MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7661ca31ed888f3f84bb5897d3c9fbf8dbb62fb71429303da2301105dc18d7ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	7661ca31ed888f3f84bb5897d3c9fbf8dbb62fb71429303da2301105dc18d7ab
SHA3-384 hash:	44ed52c35059c41820c92ada4210dd84503ee7666199d52da041ba3280ae3eabf66d69951253d865c642e5cce73cfbc8
SHA1 hash:	13512faf41e2fe2b71ec7c450cda2cd88a85d6cd
MD5 hash:	69ef3ef3505b304fd574d977f24aa7bd
humanhash:	echo-utah-sierra-emma
File name:	Y03156-Payment-Inv0ice.vbs
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	1'600 bytes
First seen:	2021-08-16 15:15:07 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	24:rEEPdqnWahNwDJPpUI0I2rWGItUIZOIIIPITI3uFIJwIEIfILdgcjacdgcquU2bD:3+Ex2Ahn1wE+FIzhg3Nz
Threatray	3'721 similar samples on MalwareBazaar
TLSH	T163318F04703359D3EA06D42231A731DDBD312708AAFB8B71155EEA42AA40DFF9C5CAB7
Reporter	abuse_ch
Tags:	AveMariaRAT vbs

Intelligence

File Origin

# of uploads :

1

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/179593/

Detection(s):

SecuriteInfo.com.VB.Trojan.Valyria.5174.15920.31751.UNOFFICIAL

Result

Verdict:

MALICIOUS

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/833632

Signature

Creates an undocumented autostart registry key

Sigma detected: CrackMapExec PowerShell Obfuscation

VBScript performs obfuscated calls to suspicious functions

Wscript starts Powershell (via cmd or directly)

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7661ca31ed888f3f84bb5897d3c9fbf8dbb62fb71429303da2301105dc18d7ab/

Threat name:

Script-WScript.Trojan.Valyria

Status:

Malicious

First seen:

2021-08-16 15:16:08 UTC

AV detection:

4 of 46 (8.70%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ozq4umpnrcht7bf3lcl5hsp37dn3ml5xcqutapncgaiqlxay26vq._file

Verdict:

malicious

Label(s):

avemaria

nanocorerat

Similar samples:

620428519e13cbb1c4b3d71c1bce411bf3054e0501358f6b27cc92268d2f420b

7f1cd16cd2d2e5644752a3e0fd411c3902bad47051779d5bd539e9650f53787c

89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f

a0710f6483cebd22f615c3435ee70a971d490f15c9529c3f2450e3cb73d35a16

d1b19d456e97bede86d5bbe8c09b027b00c330e568c0474abb3e60ad154bc62d

f3ca0f6bff094ea564e6b6e7a9947dc6a7a63b1800ec11b64e4e58447cfa61c3

ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32

+ 3'711 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer persistence rat

Link:

https://tria.ge/reports/210816-ykb72q3g96/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Blocklisted process makes network request

Warzone RAT Payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

waromo6700.duckdns.org:6700

Dropper Extraction:

https://transfer.sh/1OWpiXl/bypass.txt

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7661ca31ed88/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7661ca31ed888f3f84bb5897d3c9fbf8dbb62fb71429303da2301105dc18d7ab

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/179593/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample