso_Gh0st_1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Codoso APT Gh0st Malware |
| Reference: | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks |
| Rule name: | Codoso_Gh0st_1_RID2C2D |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Codoso APT Gh0st Malware |
| Reference: | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks |
| Rule name: | Codoso_Gh0st_2 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Codoso APT Gh0st Malware |
| Reference: | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks |
| Rule name: | Codoso_Gh0st_2_RID2C2E |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Codoso APT Gh0st Malware |
| Reference: | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables embedding command execution via IExecuteCommand COM object |
| Rule name: | MALWARE_Win_AveMaria |
|---|---|
| Author: | ditekSHen |
| Description: | AveMaria variant payload |
| Rule name: | MALWARE_Win_WarzoneRAT |
|---|---|
| Author: | ditekSHen |
| Description: | Detects AveMaria/WarzoneRAT |
| Rule name: | MAL_Envrial_Jan18_1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Encrial credential stealer malware |
| Reference: | https://twitter.com/malwrhunterteam/status/953313514629853184 |
| Rule name: | MAL_Envrial_Jan18_1_RID2D8C |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Encrial credential stealer malware |
| Reference: | https://twitter.com/malwrhunterteam/status/953313514629853184 |
| Rule name: | MAL_Lokibot_Stealer |
|---|---|
| Description: | Detects Lokibot Stealer Variants |
| Rule name: | RDPWrap |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies RDP Wrapper, sometimes used by attackers to maintain persistence. |
| Reference: | https://github.com/stascorp/rdpwrap |
| Rule name: | win_ave_maria_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.ave_maria. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.