MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 841fc466a01841b07d66a4e99f2695592f9fc02c7bd24e5f3d74259a345d5110. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 841fc466a01841b07d66a4e99f2695592f9fc02c7bd24e5f3d74259a345d5110
SHA3-384 hash: 8debc6195b531c3433810384737071d3d36e1751ab15dd551893dbb8c451b30a9564f110784f4295c85806bcee125def
SHA1 hash: 98b76fd8b13e66e73215fc6f1f3b1d510d0d504d
MD5 hash: f97dd898670874b524df23d89dc6a12f
humanhash: kentucky-cat-two-thirteen
File name:f97dd898670874b524df23d89dc6a12f.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:26'960 bytes
First seen:2023-06-13 09:35:17 UTC
Last seen:2023-06-13 10:45:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 769adc189c80de1183a16ee3ab5f134a (2 x AveMariaRAT)
ssdeep 384:/T1sZrG2iPQWRErIYib+W42KKxPxh8E9VF0Ny5dF:/BsZa2mf+UYib+WnxPxWEj
Threatray 130 similar samples on MalwareBazaar
TLSH T1EAC22B62DBA85C21F95A8F7038E1C7749A357D604D90CACB321DBA1C0F703827AE477A
TrID 78.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.ICL) Windows Icons Library (generic) (2059/9)
1.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
AveMariaRAT C2:
103.179.142.121:5200

Intelligence

File Origin
# of uploads :
2
# of downloads :
315
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
f97dd898670874b524df23d89dc6a12f.exe
Verdict:
Malicious activity
Analysis date:
2023-06-13 09:38:14 UTC
Tags:
opendir stealer rat avemaria loader warzone
Link:
https://app.any.run/tasks/706af004-dd23-44e1-a51a-f2b5186508ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/398189/
Detection(s):
SecuriteInfo.com.Variant.Tedy.380556.23556.23506.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive overlay packed
Link:
https://www.filescan.io/uploads/64883884c6414862d206d6da/reports/e66d3fa1-2708-4873-8aef-0a94516586eb/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/841fc466a01841b07d66a4e99f2695592f9fc02c7bd24e5f3d74259a345d5110
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4020a6e3-9131-4e48-9863-5f03b7e30581
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253483
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected Generic Dropper
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 886503 Sample: 0JGu18wj46.exe Startdate: 13/06/2023 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic 2->37 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 12 other signatures 2->43 7 0JGu18wj46.exe 16 2->7         started        process3 dnsIp4 35 51.79.49.73, 49718, 80 OVHFR Canada 7->35 25 C:\Users\user\AppData\Local\...\Play[1].exe, PE32 7->25 dropped 27 C:\Users\Public\Videos\Play.exe, PE32 7->27 dropped 53 Adds a directory exclusion to Windows Defender 7->53 12 Play.exe 7->12         started        15 powershell.exe 21 7->15         started        file5 signatures6 process7 signatures8 55 Antivirus detection for dropped file 12->55 57 Multi AV Scanner detection for dropped file 12->57 59 Machine Learning detection for dropped file 12->59 61 3 other signatures 12->61 17 vbc.exe 3 2 12->17         started        21 WerFault.exe 23 9 12->21         started        23 conhost.exe 15->23         started        process9 dnsIp10 29 testing1212.ddns.net 103.179.142.121, 49720, 49724, 5200 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 17->29 31 backup1212.ddns.net 17->31 33 192.168.2.1 unknown unknown 17->33 45 Contains functionality to check if Internet connection is working 17->45 47 Contains functionality to inject threads in other processes 17->47 49 Contains functionality to steal Chrome passwords or cookies 17->49 51 4 other signatures 17->51 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/841fc466a01841b07d66a4e99f2695592f9fc02c7bd24e5f3d74259a345d5110/
Threat name:
Win32.Downloader.AveMariaRAT
Create hunting rule
Status:
Malicious
First seen:
2023-06-12 16:21:23 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
21 of 24 (87.50%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qqp4izvadba3a7lgutuz6juvlexz7qbmppje4xz5oqszunc5keia._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
438536b11aafa429cb30bcbcea58cdd24ec138c0e9986991d2869f259618d863
AveMariaRAT
5c60ec93028885f6319a52ad6ae0d4eaa08cec6a82cf8c7c62d7a060341a77a8
AveMariaRAT
6e294639b9e9dec345a4b9bdeb29bd5695ea2d84e0fa88633ece9e7e88ad2bb4
AveMariaRAT
918f09129def9a8720ce512b77e77161e01d76849f0c9b21ee127be1e6202ec4
AveMariaRAT
98a6a9d928a7950b00e180fb0a9aa8aaabd5a614125206d1cc2ccf4d2c0dc03e
AveMariaRAT
b20ad6c8dd8844751924260b1fdf4527d6ca6629d8df09140733e88a7eae9db7
AveMariaRAT
c18ffd59ba4e78061980e650dc6a2b6062f2829781ff7c061ba27f96cad60b5a
AveMariaRAT
db8e74fd99fe46308fc569bd02b4269d5392e3a991090c8de0d4d21cb9300e06
AveMariaRAT
+ 120 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/230613-lkw3ksff53/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
testing1212.ddns.net:5201
Unpacked files
SH256 hash:
841fc466a01841b07d66a4e99f2695592f9fc02c7bd24e5f3d74259a345d5110
MD5 hash:
f97dd898670874b524df23d89dc6a12f
SHA1 hash:
98b76fd8b13e66e73215fc6f1f3b1d510d0d504d
Link:
https://www.unpac.me/results/596a9e96-ff58-45d5-966f-abac17ffa55a/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/841fc466a018/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/841fc466a01841b07d66a4e99f2695592f9fc02c7bd24e5f3d74259a345d5110

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Windows_Trojan_AveMaria_31d2bce9
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 841fc466a01841b07d66a4e99f2695592f9fc02c7bd24e5f3d74259a345d5110

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2658968/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/398189/

Comments