MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7edfa955033153759fc3f3f8e198e3a675e5376cc2a25031ae4f0df1b66cfd07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7edfa955033153759fc3f3f8e198e3a675e5376cc2a25031ae4f0df1b66cfd07
SHA3-384 hash: 9c403e4d5afaec0b2012bfb6921ff3cbcf34afdfa291ac9f4f6f3bdb6ed2d0ca409532f1b575d894fdf154cb8404e3b7
SHA1 hash: 159cb64a0e1f5424163ed371d33cf5b76f37cae2
MD5 hash: 74382612d6ee3a1bbd696f3f12fb98eb
humanhash: floor-johnny-skylark-eleven
File name:74382612d6ee3a1bbd696f3f12fb98eb.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:216'064 bytes
First seen:2022-09-22 15:00:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 69 x LummaStealer, 61 x Rhadamanthys)
ssdeep 3072:QBuGag041K5GWp1icKAArDZz4N9GhbkrNEk13rfn59hr1aQ/vAoGCY0NEZGj3NM:thLp0yN90QE4Xd1aQ/vNGCSO3O
TLSH T16B24DF0263E440F6E4BA53B099F707439E32BCA59AB8C76F1391D95E0E33651BA32717
TrID 83.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
AveMariaRAT C2:
159.223.57.212:4110

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
159.223.57.212:4110 https://threatfox.abuse.ch/ioc/851109/

Intelligence

File Origin
# of uploads :
1
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
74382612d6ee3a1bbd696f3f12fb98eb.exe
Verdict:
No threats detected
Analysis date:
2022-09-22 15:01:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e506ae13-43a7-4911-8851-77e0bd45f205

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/312379/
Detection(s):
Win.Malware.AveMaria-8799014-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38481/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
advpack.dll explorer.exe packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/632c78b6865ed83c011e0d3a/reports/71b3e0b2-e05b-41cc-bf35-812680929251/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dfe94d7a-fba4-4716-8d16-c444bcfa384a
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075390
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Drops PE files to the document folder of the user
Drops PE files with benign system names
Found evasive API chain checking for user administrative privileges
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 707933 Sample: TrM892WqR2.exe Startdate: 22/09/2022 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 7 other signatures 2->62 9 TrM892WqR2.exe 1 3 2->9         started        13 rundll32.exe 2->13         started        process3 file4 40 C:\Users\user\AppData\Local\...\explorer.exe, PE32 9->40 dropped 72 Drops PE files with benign system names 9->72 15 explorer.exe 4 4 9->15         started        19 powershell.exe 14 15 9->19         started        signatures5 process6 dnsIp7 42 C:\Users\user\Documents\explorer.exe, PE32 15->42 dropped 48 Antivirus detection for dropped file 15->48 50 Multi AV Scanner detection for dropped file 15->50 52 Drops PE files to the document folder of the user 15->52 54 9 other signatures 15->54 22 explorer.exe 2 15->22         started        26 powershell.exe 20 15->26         started        44 sheet.duckdns.org 159.223.57.212, 4110, 49711, 49712 CELANESE-US United States 19->44 28 conhost.exe 19->28         started        file8 signatures9 process10 dnsIp11 46 sheet.duckdns.org 22->46 64 Antivirus detection for dropped file 22->64 66 System process connects to network (likely due to code injection or exploit) 22->66 68 Multi AV Scanner detection for dropped file 22->68 70 10 other signatures 22->70 30 cmd.exe 1 22->30         started        32 powershell.exe 22->32         started        34 conhost.exe 26->34         started        signatures12 process13 process14 36 conhost.exe 30->36         started        38 conhost.exe 32->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7edfa955033153759fc3f3f8e198e3a675e5376cc2a25031ae4f0df1b66cfd07/
Threat name:
Win64.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-09-22 15:01:08 UTC
File Type:
PE+ (Exe)
Extracted files:
38
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p3p2svidgfjxlh6d6p4odghduz26kn3mykrfamnoj4g7dntm7udq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/220922-sdwa2afecl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
sheet.duckdns.org:4110
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9455cf64-6a81-41df-a2a5-c42a6e8a274d
Unpacked files
SH256 hash:
7edfa955033153759fc3f3f8e198e3a675e5376cc2a25031ae4f0df1b66cfd07
MD5 hash:
74382612d6ee3a1bbd696f3f12fb98eb
SHA1 hash:
159cb64a0e1f5424163ed371d33cf5b76f37cae2
Link:
https://www.unpac.me/results/316cea76-ab3c-470b-9905-4a2b8aa30a4f/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7edfa9550331/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7edfa955033153759fc3f3f8e198e3a675e5376cc2a25031ae4f0df1b66cfd07

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 7edfa955033153759fc3f3f8e198e3a675e5376cc2a25031ae4f0df1b66cfd07

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2310046/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/312379/

Comments