MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 696aaa0a2d06804fd98c3b16ae704eb779ddc833a6782fd289716dcf7fda35c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 696aaa0a2d06804fd98c3b16ae704eb779ddc833a6782fd289716dcf7fda35c8
SHA3-384 hash: 483d443a450d3c730871f136469258c1863b102955abcbcf997f2a4bfe8abf046d24ab0ba7b083ce9d328f34c420ae0c
SHA1 hash: 21fb61892722310ea7bfbc4581d6bc8549e747ac
MD5 hash: 425ab00f6f0c6428a0edc8eea44a72c6
humanhash: five-hotel-london-alanine
File name:425AB00F6F0C6428A0EDC8EEA44A72C6.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:675'328 bytes
First seen:2023-10-21 10:36:07 UTC
Last seen:2023-10-21 11:49:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:66RsEwmhzfqBu4aqwQcY5AsmK0S5FejZ0UuMd6XXH93zVqajynHLAN4QAPrvAkkb:fjwCT6baqbcY5AsmXvjLus6djJ
Threatray 1'032 similar samples on MalwareBazaar
TLSH T109E4BFC8B600B19ECC17CA768974DC70DA523C7B532BD11664CB3DABBA7E5968E005E3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0c4 (63 x Formbook, 23 x AgentTesla, 8 x RemcosRAT)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
AveMariaRAT C2:
163.123.143.8:8901

Intelligence

File Origin
# of uploads :
2
# of downloads :
334
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
425AB00F6F0C6428A0EDC8EEA44A72C6.exe
Verdict:
Malicious activity
Analysis date:
2023-10-21 10:40:30 UTC
Tags:
rat avemaria remote trojan stealer warzone
Link:
https://app.any.run/tasks/2a768a02-627b-4db7-917e-b19f1569e2cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
86%
Tags:
packed
Link:
https://www.filescan.io/uploads/6533a9ce2b74b3f20dd623a9/reports/680743ab-d704-4645-a098-35428044919a/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/696aaa0a2d06804fd98c3b16ae704eb779ddc833a6782fd289716dcf7fda35c8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51d9895f-c3c8-4022-b94b-aad51f1eaf4c
Result
Threat name:
AveMaria, PrivateLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1329626
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected PrivateLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1329626 Sample: ZsWWFj4101.exe Startdate: 21/10/2023 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 13 other signatures 2->58 7 ZsWWFj4101.exe 7 2->7         started        11 IEPBuzFgUzc.exe 5 2->11         started        process3 file4 38 C:\Users\user\AppData\...\IEPBuzFgUzc.exe, PE32 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmp209B.tmp, XML 7->40 dropped 60 Detected unpacking (changes PE section rights) 7->60 62 Detected unpacking (overwrites its own PE header) 7->62 64 Contains functionality to hide user accounts 7->64 72 2 other signatures 7->72 13 ZsWWFj4101.exe 3 12 7->13         started        18 powershell.exe 23 7->18         started        20 powershell.exe 23 7->20         started        28 2 other processes 7->28 66 Antivirus detection for dropped file 11->66 68 Multi AV Scanner detection for dropped file 11->68 70 Found evasive API chain (may stop execution after checking mutex) 11->70 74 5 other signatures 11->74 22 IEPBuzFgUzc.exe 11->22         started        24 schtasks.exe 11->24         started        26 IEPBuzFgUzc.exe 11->26         started        signatures5 process6 dnsIp7 50 163.123.143.8, 49721, 8901 ILIGHT-NETUS Reserved 13->50 42 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 13->42 dropped 44 C:\Users\user\AppData\Local\Temp\nss3.dll, PE32 13->44 dropped 46 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 13->46 dropped 48 3 other files (1 malicious) 13->48 dropped 76 Tries to steal Mail credentials (via file / registry access) 13->76 78 Tries to harvest and steal browser information (history, passwords, etc) 13->78 80 Increases the number of concurrent connection per server for Internet Explorer 13->80 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->82 30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        84 Contains functionality to hide user accounts 22->84 34 conhost.exe 24->34         started        36 conhost.exe 28->36         started        file8 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/696aaa0a2d06804fd98c3b16ae704eb779ddc833a6782fd289716dcf7fda35c8
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/696aaa0a2d06804fd98c3b16ae704eb779ddc833a6782fd289716dcf7fda35c8/
Threat name:
Win32.Backdoor.Warzone
Create hunting rule
Status:
Suspicious
First seen:
2023-10-17 07:37:12 UTC
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nfvkucrna2ae7wmmhmlk44cow5453sbtuz4c7uujofw46762gxea._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
1df652cc00fc5d79f97886e2056713907cf9a819c22eba3562d88b776003c39c
AveMariaRAT
1fe0659929bf6a67424138eddac1876c3fcc771e614bf90b286ecfe083641bdf
AveMariaRAT
305362809f5dba8394aadc7d504a87af728d70173c1941c3a111f8479b9deb04
AveMariaRAT
57bab10af9424bb39b4261d8938d946851694f2ff4841b3cf8f82364a40814f4
AveMariaRAT
6ecfbc791bb4c1d373497ab2d3d87d90a3931da5cafd3c72c52b811171a803e9
AveMariaRAT
85f6360167007d5c4d5f8fdaacf17c69448b7c87cfe87f46014e413bbe14da28
AveMariaRAT
8df743bfde0cc4b44753b7efdeb0f37e381a302f3248470cb949ed16730dd106
AveMariaRAT
d805990336c360dcf888e9bd917d3a5f70cf65c9d78ec6015d2b44982528ef33
AveMariaRAT
e360dcf6f40f9eb2ae5ceb98825ca3c8942fe935463594cfcf9c29ccd7f28707
AveMariaRAT
f9d809924aac74eb9e5b65b31006836dab351f74d12639158be83f9d7b84d75f
AveMariaRAT
+ 1'022 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer rat spyware stealer
Link:
https://tria.ge/reports/231021-mntbjaeb6t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
163.123.143.8:8901
Gathering data
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/696aaa0a2d06/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/696aaa0a2d06804fd98c3b16ae704eb779ddc833a6782fd289716dcf7fda35c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments