MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e604a080ddaa906e8e74171c393bcea4af00c95e0d8c919e2838c08195078a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e604a080ddaa906e8e74171c393bcea4af00c95e0d8c919e2838c08195078a7
SHA3-384 hash: cc67f89152c7fb457c92fd93a717f908ba0d1997cc3575bc4c37f03eb8876b377d69e9d5829709c8de941dc50f1e9321
SHA1 hash: 400337de290c93ed81d89945211ebe3f7b5696bf
MD5 hash: 08dfac88e9c3613f61610a305c8b69c3
humanhash: don-echo-snake-kitten
File name:Payment.pdf.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:776'704 bytes
First seen:2022-05-09 11:52:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8aaab755596d4e153deff3d89570bbae (2 x RemcosRAT, 1 x AveMariaRAT, 1 x BitRAT)
ssdeep 12288:8l9yyrn6OMyZINEg+Cu9aZvofn7EqNNY0ENwMeBAFCvU9r4FKI4/8:ClLRZId+d9aZvcVLOGHswJ
Threatray 9'121 similar samples on MalwareBazaar
TLSH T176F4BF22E2D19537C07225348C1B76AA6E3AFD102E38A94637E57C4C9F397D5393A393
TrID 22.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
20.6% (.SCR) Windows screen saver (13101/52/3)
16.5% (.EXE) Win64 Executable (generic) (10523/12/4)
15.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
7.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon bab0f1ecccce9e98 (17 x Formbook, 4 x SnakeKeylogger, 4 x RemcosRAT)
Reporter GovCERT_CH
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment.pdf.exe
Verdict:
Suspicious activity
Analysis date:
2022-05-09 11:56:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e78f4d64-c052-4488-a7c7-f6f5ab5d1d8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Generic-9938653-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% directory
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16825/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger packed replace.exe
Link:
https://www.filescan.io/uploads/627900a44b517e213c2675d6/reports/18911998-f495-4878-b33a-33fed219cbfd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58a0ed1c-f9e9-4ee9-bc3b-6f29f0594a3d
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/990147
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 622642 Sample: Payment.pdf.exe Startdate: 09/05/2022 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 8 other signatures 2->49 8 Payment.pdf.exe 1 21 2->8         started        13 Lbqaptl.exe 13 2->13         started        15 Lbqaptl.exe 13 2->15         started        process3 dnsIp4 39 167.235.29.244, 49717, 49719, 49749 ALBERTSONSUS United States 8->39 33 C:\Users\Public\Libraries\Lbqaptl.exe, PE32 8->33 dropped 35 C:\Users\...\Lbqaptl.exe:Zone.Identifier, ASCII 8->35 dropped 59 Writes to foreign memory regions 8->59 61 Allocates memory in foreign processes 8->61 63 Creates a thread in another existing process (thread injection) 8->63 17 DpiScaling.exe 3 4 8->17         started        21 cmd.exe 1 8->21         started        41 192.168.2.1 unknown unknown 13->41 65 Multi AV Scanner detection for dropped file 13->65 67 Injects a PE file into a foreign processes 13->67 23 DpiScaling.exe 1 13->23         started        25 DpiScaling.exe 1 15->25         started        file5 signatures6 process7 dnsIp8 37 45.143.147.163, 49752, 5200 BANDWIDTH-ASGB United Kingdom 17->37 51 Tries to steal Mail credentials (via file / registry access) 17->51 53 Contains functionality to inject threads in other processes 17->53 55 Contains functionality to steal Chrome passwords or cookies 17->55 57 4 other signatures 17->57 27 cmd.exe 1 21->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e604a080ddaa906e8e74171c393bcea4af00c95e0d8c919e2838c08195078a7/
Threat name:
Win32.Trojan.Warzonerat
Create hunting rule
Status:
Malicious
First seen:
2022-05-09 08:54:02 UTC
File Type:
PE (Exe)
Extracted files:
63
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nzqeucan3kuqn2hhify4he545jfpadev4dmmsgpcqogaqgkqpctq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0d9facf6b7073de4e3db19eb64e80589d98cfe35b66942191390a891bb8b241c
AveMariaRAT
40901dc70e02ccd60768da1dcb23556f9ab77cafd4bb074fba8440eb0470af21
AveMariaRAT
4e3b7e84edc257cfc5c6d581272695e2ef520f47b6fa8e179960d52f0f0a3140
AveMariaRAT
6299e5f3946878e16130c6454bcd90bf319b3dcf8bd13d9a56bb867ba82eb655
AveMariaRAT
6458542795cc0a40d4ab238e2be5fb15546d5ca38e52d1f9c7d4157dca27679a
AveMariaRAT
6a388696745c133ba5ea711f6413c3c10c082df2d70ca70b2f015c5f83c53c75
AveMariaRAT
a1e72ad944e02ee8ada1e6b4b98217e7eeb8fa0c0c19aeebaf7401e2f35ee54d
AveMariaRAT
c16b9319edf591f4b75c3b69e09451de772816ed5a7915c9112bb8dd14e4aea3
AveMariaRAT
f43ec67b5158f58273a216cbc49003c55b8f0e6316a3390823348924e38507be
AveMariaRAT
+ 9'111 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat collection infostealer persistence rat trojan
Link:
https://tria.ge/reports/220509-n2al1sfhep/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
45.143.147.163:5200
Unpacked files
SH256 hash:
6e604a080ddaa906e8e74171c393bcea4af00c95e0d8c919e2838c08195078a7
MD5 hash:
08dfac88e9c3613f61610a305c8b69c3
SHA1 hash:
400337de290c93ed81d89945211ebe3f7b5696bf
Link:
https://www.unpac.me/results/7c6141b0-8412-40d9-b8a7-c4a24d00e4b1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6e604a080dda/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/6e604a080ddaa906e8e74171c393bcea4af00c95e0d8c919e2838c08195078a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 6e604a080ddaa906e8e74171c393bcea4af00c95e0d8c919e2838c08195078a7

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments