MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85d3efd2f3f636a47f987c4277db089f475fa38997604ed82b01ad340987bb4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85d3efd2f3f636a47f987c4277db089f475fa38997604ed82b01ad340987bb4e
SHA3-384 hash: e03162a4fe47e1781b16b86238e191ee607cdeea5694c6145c2db5b5b02a542d15ebee26a2ebc1c091d90ba434a63e1f
SHA1 hash: 38a25cf4ee2f7a805fedd74d05b09188841f157d
MD5 hash: 9a5454c1b13bda7d2ba9fa3fcfee9f30
humanhash: yankee-twelve-georgia-six
File name:SPEC Quotation-78787767.rar
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:929'261 bytes
First seen:2021-12-08 16:46:57 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 24576:nT4T89wqjyOrEdWM8Dzxve/QiY5dNZ4aU+Ub87Ew:nC8xj4WMoeLQNZ4cUbSEw
TLSH T1A0153389BF8F3327B51117F469DA5FF9A6E33A2E25951B86381061E509C8A03DCF3065
Reporter cocaman
Tags:AveMariaRAT rar


Avatar
cocaman
Malicious email (T1566.001)
From: "sales@ge-industry.com" (likely spoofed)
Received: "from ge-industry.com (unknown [104.223.42.165]) "
Date: "08 Dec 2021 07:52:09 -0800"
Subject: "RE:RE:RE_Reply:_RE_:_RFQ_No.Order 8200004038_DAIDO-2021-QPE-Q63440093-0001_//SPEC._A-5555-1239_&_A-5004-0808"
Attachment: "SPEC Quotation-78787767.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61b0e1894d8e6f3a5e19cbd6/reports/90647af4-c166-463f-98b7-3c4dce6fe941/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85d3efd2f3f636a47f987c4277db089f475fa38997604ed82b01ad340987bb4e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-08 10:23:17 UTC
File Type:
Binary (Archive)
Extracted files:
17
AV detection:
27 of 45 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxj67uxt6y3ki74yprbhpwyit5dv7i4js5qe5wblagwticmhxnha._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer rat spyware stealer
Link:
https://tria.ge/reports/211208-vah8eahfhq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
grekris.freeddns.org:3345
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85d3efd2f3f636a47f987c4277db089f475fa38997604ed82b01ad340987bb4e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar 85d3efd2f3f636a47f987c4277db089f475fa38997604ed82b01ad340987bb4e

(this sample)

AveMariaRAT

Executable exe bb26cdf6df949385a31997790e09797814a567fb824135b5a8b24ff92dddc036

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 bb26cdf6df949385a31997790e09797814a567fb824135b5a8b24ff92dddc036

Comments