MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69c7e7d8730b4998b848f2731fa5b3db7783c390d23daebb00e02cbc5a53205e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69c7e7d8730b4998b848f2731fa5b3db7783c390d23daebb00e02cbc5a53205e
SHA3-384 hash: dfc423ae2cc869a8d84a149a6864d6aee6893923d49e4bd5d897d948749be4da31d8d10a7e213a0cf03f70d9b7a0d168
SHA1 hash: defb6d7d72e0c25683408a15a8c5aab6889765df
MD5 hash: ff04bd2c686d81f82e902d3023118f0c
humanhash: east-oklahoma-high-april
File name:PO-RFQ 372842997_Recall-Shipment.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'093'120 bytes
First seen:2022-01-21 07:31:28 UTC
Last seen:2022-01-21 16:26:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d432c16623339e8ab5ce868f795be3f (2 x AveMariaRAT)
ssdeep 12288:AJ2cF5mwV7W+AsAm/CrA1v+81yOgikqqyWEzzy7T8YQ0VJRX4tKa/B1HoGW7T3b7:gB97W+rAm/Ck2Y4y1GZxNXranXKT7vT
Threatray 319 similar samples on MalwareBazaar
TLSH T18435AD23E2914E33D57F17344C0797A5A827BE012E68B6CA7AE85E5C7F352817825F83
File icon (PE):PE icon
dhash icon 12b232f2b98c8681 (12 x Formbook, 12 x RemcosRAT, 2 x AveMariaRAT)
Reporter GovCERT_CH
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221371/
Detection(s):
SecuriteInfo.com.Malware.AI.4277572501.27965.29467.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% directory
Reading critical registry keys
Creating a file in the %temp% directory
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger packed replace.exe
Link:
https://www.filescan.io/uploads/61ea6177f81da814af953340/reports/572832b5-3ba1-4558-a78f-b49bc7adadb5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a07aa056-e050-4c31-94bb-fbfbcb32f158
Result
Threat name:
AveMaria DBatLoader UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925026
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 557504 Sample: PO-RFQ 372842997_Recall-Shi... Startdate: 21/01/2022 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 10 other signatures 2->51 8 PO-RFQ 372842997_Recall-Shipment.exe 1 24 2->8         started        13 Sgngbjafup.exe 13 2->13         started        15 Sgngbjafup.exe 14 2->15         started        process3 dnsIp4 43 goloramltd.com 203.191.33.96, 443, 49755, 49756 CYBERNET-BD-ASGrameenCybernetLtdBangladeshASforloca Bangladesh 8->43 33 C:\Users\user\Contacts\propsys.dll, PE32+ 8->33 dropped 35 C:\Users\user\Contacts\Sgngbjafup.exe, PE32 8->35 dropped 37 C:\Users\...\Sgngbjafup.exe:Zone.Identifier, ASCII 8->37 dropped 39 C:\Users\user\Contacts\ComputerDefaults.exe, PE32+ 8->39 dropped 61 Writes to foreign memory regions 8->61 63 Allocates memory in foreign processes 8->63 65 Creates a thread in another existing process (thread injection) 8->65 17 DpiScaling.exe 3 4 8->17         started        21 cmd.exe 1 8->21         started        67 Multi AV Scanner detection for dropped file 13->67 69 Injects a PE file into a foreign processes 13->69 23 DpiScaling.exe 1 13->23         started        25 DpiScaling.exe 1 15->25         started        file5 signatures6 process7 dnsIp8 41 myblessingsfor2022.ddns.net 45.137.22.143, 4246, 49762 ROOTLAYERNETNL Netherlands 17->41 53 Found evasive API chain (may stop execution after checking mutex) 17->53 55 Tries to steal Mail credentials (via file / registry access) 17->55 57 Contains functionality to inject threads in other processes 17->57 59 5 other signatures 17->59 27 cmd.exe 1 21->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69c7e7d8730b4998b848f2731fa5b3db7783c390d23daebb00e02cbc5a53205e/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 05:54:11 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
18 of 28 (64.29%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nhd6pwdtbnezroci6jzr7jnt3n3yhq4q2i625oya4awlywstebpa._file
Verdict:
malicious
Similar samples:
0d9facf6b7073de4e3db19eb64e80589d98cfe35b66942191390a891bb8b241c
AveMariaRAT
1a77fe43c21c77b47c1ea009c8a7c082eb11abcfb48ff4375cce7edc0925e9c6
AveMariaRAT
4cdb484aff91fc4c74a8f2750296212dd12af808fee3e01bf9b8d0feafbd8fc1
AveMariaRAT
6801e72d76e2131ff91a42e054fdcf34f0c024e203b1e314beefe8dee734acf2
AveMariaRAT
897d218b958ece913adb5670a36e54f96f7d5279174c21f11cef92e31876a772
AveMariaRAT
9e1f83813953f38ebc2e39ec795b85cc808e6f5cb36ea8b3a25e7eddb3cf429b
AveMariaRAT
ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e
AveMariaRAT
ed063e69d7a5b6e0d14d81df38a1ec039788191dea6bd072aa573bfa90594899
AveMariaRAT
+ 309 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/220121-jcy6vsedf8/
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Executes dropped EXE
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
myblessingsfor2022.ddns.net:4246
Unpacked files
SH256 hash:
178ab3315a2bc29e61be0eb6b83970cf622588ca90ce0905e6c2138630163905
MD5 hash:
8f8384a01bbffb026083df6001364525
SHA1 hash:
6c448d033354841722b7c2807f0ee9e9831ddbe4
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/a606b3ae-25d8-4f0d-821f-262c3c8923ce/
Parent samples :
5373c20a65136de3e43b1e86b9fa37baff682541089164b4be57318bb9a52291
a7017af2c60c1c5bc06d07f88e12d3b471a8787e233969d92ac6048d303cd682
1c031e5ad00a53c0138ec05e36045979a920dfabeed6751292c59b695af80291
6801e72d76e2131ff91a42e054fdcf34f0c024e203b1e314beefe8dee734acf2
69c7e7d8730b4998b848f2731fa5b3db7783c390d23daebb00e02cbc5a53205e
112bdfee4547b7d7d8cb4fdc7a47021a17e164441ca10f4177bcf9980a46d89c
SH256 hash:
69c7e7d8730b4998b848f2731fa5b3db7783c390d23daebb00e02cbc5a53205e
MD5 hash:
ff04bd2c686d81f82e902d3023118f0c
SHA1 hash:
defb6d7d72e0c25683408a15a8c5aab6889765df
Link:
https://www.unpac.me/results/a606b3ae-25d8-4f0d-821f-262c3c8923ce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69c7e7d8730b4998b848f2731fa5b3db7783c390d23daebb00e02cbc5a53205e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 69c7e7d8730b4998b848f2731fa5b3db7783c390d23daebb00e02cbc5a53205e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/221371/

Comments