MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75a25fe05bbcefe44a5965015d178374e74b2d2be3ec2fba5d15cf37dc93df20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75a25fe05bbcefe44a5965015d178374e74b2d2be3ec2fba5d15cf37dc93df20
SHA3-384 hash: ba14e8a453f22c87e27c1ad3a0a5197b7d5c84011d0814bedb3e561634312c1d8ce3ab415ca27a2190806901f1404334
SHA1 hash: acf58fee939957b9dbb8df32b2024377328c7b4d
MD5 hash: 3346c56f56dd3704fae1702388f0dcab
humanhash: mars-skylark-december-ack
File name:PO_IN00043INBOM_Specifications Sheet^^^^^dwg.scr
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:388'280 bytes
First seen:2022-03-01 18:27:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:KjcR8S7ToRXRORJaod/Ais3WBUdhobu9m/Ttt67tXDOmFpzK0eHlUQ:KjcRsOvabismYgu9m/BU7tbZJQ
Threatray 2'269 similar samples on MalwareBazaar
TLSH T19484E02E97DB86A3CA7527FB04B677241F92E4762937D35B188624484863BF93F007C2
File icon (PE):PE icon
dhash icon c88cc8c8982850f8 (18 x AgentTesla, 16 x AveMariaRAT, 1 x RedLineStealer)
Reporter GovCERT_CH
Tags:AveMariaRAT exe WarzoneRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RDPWrap
Create hunting rule
Link:
https://www.capesandbox.com/analysis/245962/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/621e65c5b94fb38cb430c311/reports/8be6152d-a570-4d8f-abe8-a8d823b10d1e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05d3ef2c-fd39-4800-bdc2-4c5cf5264b54
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/948488
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75a25fe05bbcefe44a5965015d178374e74b2d2be3ec2fba5d15cf37dc93df20/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-03-01 18:28:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=owrf7yc3xtx6isszmuav2f4dottuwljl4pwc7os5cxhtpxet34qa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
364aedff57905c2b2828c999f3d08db45d75854cd0beb44f3331dff02714e03c
AveMariaRAT
489a2e9c82e83a219e62ded379b4dd8323be026889a3453bc97f0cca67a8828d
AveMariaRAT
649acc4a8ec45c2b3d6e217e3818db8174eb3a3bd923d8b907f6164fd42bb751
AveMariaRAT
6c50f2ce4c1837beeeae5f03ae740dc759955eabb63ef41bda72bc89312657c8
AveMariaRAT
85b125dd1a4f4b71bee8596b964c5b0d6e40c9f179fba745d0e10e2c637f7f64
AveMariaRAT
9454554ff02715a0e17bde7743b9fa2eb0795058d02c178b148d2c090396dfba
AveMariaRAT
995c82e7ea2a4f8882876f17fe0e3cacb47860744d48f250bdee6a7e9b01f0f7
AveMariaRAT
a097de1f208326efba15c15db8abd10aae2cf392d90c5207c18aa79ec14255a9
AveMariaRAT
e961ac85380ccd346de98c4a55e10b837b9a77b7d31ec7a312b61b484e32c932
AveMariaRAT
+ 2'259 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/220301-w4bk4acgap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
185.156.175.51:64832
Unpacked files
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/4cceee01-0380-4b05-b2a1-1def7227f400/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/4cceee01-0380-4b05-b2a1-1def7227f400/
SH256 hash:
3b4841b788ef4c6275b3b9ff5cb1d4d17b7a3ec2fa26f9c2db4b505f7c5d1b06
MD5 hash:
2258b010b783443ffc905dd875c759b5
SHA1 hash:
bc08a1e513d74b21830e04b73662eb7d0051d205
Link:
https://www.unpac.me/results/4cceee01-0380-4b05-b2a1-1def7227f400/
SH256 hash:
c9978912440e98fcd830dd066a0028fcc23cb025e0460d991b95f90f2f73ccb8
MD5 hash:
1371d297a1e1f4bbff9ec0589992bf13
SHA1 hash:
50e4c95d86f2aab46b43779d1c8db0f178601a4b
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/4cceee01-0380-4b05-b2a1-1def7227f400/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/4cceee01-0380-4b05-b2a1-1def7227f400/
SH256 hash:
75a25fe05bbcefe44a5965015d178374e74b2d2be3ec2fba5d15cf37dc93df20
MD5 hash:
3346c56f56dd3704fae1702388f0dcab
SHA1 hash:
acf58fee939957b9dbb8df32b2024377328c7b4d
Link:
https://www.unpac.me/results/4cceee01-0380-4b05-b2a1-1def7227f400/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/75a25fe05bbc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/75a25fe05bbcefe44a5965015d178374e74b2d2be3ec2fba5d15cf37dc93df20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 75a25fe05bbcefe44a5965015d178374e74b2d2be3ec2fba5d15cf37dc93df20

(this sample)

  
Dropped by
warzonerat
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/245962/

Comments