MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8832f0c3e356fc56f6c8e3da8c93923b34548f40a2ade85d466ff2aca01f1289. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	8832f0c3e356fc56f6c8e3da8c93923b34548f40a2ade85d466ff2aca01f1289
SHA3-384 hash:	1f13aa7768e6880ba840ccb5c7622b4e87411c2f84a0756b941fd68d7e4f0e646fa9776dee0c3d5e81c5194acc8f294e
SHA1 hash:	771afd89165125768b48f634d36a6d3d1bf90419
MD5 hash:	839e0e7254b66381ba8a558f903fb09b
humanhash:	music-pluto-beryllium-georgia
File name:	globalquotation.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	367'657 bytes
First seen:	2021-06-01 13:15:38 UTC
Last seen:	2021-06-01 13:59:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:eQqYLMuq4fRD0es4gwvg9AZZi+klubKJCzCp:LjbqFtGij4+p
Threatray	848 similar samples on MalwareBazaar
TLSH	D374E1C17240D449E0370B70447BD63896BA7E09A96441AB3BA9BF2F36F51939473BCB
Reporter	abuse_ch
Tags:	AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

213

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

globalquotation.exe

Verdict:

Malicious activity

Analysis date:

2021-06-01 13:47:31 UTC

Tags:

installer trojan stealer rat avemaria

Link:

https://app.any.run/tasks/6fbb5cfa-b2ab-472f-838c-500e81aa57b7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/163832/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.6215.2298.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% directory

Creating a file

Creating a file in the %AppData% subdirectories

Modifying a system executable file

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Creating a file in the %AppData% directory

Deleting a recently created file

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AveMaria UACMe

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/795304

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/8832f0c3e356fc56f6c8e3da8c93923b34548f40a2ade85d466ff2aca01f1289/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2021-06-01 13:16:12 UTC

AV detection:

11 of 29 (37.93%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=razpbq7dk36fn5wi4pnize4shm2fjd2aukw6qxkgn7zkzia7ckeq._file

Verdict:

unknown

AveMariaRAT

3139ed0df84c327db60fb109ac29aee322c9340327a24382270c321fa645a2e5

AveMariaRAT

688db922ed6771475dc6c379990567dc7e07ecaa848ada113472d1021eb02926

AveMariaRAT

6d33f52ccba4dfd0f6ae6559d49f85bfbdb94560dc321cd09defa7d1278773cf

AveMariaRAT

872ac5743d339a60af70e0b933a15c4c68f5e40b168c3b5ef444cf280673ee42

AveMariaRAT

a67866e26c35be123728faf13ab166a05eb79ad7e8c6c79768ea059326d5cb60

AveMariaRAT

ada7301339123e87473a4a5970ca4df1b0bf6031812bdb58e8e8dde26f89671a

AveMariaRAT

b63510ef1f908a56031aa259b42890edd4fea137cbfcc32cd3855b6f77e4a31f

AveMariaRAT

cd0948866c760383fa48516292b3682d7560d89554e23a8b026c5867836c77fe

AveMariaRAT

dbb9d26d8d9eb357f53db3913bbcacb0153a23aa1b23c2b3290e4ade823dc5c1

AveMariaRAT

+ 838 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer persistence rat spyware stealer

Link:

https://tria.ge/reports/210601-knn3s4rmh6/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Reads user/profile data of web browsers

Warzone RAT Payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

195.62.33.174:7777

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8832f0c3e356fc56f6c8e3da8c93923b34548f40a2ade85d466ff2aca01f1289

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/163832/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample