MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7666415f1d2f03e6a14e4f058b012ec6ed4a77cd3ecd1398817b2ac97b25cbc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7666415f1d2f03e6a14e4f058b012ec6ed4a77cd3ecd1398817b2ac97b25cbc5
SHA3-384 hash: 3f93ccb1e21e8a1be35a618ed4c059f9bb00622f545a65a7753046cfebdd2acd12e832802a512ad61232b93d782b1fae
SHA1 hash: b1cfa49c4ac292f26cd04c1442eb2d7bcffc3e0a
MD5 hash: 0f30923fef1943c6444512e4da3987d4
humanhash: tango-sink-ink-floor
File name:ORDER ENQUIRY 22.11.21.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:988'160 bytes
First seen:2022-11-21 06:40:20 UTC
Last seen:2022-11-27 13:17:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:0pn3wdfEYxdAXYVWYc0Lsz33ygpjbh4+L74mBfNUstzo:yn2fbdAXY8Y9L43yg
TLSH T197256B4F2A7FDEF0EA245DFB221557039D3651DABE8ACA7887944BC620F1B0C5B70825
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
AveMariaRAT C2:
85.31.46.94:5353

Intelligence

File Origin
# of uploads :
3
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
ORDER ENQUIRY 22.11.21.exe
Verdict:
Malicious activity
Analysis date:
2022-11-21 06:41:35 UTC
Tags:
trojan rat remcos stealer keylogger avemaria warzone
Link:
https://app.any.run/tasks/8d411437-0bf4-4012-86be-c6e1aa488aed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336586/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1617.21784.26368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637b1d7f903ba0eaf36cc908/reports/e0730b98-fe8b-407c-8a9c-b91923569b1f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a00a3378-d4e8-4ea5-bb17-09d44aadf723
Result
Threat name:
Remcos, AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1117837
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Remcos RAT
Yara detected UACMe UAC Bypass tool
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 750549 Sample: ORDER ENQUIRY 22.11.21.exe Startdate: 21/11/2022 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 14 other signatures 2->61 10 ORDER ENQUIRY 22.11.21.exe 3 2->10         started        process3 file4 37 C:\Users\...\ORDER ENQUIRY 22.11.21.exe.log, ASCII 10->37 dropped 73 Injects a PE file into a foreign processes 10->73 14 ORDER ENQUIRY 22.11.21.exe 2 18 10->14         started        signatures5 process6 dnsIp7 47 valvesco.duckdns.org 85.31.46.94, 49696, 49697, 49698 CLOUDCOMPUTINGDE Germany 14->47 49 geoplugin.net 178.237.33.50, 49699, 80 ATOM86-ASATOM86NL Netherlands 14->49 39 C:\Users\user\AppData\Local\Temp\dwn.exe, PE32 14->39 dropped 41 C:\ProgramData\remcos\logs.dat, data 14->41 dropped 51 Maps a DLL or memory area into another process 14->51 53 Installs a global keyboard hook 14->53 19 dwn.exe 3 14->19         started        22 ORDER ENQUIRY 22.11.21.exe 1 14->22         started        24 ORDER ENQUIRY 22.11.21.exe 1 14->24         started        26 25 other processes 14->26 file8 signatures9 process10 dnsIp11 63 Machine Learning detection for dropped file 19->63 65 Injects a PE file into a foreign processes 19->65 29 dwn.exe 19->29         started        67 Tries to steal Instant Messenger accounts or passwords 22->67 69 Tries to steal Mail credentials (via file / registry access) 22->69 43 192.168.2.1 unknown unknown 26->43 71 Tries to harvest and steal browser information (history, passwords, etc) 26->71 signatures12 process13 dnsIp14 45 valvesco.duckdns.org 29->45 75 Writes to foreign memory regions 29->75 77 Allocates memory in foreign processes 29->77 79 Increases the number of concurrent connection per server for Internet Explorer 29->79 81 3 other signatures 29->81 33 cmd.exe 29->33         started        signatures15 process16 process17 35 conhost.exe 33->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7666415f1d2f03e6a14e4f058b012ec6ed4a77cd3ecd1398817b2ac97b25cbc5/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-11-21 01:05:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
24 of 26 (92.31%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oztecxy5f4b6nikoj4cywajoy3wuu56nh3grhgebpmvms6zfzpcq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
remcos
Create hunting rule
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:warzonerat botnet:new rem stub collection infostealer rat spyware stealer
Link:
https://tria.ge/reports/221121-hfr2aabf6y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Warzone RAT payload
Remcos
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
valvesco.duckdns.org:5050
valvesco.duckdns.org:5353
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bbff57aa-18ba-485e-95e1-132c79434c8a
Unpacked files
SH256 hash:
c289ec2f57b341220c33145c8b6474d1011d387ab39dacb7b17d69c359548448
MD5 hash:
bd2adeed00397e7545a539d761458af9
SHA1 hash:
b5a1cbca39c6923308f914accf611771996f7097
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/d5d81968-369f-42eb-8e99-c76f4b578317/
Parent samples :
b6ebe092221b9cb70949480fbc97133fa1e408c657150bb50c41171321b2fb73
788a6a0d67e10a4235043d0f12cc5841ab77bac0518842aea964e720318f674d
dbdfdfd7484f894b17543d60c28c96c570e5f4fb61fc26a7fa6d87b68b3d2831
383f6ffeb727943af4e96cc93ab2615b14fd8b09c7e376aebc455ef82913f07f
d4bee566c89c0e8c89f0539d2d49279f844317c54ee3216c049f038b773de8dc
2fd70cf5a6097502fb9123e63b6674666134a56927943bc8b7d79dc00bb7c02d
f851ccd89ef8f8e28648ff600789364e9caf5c522a5e7238cee619a229cc821d
5542dd26db06cbc6b03f1323db7ff6792a69bcf3dcd6a6c978b91018c7f0a0ee
2068d6dc1ef76f480e3fefd9fb239555d5f136c6c94d35232c273414ef4531f6
d99b0d328a7e19981cc4e1dcfbdeb336c84577a020bd4a84d72d28a7930282ea
84eedf1c6f0b09177547e350d6bb53ee3b84aa48878f8f9d9135fdc69faa3535
0ac5715dbbb22286a1cc79fe33377cd2dcb71ac6ad5d876da8e938684e7d7cf8
8791b0b7f4a499d66dbbc5b41ea20cb13af614bdc62e62392bf041065e9ddb0f
d6ee6bb4bf80fe883da0a277b1f1f12fb40c00d4893cfff05060b1ebf4a5ca96
aeb68306ca8e87ec5421349055053758fe1dcb293f75aac568b6b1752c1ab631
72333871ff2e5b9a7ae7e7c11af0c2ccbac7ac53bb60976cf0bcdfabceb5059f
869b27dcb4475a95c0af50db49fad8c40730df5464a5c5482032ce5ffc578feb
7666415f1d2f03e6a14e4f058b012ec6ed4a77cd3ecd1398817b2ac97b25cbc5
8e2730f5984afe0586003190249b7c9e5c51a3ef2ba0c2194db5dcd21242c20b
1e48f5be58b577bc76423894dadf647800f1da1afab2f3c1c82c08f3b66b4981
SH256 hash:
00e235f40a9e794b9d6cb9fb9244e321a4e632951bdb809044b0e2af07b98d35
MD5 hash:
48c6f000da9a80f92b48ef6099fa8a37
SHA1 hash:
9b43df5e56005d1ee03f16ff02f26e76272aca7c
Link:
https://www.unpac.me/results/d5d81968-369f-42eb-8e99-c76f4b578317/
SH256 hash:
7f272c4db499b1501a5ea1711d23de0e6a0c07faf16275e9b01722dae889c7c9
MD5 hash:
dd8b9511dda8eb7c84e1621046828883
SHA1 hash:
7f715270ffcadcba5c3148d2a0cecfaaf6c2e805
Link:
https://www.unpac.me/results/d5d81968-369f-42eb-8e99-c76f4b578317/
SH256 hash:
1775a87a2b7b47165e687a1b8294f097af0f59766d589b421e157d6c8225dd7a
MD5 hash:
7b2985df62e1d82bd0699dad05a57697
SHA1 hash:
3a06103fb5cbf28159aaf57525fbeeb0b2db85c4
Link:
https://www.unpac.me/results/d5d81968-369f-42eb-8e99-c76f4b578317/
SH256 hash:
4468fbc3ea5d9bf4227ad3efbeb5405b263acea2f5e195b482cdd60fade053b7
MD5 hash:
84525d84d582538c10c94913874cedf7
SHA1 hash:
01967c0cb64f04a476a41f95cb39722ae5dbfefb
Link:
https://www.unpac.me/results/d5d81968-369f-42eb-8e99-c76f4b578317/
SH256 hash:
7666415f1d2f03e6a14e4f058b012ec6ed4a77cd3ecd1398817b2ac97b25cbc5
MD5 hash:
0f30923fef1943c6444512e4da3987d4
SHA1 hash:
b1cfa49c4ac292f26cd04c1442eb2d7bcffc3e0a
Link:
https://www.unpac.me/results/d5d81968-369f-42eb-8e99-c76f4b578317/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7666415f1d2f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/7666415f1d2f03e6a14e4f058b012ec6ed4a77cd3ecd1398817b2ac97b25cbc5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/336586/

Comments