MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b46c6363eb8fab2e969bef3a3cde6843f82e405b446e645207c9e9f97a89ed1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b46c6363eb8fab2e969bef3a3cde6843f82e405b446e645207c9e9f97a89ed1
SHA3-384 hash: b84676fb9826d2714fb114d57498be2cdce732598b8c154f11fd744059ee61f7d3baf92b01c2daad8033434a4990f06b
SHA1 hash: 7035952fb7089f59b8102c7f4a57c8cd8ba39135
MD5 hash: ea3601e5f794f959bf0ed824393a0840
humanhash: beer-september-august-crazy
File name:SecuriteInfo.com.Variant.Zusy.434746.14893.23161
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:816'640 bytes
First seen:2022-08-01 02:35:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash db4b2c1174dbbcff022ad594d311bf09 (3 x DBatLoader, 2 x AveMariaRAT, 1 x Formbook)
ssdeep 24576:QCWYilFBNf4sLUY8qEDGX8whubd52Ep8r:QXPL65or
Threatray 4'068 similar samples on MalwareBazaar
TLSH T1E905AF3AB2D0C537D0631D788C5B67F8986D7E502D28A4595BE83E4C9F3A7513C2A2B3
TrID 68.5% (.OCX) Windows ActiveX control (116521/4/18)
8.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
7.7% (.SCR) Windows screen saver (13101/52/3)
6.1% (.EXE) Win64 Executable (generic) (10523/12/4)
2.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 509dca9acccc4b90 (5 x DBatLoader, 2 x AveMariaRAT, 1 x Formbook)
Reporter SecuriteInfoCom
Tags:AveMariaRAT exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
85.31.46.136:8008 https://threatfox.abuse.ch/ioc/840595/

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295442/
Detection(s):
SecuriteInfo.com.Variant.Zusy.434746.14893.23161.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Creating a file in the %AppData% directory
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27946/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/62e73c289ca9b9bfcbe1dd2d/reports/d5cfa9dd-377f-4071-ac40-87019e084051/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8594fea6-6dbb-4197-9768-4737c6eafb92
Result
Threat name:
AveMaria, DBatLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043906
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UAC Bypass using ComputerDefaults
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 676400 Sample: SecuriteInfo.com.Variant.Zu... Startdate: 01/08/2022 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Yara detected UAC Bypass using ComputerDefaults 2->55 57 5 other signatures 2->57 6 SecuriteInfo.com.Variant.Zusy.434746.14893.exe 1 17 2->6         started        11 Zisclp.exe 15 2->11         started        13 Zisclp.exe 15 2->13         started        process3 dnsIp4 27 onedrive.live.com 6->27 29 ci4kvw.am.files.1drv.com 6->29 31 am-files.fe.1drv.com 6->31 23 C:\Users\Public\Libraries\Zisclp.exe, PE32 6->23 dropped 25 C:\Users\...\Zisclp.exe:Zone.Identifier, ASCII 6->25 dropped 59 Injects a PE file into a foreign processes 6->59 15 SecuriteInfo.com.Variant.Zusy.434746.14893.exe 3 6 6->15         started        33 onedrive.live.com 11->33 37 2 other IPs or domains 11->37 19 Zisclp.exe 1 11->19         started        35 onedrive.live.com 13->35 39 2 other IPs or domains 13->39 21 Zisclp.exe 1 13->21         started        file5 signatures6 process7 dnsIp8 41 online-3450.home-webserver.de 85.31.46.136, 49761, 8008 CLOUDCOMPUTINGDE Germany 15->41 43 Tries to steal Mail credentials (via file / registry access) 15->43 45 Tries to harvest and steal browser information (history, passwords, etc) 15->45 47 Increases the number of concurrent connection per server for Internet Explorer 15->47 49 2 other signatures 15->49 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b46c6363eb8fab2e969bef3a3cde6843f82e405b446e645207c9e9f97a89ed1/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-08-01 02:36:11 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nndmmnr6xd5lf2ljx3z2htpgqq7yfzafwrdomrjapspj7f5it3iq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
032b470bea30ebbb1171b302b3fbcea932ef7602c475f14abd05ac789d9f0188
AveMariaRAT
0bf912b223d9f0a3bb0e52a30194486f37e31b7b55627b485d2bb70919124fa2
AveMariaRAT
36981ea2e9ccb73809a6fe8956552f0e84a39e7684fc1982b6f52a2ce0ffd11d
AveMariaRAT
549d8f67e615fb4a17084e884f285947b9a4cd6c46bdd32d18bf44e71993fac4
AveMariaRAT
59f442a1ef0ed0ce7891f868e1aa234cff02ae471c6ab9bffdfbdb308065cd9f
AveMariaRAT
60aaad543aa7fbea9a59269872d18029c46e93a0a37d54a1956e1139ac8dc91a
AveMariaRAT
7815d7ba1693ba293e64e6d8052c559ec87cb905d27b9c462b5b10aee4dcb9a3
AveMariaRAT
9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf
AveMariaRAT
f3c1c5cfc3e095b3ae94a810e13d707bc0e7b07ab3c6ecc9f165729a48c1cb4b
AveMariaRAT
+ 4'058 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat collection infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220801-c3kmtsgadr/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
ModiLoader Second Stage
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
online-3450.home-webserver.de:8008
Unpacked files
SH256 hash:
df5188834ad47e3f01711c40fa863a1117e26df67fbe7bb116d9f3721dd4449e
MD5 hash:
6381d1e28338c4262a7bbe4e1f3fc66d
SHA1 hash:
8f8ab1deb41db7a0a74ef63dafe9b51a8e02e68c
Link:
https://www.unpac.me/results/e832eb83-116a-4b94-883c-a006eec15058/
SH256 hash:
6b46c6363eb8fab2e969bef3a3cde6843f82e405b446e645207c9e9f97a89ed1
MD5 hash:
ea3601e5f794f959bf0ed824393a0840
SHA1 hash:
7035952fb7089f59b8102c7f4a57c8cd8ba39135
Link:
https://www.unpac.me/results/e832eb83-116a-4b94-883c-a006eec15058/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b46c6363eb8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b46c6363eb8fab2e969bef3a3cde6843f82e405b446e645207c9e9f97a89ed1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/295442/

Comments