MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86c94e5f96b047700f26f29d0f0ecf7bc76c78883c859e4d26fe4f3e3e00e7ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86c94e5f96b047700f26f29d0f0ecf7bc76c78883c859e4d26fe4f3e3e00e7ad
SHA3-384 hash: 453ca1162d81e05e2401d5af163abe3f89a39403c12211d3d5b8c0624eaec9187d34d1f094ea92ff90e432fdc1ba23b3
SHA1 hash: 41fa10ea9c1c009551b87fa56f6aace05b5b87d0
MD5 hash: 19faca8998fc47a4ed790b4c8cbc4e6b
humanhash: freddie-whiskey-delaware-texas
File name:19faca8998fc47a4ed790b4c8cbc4e6b.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'040'216 bytes
First seen:2023-10-02 16:00:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'012 x AgentTesla, 19'917 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 24576:fAudMnwt4KDDionKDapO5z8oWec2J9bHDLlx:IuJt4Ie4xp6Iac8lx
TLSH T14D250250F6F8211DE067B1F64FD4C8988736B5B4862F8A9F68C0D10B66B4D82AFC1B75
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT signed

Code Signing Certificate

Organisation:htfuh
Issuer:htfuh
Algorithm:sha256WithRSAEncryption
Valid from:2023-09-30T16:54:32Z
Valid to:2024-09-30T16:54:32Z
Serial number: 2ae62659b91b184b14056f57405e05fa
Thumbprint Algorithm:SHA256
Thumbprint: e50b8239c8fdaec033378bead971abfb39a20fb2422e2cf32b752152899d5960
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
AveMariaRAT C2:
185.225.74.106:5200

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
payload.vbs
Verdict:
Malicious activity
Analysis date:
2023-09-30 18:10:47 UTC
Tags:
loader warzone rat remote avemaria
Link:
https://app.any.run/tasks/68c5297b-cad9-480a-9979-52ad78b3cbaa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/452668/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process from a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a window
Network activity
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Blocking the User Account Control
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/651ae93f1edabd9982a33236/reports/d79bb0af-d1e4-4edf-9afe-af61133427aa/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/86c94e5f96b047700f26f29d0f0ecf7bc76c78883c859e4d26fe4f3e3e00e7ad
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e407b94-558d-4904-bb9a-941be46ea914
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318071
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Disables UAC (registry)
Drops PE files with benign system names
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1318071 Sample: 6xmbSr1dbh.exe Startdate: 02/10/2023 Architecture: WINDOWS Score: 100 67 tse1.mm.bing.net 2->67 73 Snort IDS alert for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 11 other signatures 2->79 10 svchost.exe 2->10         started        13 svchost.exe 2 4 2->13         started        15 6xmbSr1dbh.exe 1 7 2->15         started        18 2 other processes 2->18 signatures3 process4 file5 97 Contains functionality to hide user accounts 10->97 99 Writes to foreign memory regions 10->99 101 Allocates memory in foreign processes 10->101 20 aspnet_regiis.exe 10->20         started        38 4 other processes 10->38 103 Antivirus detection for dropped file 13->103 105 Multi AV Scanner detection for dropped file 13->105 107 Machine Learning detection for dropped file 13->107 109 Disables UAC (registry) 13->109 24 RegSvcs.exe 3 8 13->24         started        26 powershell.exe 21 13->26         started        28 EdmGen.exe 13->28         started        65 C:\Users\user\AppData\Roaming\svchost.exe, PE32 15->65 dropped 111 Drops PE files with benign system names 15->111 30 cmd.exe 1 15->30         started        32 cmd.exe 1 15->32         started        113 Adds a directory exclusion to Windows Defender 18->113 115 Injects a PE file into a foreign processes 18->115 34 MSBuild.exe 18->34         started        36 powershell.exe 18->36         started        signatures6 process7 dnsIp8 81 Contains functionality to hide user accounts 20->81 83 Contains functionality to check if Internet connection is working 20->83 85 Contains functionality to inject threads in other processes 20->85 95 4 other signatures 20->95 69 Superherocan.mywire.org 185.225.74.106, 49785, 49786, 49789 MAYAKBG Germany 24->69 87 Tries to steal Mail credentials (via file / registry access) 24->87 89 Increases the number of concurrent connection per server for Internet Explorer 24->89 91 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->91 40 conhost.exe 26->40         started        42 svchost.exe 3 30->42         started        45 conhost.exe 30->45         started        47 timeout.exe 1 30->47         started        93 Uses schtasks.exe or at.exe to add and modify task schedules 32->93 49 conhost.exe 32->49         started        51 schtasks.exe 1 32->51         started        53 conhost.exe 36->53         started        55 conhost.exe 38->55         started        signatures9 process10 signatures11 117 Contains functionality to hide user accounts 42->117 119 Writes to foreign memory regions 42->119 121 Allocates memory in foreign processes 42->121 123 2 other signatures 42->123 57 AppLaunch.exe 42->57         started        61 powershell.exe 42->61         started        process12 dnsIp13 71 Superherocan.mywire.org 57->71 125 Contains functionality to hide user accounts 57->125 127 Tries to steal Mail credentials (via file / registry access) 57->127 63 conhost.exe 61->63         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86c94e5f96b047700f26f29d0f0ecf7bc76c78883c859e4d26fe4f3e3e00e7ad/
Threat name:
Win32.Backdoor.Warzone
Create hunting rule
Status:
Malicious
First seen:
2023-09-30 19:46:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q3eu4x4wwbdxadzg6koq6dwpppdwy6eihscz4tjg7zht4pqa46wq._file
Verdict:
malicious
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection evasion infostealer persistence rat trojan
Link:
https://tria.ge/reports/231002-tf7yaaeb42/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Windows security modification
Warzone RAT payload
UAC bypass
WarzoneRat, AveMaria
Windows security bypass
Malware Config
C2 Extraction:
Superherocan.mywire.org:5200
Unpacked files
SH256 hash:
b0d6b6a338d97d29e43cd48571dc1568c77602d18a87140f93f4dea83b9d1dd0
MD5 hash:
cabc4c843756bea34d595bb80569b6d9
SHA1 hash:
8582873d0f1dffb8650884c3ef64b5025f185459
Link:
https://www.unpac.me/results/434d9776-a886-48e9-9df5-09e35990d243/
SH256 hash:
86c94e5f96b047700f26f29d0f0ecf7bc76c78883c859e4d26fe4f3e3e00e7ad
MD5 hash:
19faca8998fc47a4ed790b4c8cbc4e6b
SHA1 hash:
41fa10ea9c1c009551b87fa56f6aace05b5b87d0
Link:
https://www.unpac.me/results/434d9776-a886-48e9-9df5-09e35990d243/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/86c94e5f96b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ave Maria
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86c94e5f96b047700f26f29d0f0ecf7bc76c78883c859e4d26fe4f3e3e00e7ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AveMaria_31d2bce9
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/452668/

Comments