MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 799ad611c58e732adb2d296f4f4050b9d7b869ab34272ae51fc2c1c818be33f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AveMariaRAT
Vendor detections: 13
| SHA256 hash: | 799ad611c58e732adb2d296f4f4050b9d7b869ab34272ae51fc2c1c818be33f1 |
|---|---|
| SHA3-384 hash: | abf38224066e4fd479243daf089c23d3e16e1fd15c00b85697eb97898919b393bfb5326d3199c376cb3ba5cbfc63f6db |
| SHA1 hash: | b9bdac42c7586560337dc85bceea2d6cd5238bc8 |
| MD5 hash: | e0add3edafa9192c3fa09224517fe66a |
| humanhash: | early-green-kilo-pizza |
| File name: | e0add3edafa9192c3fa09224517fe66a |
| Download: | download sample |
| Signature | AveMariaRAT |
| File size: | 844'288 bytes |
| First seen: | 2022-02-02 10:53:55 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 854d5095b28b9ad272060d4d463a6c99 (2 x NetWire, 2 x Formbook, 1 x AveMariaRAT) |
| ssdeep | 12288:klwxOYgJ9j9s1sve0B3FWZRb8uno+IbjlqV7buNlpl1+ZUR3:k+0z9j9isve0BcZx8uoj87SNlpTCUR3 |
| Threatray | 2'613 similar samples on MalwareBazaar |
| TLSH | T1EB05A0A3B1C0857ECB2B1AB5AE1FC1D87915FD645E1CA50A3FD92D180FB93812825ED3 |
| File icon (PE): |  |
| dhash icon | 63111616171fffee (13 x Formbook, 5 x RemcosRAT, 3 x AveMariaRAT) |
| Reporter |  zbetcheckin |
| Tags: | 32 AveMariaRAT exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
6/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
control.exe keylogger
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Verdict:
Malicious
Result
Threat name:
AveMaria DBatLoader UACMe
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Threat name:
Win32.Trojan.Delf
Status:
Malicious
First seen:
2022-02-02 09:34:49 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
22 of 28 (78.57%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
avemaria
Similar samples:
+ 2'603 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Score:
10/10
Tags:
family:warzonerat infostealer persistence rat
Behaviour
Checks processor information in registry
Suspicious use of WriteProcessMemory
Adds Run key to start application
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
152.67.253.163:5300
Unpacked files
SH256 hash:
d56dcedfe9f4d0a030a551f94424ce1948fb419d114429019e2c0b769b7bfcf7
MD5 hash:
0c0de81954d7c4ac102c28514739efb7
SHA1 hash:
1820e2812b38be4bdbe40349d05e65c9f81f4a60
Detections:
win_dbatloader_w0
Parent samples :
074991cefc03a7683cb3c81e83c383010f45c130fdc6dafa13469bfffaf87867
15697b64ded63ae55e1a224cb4309a49a9cc475ae98f0ddfa951804afc3ee32e
ac24ac478aaa88087714b8249c93d92d5edbc511bdb04c6b623479ed8fc6c8de
527036f9e449de86dc23ca03f80ea7da2d0ee7d7752203bbfad4ffb9237a19a8
b054b0a613909898688c3a25ebc355d1e62289641b1103fa4d1defb1c04aa9a2
69142989b11074332c57d4f64b2ce684dbc998af67928c3f38a2f7a6b05644c0
28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1
aac09011a3c3e7adce5c2fa1672b428d6a565993641bf350dd65f8c0319dbfd8
09effc5108b5ca6e852a9712180ad493ad2e4aa5e3693056953583fbce18cf92
fcdf1e07c91a675bb415f4406e709795964d3a177e6c6afc68437be8f6013d6a
8dcd0243ce72784ad2782b0021d6692133fe314cdd1cf7b44ded3ac7c04b36b0
b324d1babd989b4a671dff38634d8eaba21673730315b40f2005b28c4732a5b6
799ad611c58e732adb2d296f4f4050b9d7b869ab34272ae51fc2c1c818be33f1
e576b18c7eb5581bb16e0e0f9e69b2f1462b491669a2a82d0fb6df7e55f7b3cc
1108f751687ce7947a548233e2c57fc9d2bdc71df78fb757d3d8c7820ddbbe90
3245f88de02600ae1053fa8260fa02a63e46bf9d8f50aeba8ceea66b7b6488a5
4877dd469af0e1ac31efa295325a3024d10abdc0a7eeaf74fe5b4eb9d0518bd9
c180bb8451472fc5931d0dc3aac6ef18ca417665b958d1480dd0787ba3de238a
09be7801c1d01256f48f6c72beb080dc5947487b3e54260a2d5b16ad127e5091
b1d4e3af02c434b479ff7305d57cb5d1e64a6411fe4cc5d5335cc4eb5e7cf8f4
568cfb6f770f6fbec1f18595bb78183e1fb5d2e7086f747230f2706ce29ed381
cc455bbac9ab070aa72fb73ea9dea1215cae08f8d14fb45b9f86468e27a3a20b
51673b1856a0e3342e6ecb4dabdddbeb84ae4323de1e1f8b9da92eab74cc2758
23d09e266528b3ffbd4fc656743303461b9c8a5780d02e28b666243406915401
a75badb1c9ed280cc239b0d7659799d31cf2c63c609667c69a0e5d9d06d53896
74d2b78e8ac7268cf8c0c1b97aa0ea37fde7945cd1867587f3c9de7a898d7f74
8b7ae9f195b075a789d6d8277d500d27754bfa3c53ecca8db7beac8ccd07884f
f677570815857242b83340d50410dfbc9da7d77b87dff3ce887b0cf47b16095e
0f93f8bfa92a0387d3076d636200ce5a4f474a1bfaf591d17c40111816c4de8b
5f079a7612eb05e8574d8604154ea233b8da905cc59ba6fbaa4485c99fc2933e
31fa37041b3f218ac8e44e16ae4bc549e962ce1cda58a1df870179ee94ed1753
60bf53eb4a1c93e2956fb3bb5f60a18579aeb270206ce6c4a3b32c6c4e9165d2
3de53b4ea3e4c8c8522ca9fc9d38a1556cf645298b0fe18c937b0f307dba129f
36d637499adcbc01c5783e66b5d9a2678426c7e8265087b8db47a002816d6fd4
2179647ebf96503deb5fae78827c5d99757f2926f0226cb5a6e4181e2f0c1a07
98e33ebe79b9c93602af7b79bb4f3f63c2f3c1417b1c41be6e814a9930e43b3e
faa817223ef389f3ee864d27cf1ec44f2c09b51686b0957cd344fe18e5144635
ee66580c236649c4fa02f530ea8c5bd2eecc290e46d5a562bae98858ba1bc893
ea222f4ca18d4bd57e605742a68c0f6b40436d9219700a75ade966e9488db34e
177b480007813a30ee6c8e267b76848fe9f66b11557eb3e7422e680b46368b03
aa38c8327df5d1755de504ea0eccf988a34c786d80f0becb3e99491527289089
edae9d57ca54a66ec71baef31fff690098c5196b44f1140f897f3bc02caeef1c
5c8973990d63bf969c6fca63d2856c35641d63774d3b362123059fbb5a74a578
be910ed7df930a3d74f01ac74e72f8c3ed89d791f29b731cb2076d632b6ce9cd
10b8fbcea2f59c78bdbf498297dbbe4c8156f80b371bf1bee8cedd196e911d27
a0c5d20304a9b2339bd9ed8ec0eca757bb7f69fecc7167857600cf4853f7b2c2
15697b64ded63ae55e1a224cb4309a49a9cc475ae98f0ddfa951804afc3ee32e
ac24ac478aaa88087714b8249c93d92d5edbc511bdb04c6b623479ed8fc6c8de
527036f9e449de86dc23ca03f80ea7da2d0ee7d7752203bbfad4ffb9237a19a8
b054b0a613909898688c3a25ebc355d1e62289641b1103fa4d1defb1c04aa9a2
69142989b11074332c57d4f64b2ce684dbc998af67928c3f38a2f7a6b05644c0
28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1
aac09011a3c3e7adce5c2fa1672b428d6a565993641bf350dd65f8c0319dbfd8
09effc5108b5ca6e852a9712180ad493ad2e4aa5e3693056953583fbce18cf92
fcdf1e07c91a675bb415f4406e709795964d3a177e6c6afc68437be8f6013d6a
8dcd0243ce72784ad2782b0021d6692133fe314cdd1cf7b44ded3ac7c04b36b0
b324d1babd989b4a671dff38634d8eaba21673730315b40f2005b28c4732a5b6
799ad611c58e732adb2d296f4f4050b9d7b869ab34272ae51fc2c1c818be33f1
e576b18c7eb5581bb16e0e0f9e69b2f1462b491669a2a82d0fb6df7e55f7b3cc
1108f751687ce7947a548233e2c57fc9d2bdc71df78fb757d3d8c7820ddbbe90
3245f88de02600ae1053fa8260fa02a63e46bf9d8f50aeba8ceea66b7b6488a5
4877dd469af0e1ac31efa295325a3024d10abdc0a7eeaf74fe5b4eb9d0518bd9
c180bb8451472fc5931d0dc3aac6ef18ca417665b958d1480dd0787ba3de238a
09be7801c1d01256f48f6c72beb080dc5947487b3e54260a2d5b16ad127e5091
b1d4e3af02c434b479ff7305d57cb5d1e64a6411fe4cc5d5335cc4eb5e7cf8f4
568cfb6f770f6fbec1f18595bb78183e1fb5d2e7086f747230f2706ce29ed381
cc455bbac9ab070aa72fb73ea9dea1215cae08f8d14fb45b9f86468e27a3a20b
51673b1856a0e3342e6ecb4dabdddbeb84ae4323de1e1f8b9da92eab74cc2758
23d09e266528b3ffbd4fc656743303461b9c8a5780d02e28b666243406915401
a75badb1c9ed280cc239b0d7659799d31cf2c63c609667c69a0e5d9d06d53896
74d2b78e8ac7268cf8c0c1b97aa0ea37fde7945cd1867587f3c9de7a898d7f74
8b7ae9f195b075a789d6d8277d500d27754bfa3c53ecca8db7beac8ccd07884f
f677570815857242b83340d50410dfbc9da7d77b87dff3ce887b0cf47b16095e
0f93f8bfa92a0387d3076d636200ce5a4f474a1bfaf591d17c40111816c4de8b
5f079a7612eb05e8574d8604154ea233b8da905cc59ba6fbaa4485c99fc2933e
31fa37041b3f218ac8e44e16ae4bc549e962ce1cda58a1df870179ee94ed1753
60bf53eb4a1c93e2956fb3bb5f60a18579aeb270206ce6c4a3b32c6c4e9165d2
3de53b4ea3e4c8c8522ca9fc9d38a1556cf645298b0fe18c937b0f307dba129f
36d637499adcbc01c5783e66b5d9a2678426c7e8265087b8db47a002816d6fd4
2179647ebf96503deb5fae78827c5d99757f2926f0226cb5a6e4181e2f0c1a07
98e33ebe79b9c93602af7b79bb4f3f63c2f3c1417b1c41be6e814a9930e43b3e
faa817223ef389f3ee864d27cf1ec44f2c09b51686b0957cd344fe18e5144635
ee66580c236649c4fa02f530ea8c5bd2eecc290e46d5a562bae98858ba1bc893
ea222f4ca18d4bd57e605742a68c0f6b40436d9219700a75ade966e9488db34e
177b480007813a30ee6c8e267b76848fe9f66b11557eb3e7422e680b46368b03
aa38c8327df5d1755de504ea0eccf988a34c786d80f0becb3e99491527289089
edae9d57ca54a66ec71baef31fff690098c5196b44f1140f897f3bc02caeef1c
5c8973990d63bf969c6fca63d2856c35641d63774d3b362123059fbb5a74a578
be910ed7df930a3d74f01ac74e72f8c3ed89d791f29b731cb2076d632b6ce9cd
10b8fbcea2f59c78bdbf498297dbbe4c8156f80b371bf1bee8cedd196e911d27
a0c5d20304a9b2339bd9ed8ec0eca757bb7f69fecc7167857600cf4853f7b2c2
SH256 hash:
799ad611c58e732adb2d296f4f4050b9d7b869ab34272ae51fc2c1c818be33f1
MD5 hash:
e0add3edafa9192c3fa09224517fe66a
SHA1 hash:
b9bdac42c7586560337dc85bceea2d6cd5238bc8
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AveMaria |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies AveMaria aka WarZone RAT. |
| Rule name: | AveMaria_WarZone |
|---|
| Rule name: | ave_maria_warzone_rat |
|---|---|
| Author: | jeFF0Falltrades |
| Rule name: | Codoso_Gh0st_1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Codoso APT Gh0st Malware |
| Reference: | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks |
| Rule name: | Codoso_Gh0st_1_RID2C2D |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Codoso APT Gh0st Malware |
| Reference: | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks |
| Rule name: | Codoso_Gh0st_2 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Codoso APT Gh0st Malware |
| Reference: | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks |
| Rule name: | Codoso_Gh0st_2_RID2C2E |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Codoso APT Gh0st Malware |
| Reference: | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables embedding command execution via IExecuteCommand COM object |
| Rule name: | MALWARE_Win_AveMaria |
|---|---|
| Author: | ditekSHen |
| Description: | AveMaria variant payload |
| Rule name: | MALWARE_Win_WarzoneRAT |
|---|---|
| Author: | ditekSHen |
| Description: | Detects AveMaria/WarzoneRAT |
| Rule name: | MAL_Envrial_Jan18_1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Encrial credential stealer malware |
| Reference: | https://twitter.com/malwrhunterteam/status/953313514629853184 |
| Rule name: | MAL_Envrial_Jan18_1_RID2D8C |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Encrial credential stealer malware |
| Reference: | https://twitter.com/malwrhunterteam/status/953313514629853184 |
| Rule name: | RDPWrap |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies RDP Wrapper, sometimes used by attackers to maintain persistence. |
| Reference: | https://github.com/stascorp/rdpwrap |
| Rule name: | win_ave_maria_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.ave_maria. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://20.51.217.113/vv/dcs.exe