MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7aa7c19de5eaa2409006038a7d0d7423dd0c7d9b3d9514ffb8d790e4fdc51d2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7aa7c19de5eaa2409006038a7d0d7423dd0c7d9b3d9514ffb8d790e4fdc51d2c
SHA3-384 hash: c8c2c27343126c8f7704f402e3fd6b0e6b0c0b9c8e24a9fe866d362144e944968b89c9a4e085cd003ac7fc6bf40c0601
SHA1 hash: f9f68f691644f7be60128ede3005699e7d6f4941
MD5 hash: 15833f92c23ba3afbba0f4f273274452
humanhash: juliet-east-lactose-batman
File name:15833f92c23ba3afbba0f4f273274452
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:2'468'352 bytes
First seen:2024-11-01 23:32:31 UTC
Last seen:2024-11-02 01:20:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8d8bd43b8986aa50a374d1412396c73b (1 x LummaStealer, 1 x AveMariaRAT)
ssdeep 49152:vslBubuANjnMenjn+TH2dfdWVOm+C8tNPd1Zyiu+vbFxqiedJBBmUdP:vslgb9lMkhd1WYmpktd1ZDvbTqRfBrdP
Threatray 1'534 similar samples on MalwareBazaar
TLSH T1ABB52303F6C3C0B3F79349B00F29DA59A42DBAB36B100DDBB15486548DA66E7C5B2927
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
461
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
15833f92c23ba3afbba0f4f273274452
Verdict:
No threats detected
Analysis date:
2024-11-01 23:34:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/40d61b87-25ee-4ff8-a434-4e73979cab00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.1987.32645.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672565338d23d90491329b36
Tags:
malware
Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/67256530b9dd804e948d9b35/reports/1232cb4b-06ca-43f9-89c9-1e91da2372c8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/7aa7c19de5eaa2409006038a7d0d7423dd0c7d9b3d9514ffb8d790e4fdc51d2c
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/78c49630-c576-48b0-88a9-687ac3aea64d
Result
Threat name:
LummaC, AveMaria, LummaC Stealer, UACMe
Create hunting rule
Detection:
malicious
Classification:
evad.phis.troj.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1547182
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Drops VBS files to the startup folder
Found evasive API chain checking for user administrative privileges
Found malware configuration
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
High number of junk calls founds (likely related to sandbox DOS / API hammering)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1547182 Sample: cPds84vxfC.exe Startdate: 02/11/2024 Architecture: WINDOWS Score: 100 62 seallysl.site 2->62 64 opposezmny.site 2->64 66 goalyfeastz.site 2->66 80 Suricata IDS alerts for network traffic 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 12 other signatures 2->86 11 cPds84vxfC.exe 1 2->11         started        14 wscript.exe 2->14         started        signatures3 process4 signatures5 110 Contains functionality to inject code into remote processes 11->110 112 Injects a PE file into a foreign processes 11->112 16 cPds84vxfC.exe 3 11->16         started        19 WerFault.exe 21 16 11->19         started        21 conhost.exe 11->21         started        114 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->114 23 CountOut.exe 14->23         started        process6 file7 52 C:\Users\user\AppData\...\b0MRpOU9Eo.exe, PE32 16->52 dropped 54 C:\Users\user\AppData\...\Zhziwe1FGm.exe, PE32 16->54 dropped 26 b0MRpOU9Eo.exe 4 16->26         started        30 Zhziwe1FGm.exe 1 16->30         started        56 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->56 dropped 102 Contains functionality to hide user accounts 23->102 104 Machine Learning detection for dropped file 23->104 106 Writes to foreign memory regions 23->106 108 Injects a PE file into a foreign processes 23->108 32 InstallUtil.exe 23->32         started        signatures8 process9 file10 58 C:\Users\user\AppData\Roaming\CountOut.exe, PE32 26->58 dropped 60 C:\Users\user\AppData\...\CountOut.vbs, ASCII 26->60 dropped 116 Contains functionality to hide user accounts 26->116 118 Machine Learning detection for dropped file 26->118 120 Drops VBS files to the startup folder 26->120 128 2 other signatures 26->128 34 InstallUtil.exe 3 2 26->34         started        122 Multi AV Scanner detection for dropped file 30->122 124 Injects a PE file into a foreign processes 30->124 126 LummaC encrypted strings found 30->126 38 Zhziwe1FGm.exe 30->38         started        40 WerFault.exe 19 16 30->40         started        42 conhost.exe 30->42         started        signatures11 process12 dnsIp13 68 162.230.48.189, 49720, 49721, 49729 ATT-INTERNET4US United States 34->68 88 Found stalling execution ending in API Sleep call 34->88 90 Contains functionality to inject threads in other processes 34->90 92 Increases the number of concurrent connection per server for Internet Explorer 34->92 100 2 other signatures 34->100 70 goalyfeastz.site 172.67.145.203, 443, 49722, 49724 CLOUDFLARENETUS United States 38->70 94 Query firmware table information (likely to detect VMs) 38->94 96 Tries to harvest and steal browser information (history, passwords, etc) 38->96 98 Tries to steal Crypto Currency Wallets 38->98 44 chrome.exe 38->44         started        signatures14 process15 dnsIp16 72 192.168.11.20, 137, 138, 1900 unknown unknown 44->72 74 239.255.255.250, 1900 unknown Reserved 44->74 47 chrome.exe 44->47         started        50 chrome.exe 44->50         started        process17 dnsIp18 76 www.google.com 142.250.80.100, 443, 49728, 49730 GOOGLEUS United States 47->76 78 142.251.35.164, 443, 49769 GOOGLEUS United States 50->78
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7aa7c19de5eaa2409006038a7d0d7423dd0c7d9b3d9514ffb8d790e4fdc51d2c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7aa7c19de5eaa2409006038a7d0d7423dd0c7d9b3d9514ffb8d790e4fdc51d2c/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2024-11-01 23:33:05 UTC
File Type:
PE (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pkt4dhpf5krebeagaofh2dluepoqy7m3hwkrj75y26ioj7ofduwa._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
04fe976406935bc0225304b1f6c0bb6edcd850b39ccd23a0ce8299ae4e0a8bc4
AveMariaRAT
0c81f7d71edf18ecab3266e864dfb4d6ff5cd1dfa860e0e429ae35863bbf7130
AveMariaRAT
11ff90a33d73be660d1408cf99f48baa9dbaf0d15572848a7a024aab03973476
AveMariaRAT
4462fe31398d14f44cbfc3cc31c3198a5bf6ca0a54225ef874c7cd6c1d31437c
AveMariaRAT
92a3d5b50db0cd8d8328faf9d2ce8f583d6fc20e81c03b1a99836bd58558a892
AveMariaRAT
956d35ea5fc53269ca00d84d9f765ca6e7bb33e30eb376c54c94eebc4f5b7ef9
AveMariaRAT
ecc79919e41b1ded8a01aa38ede45755f216d0f490c44f7e1386c9f140daa972
AveMariaRAT
error
AveMariaRAT
+ 1'524 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:warzonerat discovery infostealer rat stealer
Link:
https://tria.ge/reports/241101-3jtz9svmgt/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Executes dropped EXE
Warzone RAT payload
Lumma Stealer, LummaC
Lumma family
Suspicious use of NtCreateUserProcessOtherParentProcess
WarzoneRat, AveMaria
Warzonerat family
Malware Config
C2 Extraction:
162.230.48.189:56001
https://goalyfeastz.site/api
https://contemteny.site/api
https://dilemmadu.site/api
https://authorisev.site/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f71ddf81-6fbe-4ab3-af63-225b820bc7c6
Unpacked files
SH256 hash:
7aa7c19de5eaa2409006038a7d0d7423dd0c7d9b3d9514ffb8d790e4fdc51d2c
MD5 hash:
15833f92c23ba3afbba0f4f273274452
SHA1 hash:
f9f68f691644f7be60128ede3005699e7d6f4941
Link:
https://www.unpac.me/results/ec54c420-cc7e-4ec7-a0f9-4d11c4c35d54/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7aa7c19de5eaa2409006038a7d0d7423dd0c7d9b3d9514ffb8d790e4fdc51d2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 7aa7c19de5eaa2409006038a7d0d7423dd0c7d9b3d9514ffb8d790e4fdc51d2c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3270432/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments


Avatar
zbet commented on 2024-11-01 23:32:32 UTC

url : hxxp://45.149.241.37/z.exe