MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79b178f16c3beec99f059c8f3f60953dd7a8bb5dfcb5302cf2b9edac59e9ef59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 19 File information Comments

SHA256 hash:	79b178f16c3beec99f059c8f3f60953dd7a8bb5dfcb5302cf2b9edac59e9ef59
SHA3-384 hash:	c06f7f055244331e2c01c75b41c1618d88465f5bce6dafed8e13d066da20d5c7d802ce24c9053c52d003e1a2e1ea75dd
SHA1 hash:	cb2df2b75d380a38137e3a84d39b4cc209c1fd81
MD5 hash:	266db8032c246c537e6a9a150387c9a5
humanhash:	delaware-low-social-aspen
File name:	bin_new.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	115'712 bytes
First seen:	2023-04-25 15:25:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	51a1d638436da72d7fa5fb524e02d427 (124 x AveMariaRAT, 1 x njrat)
ssdeep	1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01:K1VmhaH8EFvW+0OVE0
Threatray	3'192 similar samples on MalwareBazaar
TLSH	T179B39E13F7E54835F3B201B01ABD7E7ACBEDF9700628C49FA394858A2D31946E925397
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	malwarelabnet
Tags:	AveMariaRAT exe WarzoneRAT

Intelligence

File Origin

# of uploads :

# of downloads :

278

Origin country :

Vendor Threat Intelligence

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/384832/

Detection(s):

Win.Malware.AveMaria-8799014-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Setting a keyboard event handler

Creating a window

DNS request

Sending an HTTP GET request

Creating a file in the %AppData% directory

Reading critical registry keys

Creating a file in the %temp% directory

Searching for the window

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/81420/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm cmd.exe cobalt crypto dde evasive explorer.exe fingerprint gh0st greyware hacktool keylogger shell32.dll stealer

Link:

https://www.filescan.io/uploads/6447f10eb9bd3bd21cc0eb74/reports/bc87c5ee-c854-45d4-93e7-f7bf368099d6/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/79b178f16c3beec99f059c8f3f60953dd7a8bb5dfcb5302cf2b9edac59e9ef59

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AVE_MARIA

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8699a43c-55fa-4343-9fee-6cb2cef4fdce

Result

Threat name:

AveMaria, UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1220843

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to hide user accounts

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

warzone

Link:

https://mwdb.cert.pl/sample/79b178f16c3beec99f059c8f3f60953dd7a8bb5dfcb5302cf2b9edac59e9ef59/

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2023-04-25 15:26:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pgyxr4lmhpxmthyftsht6yevhxl2ro257s2talhsxhw2ywpj55mq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

8115050b039a64c67c668b93d1c7106f6ab758db5a037b4f08a46a39200d8c2b

AveMariaRAT

8277ded95ca557ee07ed92ce3460f4f9f28aa5e87486837968f4f893efa42e7c

AveMariaRAT

8ab6895551c1b4cb68242c164d4c78363b683554674c3231a405b663d0684485

AveMariaRAT

d1543ba4cb80a8be6b500b8a1d35a82e85197bc46db79430c8df2dc677054f48

AveMariaRAT

f24d707fa75b81ddd51ff597f98cd38951ce0558cd653b392bca75c15fdeb1ed

AveMariaRAT

+ 3'182 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat collection infostealer rat spyware stealer

Link:

https://tria.ge/reports/230425-st63gada2v/

Behaviour

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Program Files directory

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads user/profile data of web browsers

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

104.223.19.96:80

Unpacked files

SH256 hash:

79b178f16c3beec99f059c8f3f60953dd7a8bb5dfcb5302cf2b9edac59e9ef59

MD5 hash:

266db8032c246c537e6a9a150387c9a5

SHA1 hash:

cb2df2b75d380a38137e3a84d39b4cc209c1fd81

Detections:

Warzone

win_ave_maria_auto

win_ave_maria_g0

Link:

https://www.unpac.me/results/da872da3-2195-4cd3-9caf-b36e86ad406b/

Parent samples :

9d23ef1df51ca5f49d86bf9790e32a441525dadd86c3435658e51a012c51e3af
189d5e75f300e21f30ae87cef1c384a3e33e26b5546b8404090bffe3251d4a34
e67b8e186d6def3657f50903699a231bb16a97b73e9857da0382585e26851d60
b3010cac8bedcf678f523c8ac38194dbc083b5fb0a64306113326788afe3d9cc
79b178f16c3beec99f059c8f3f60953dd7a8bb5dfcb5302cf2b9edac59e9ef59

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/79b178f16c3b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/79b178f16c3beec99f059c8f3f60953dd7a8bb5dfcb5302cf2b9edac59e9ef59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	avemaria_rat_yhub Create hunting rule
Author:	Billy Austin
Description:	Detects AveMaria RAT a.k.a. WarZone

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2_RID2C2E Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	Windows_Trojan_AveMaria_31d2bce9 Create hunting rule
Author:	Elastic Security

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/384832/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample