MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7aa19913253d9a036b10df1f8f0bdb25567edda11fe99050d85a47249142bec2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	7aa19913253d9a036b10df1f8f0bdb25567edda11fe99050d85a47249142bec2
SHA3-384 hash:	a46065c2c7696926dbab2b65adf8d84f0678ed66e7032ad8b758a2edc60b5ecefec961a72b2284552b60dab76ab57a87
SHA1 hash:	06dc707bd66f484f02a09ac21043c7078e3b6591
MD5 hash:	4fed1cf956ddf6883bbaa0d633937162
humanhash:	spaghetti-september-illinois-foxtrot
File name:	Axia Consult.docx_____________________________________________________________________________________________________________________________________________________________________.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	3'157'871 bytes
First seen:	2022-06-10 14:35:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep	49152:KyvSw3UZiOBvk+arQ3S+HNmw1MO6sqdDe7E3Qja1wsYdK2sDNyy6NNei0U:KyvfE4EslwHsoMOPqdDHRYdEQQU
Threatray	1'756 similar samples on MalwareBazaar
TLSH	T1A9E5331172C51031DE22287106EA7F30B93DBD615B28C6DBA3E46E2E1A701D1EB35B7B
TrID	89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.5% (.EXE) Win64 Executable (generic) (10523/12/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	TeamDreier
Tags:	AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

300

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

08e27b0e-ad33-4f9f-9edf-bd776e6e5190

Verdict:

Malicious activity

Analysis date:

2022-06-10 16:21:13 UTC

Tags:

warzone

Link:

https://app.any.run/tasks/dd84acc5-184c-4c62-a980-65a098e72678

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/278700/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.44081008.21193.10752.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Sending a custom TCP request

Searching for analyzing tools

Launching a process

DNS request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed setupapi.dll shdocvw.dll shell32.dll

Link:

https://www.filescan.io/uploads/62a356d673b91c38f67d7b9c/reports/c88f9d68-9383-47b2-8dd2-5f90b3b5f69f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/bd0dc6c9-030d-48a8-8678-41a3616369da

Result

Threat name:

AveMaria, UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1010919

Signature

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Found API chain indicative of debugger detection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Increases the number of concurrent connection per server for Internet Explorer

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Uses dynamic DNS services

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7aa19913253d9a036b10df1f8f0bdb25567edda11fe99050d85a47249142bec2/

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2022-06-10 14:36:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 41 (43.90%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pkqzsezfhwnag2yq34py6c63evlh5xnbd7uzaugyljdsjekcx3ba._file

Verdict:

malicious

AveMariaRAT

4bf7e42dbb9b672b3ad79dcece4dbf8a0ffdea5634ce7f6425d05b31ca1a92ff

AveMariaRAT

659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767

AveMariaRAT

ac0b18ae0851cf5cb499bdcba6bce5d260f114768425aeed65cf6086b27a323d

AveMariaRAT

b2114af6bb8149e6c3860e64aa47475e5c35726dcd8e28891caab5d04054f6d0

AveMariaRAT

beea56a23dafd425aa57b3b05cd4d44c7615633292b20fb9bb22e08469fa6634

AveMariaRAT

c404cc3a18e98ff81b63518df694118ecdec9948ce72f511cc828f93af5c4e7e

AveMariaRAT

db5d4a5090c7303616f88db08a22abc975804ae1abdef9740c208c004648255b

AveMariaRAT

+ 1'746 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat evasion infostealer rat themida trojan

Link:

https://tria.ge/reports/220610-ryj8tscbbk/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Themida packer

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Warzone RAT Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

banta.ddns.net:7200

Unpacked files

SH256 hash:

2f1e5bee1ae14b23471640e72bc733fade0229c7205c851ed0fc0ba4a2dc345c

MD5 hash:

6c09d5bdefd7369d7acbeef9bc6a9e4d

SHA1 hash:

ed560faa5562df68ab5c8eafea4ba8eb82cbe843

Link:

https://www.unpac.me/results/fd5075b0-7768-4a25-913a-0be346ba7f8d/

SH256 hash:

27f126ed1be90669a39d983b98ea0aad80b780d46a5423abb23b7aeaf990c3d5

MD5 hash:

57f8e455c117f33ad1c10f2895f3d781

SHA1 hash:

e193bb00a6b27290fac18b5b59078e729617f265

Link:

https://www.unpac.me/results/fd5075b0-7768-4a25-913a-0be346ba7f8d/

SH256 hash:

7aa19913253d9a036b10df1f8f0bdb25567edda11fe99050d85a47249142bec2

MD5 hash:

4fed1cf956ddf6883bbaa0d633937162

SHA1 hash:

06dc707bd66f484f02a09ac21043c7078e3b6591

Link:

https://www.unpac.me/results/fd5075b0-7768-4a25-913a-0be346ba7f8d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7aa19913253d9a036b10df1f8f0bdb25567edda11fe99050d85a47249142bec2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

exe 7aa19913253d9a036b10df1f8f0bdb25567edda11fe99050d85a47249142bec2

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/278700/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample