MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88feac36d272543567fa2c4a9a055bc5d875c0bd3e6e2245f6c06fdb42c4cf59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88feac36d272543567fa2c4a9a055bc5d875c0bd3e6e2245f6c06fdb42c4cf59
SHA3-384 hash: 0981c02b2223fe83e88b4b84dc58f2810bb3ce9489dca04898efe0255aca397c68162d538e2bc05806e94fa7a5a7aa42
SHA1 hash: a66db66c7eb34acbd228f62b45f5d6ba7eab70f2
MD5 hash: 6f2bff637bc69d5a8fd1c290a41476a5
humanhash: crazy-wyoming-uniform-montana
File name:New order requirements.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:641'024 bytes
First seen:2022-08-04 06:40:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 286be9e4f8d73c89ffb2aff3a4427b53 (9 x DBatLoader, 1 x AveMariaRAT)
ssdeep 12288:F+xn0/znwyVdboAk2SE+BOx7o1sf6hm7fWzHyW+K:w07nxdb7k2SnB2o1A6hsaSPK
TLSH T11BD46C29E6D084B6E9632A784C1BA694D42BBD152C3C544B6BDC3FC85B3B791303B397
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 73b0d4d6c6d430b3 (9 x DBatLoader, 1 x AveMariaRAT)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
AveMariaRAT C2:
172.93.165.201:5200

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
172.93.165.201:5200 https://threatfox.abuse.ch/ioc/841351/

Intelligence

File Origin
# of uploads :
1
# of downloads :
341
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New order requirements.exe
Verdict:
Suspicious activity
Analysis date:
2022-08-04 06:41:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d71a389d-8f6e-450b-807b-cf89c961e4a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296380/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Creating a file in the %AppData% directory
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/62eb6a3b9ca9b9bfcbe8bdca/reports/204ec566-b0e2-4317-964b-5a02e8a904a4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1587f5a-c870-4846-a10d-0b255efccc4e
Result
Threat name:
AveMaria, DBatLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1046093
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UAC Bypass using ComputerDefaults
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 678587 Sample: New order requirements.exe Startdate: 04/08/2022 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Yara detected UAC Bypass using ComputerDefaults 2->49 51 6 other signatures 2->51 6 New order requirements.exe 1 17 2->6         started        11 Ltgickpbj.exe 13 2->11         started        13 Ltgickpbj.exe 13 2->13         started        process3 dnsIp4 27 www.mivas-catering.ro 6->27 29 mivas-catering.ro 89.39.83.184, 443, 49722, 49724 ROMARGRO Romania 6->29 23 C:\Users\Public\Libraries\Ltgickpbj.exe, PE32 6->23 dropped 25 C:\Users\...\Ltgickpbj.exe:Zone.Identifier, ASCII 6->25 dropped 53 Injects a PE file into a foreign processes 6->53 15 New order requirements.exe 3 6 6->15         started        31 www.mivas-catering.ro 11->31 19 Ltgickpbj.exe 1 11->19         started        33 www.mivas-catering.ro 13->33 21 Ltgickpbj.exe 1 13->21         started        file5 signatures6 process7 dnsIp8 35 172.93.165.201, 49739, 5200 GIGABIT-MYGigabitHostingSdnBhdMY United States 15->35 37 Tries to steal Mail credentials (via file / registry access) 15->37 39 Tries to harvest and steal browser information (history, passwords, etc) 15->39 41 Increases the number of concurrent connection per server for Internet Explorer 15->41 43 2 other signatures 15->43 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88feac36d272543567fa2c4a9a055bc5d875c0bd3e6e2245f6c06fdb42c4cf59/
Threat name:
Win32.Trojan.AveMariaRAT
Create hunting rule
Status:
Malicious
First seen:
2022-08-04 06:41:07 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rd7kynwsojkdkz72frfjubk3yxmhlqf5hzxcerpwybx5wqwez5mq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat collection infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220804-hfrqhsdack/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
172.93.165.201:5200
Unpacked files
SH256 hash:
c38566216fd0a6e1efd869eae4eede8705f29048d813fc591390a77a0f50d065
MD5 hash:
87a5ef8b80ae947628fc01ede27d0555
SHA1 hash:
9c212887aaa619e1ca7177c1ad20b7cb301cafd9
Link:
https://www.unpac.me/results/82f5be33-2eae-414b-b82d-99d309e3c296/
SH256 hash:
88feac36d272543567fa2c4a9a055bc5d875c0bd3e6e2245f6c06fdb42c4cf59
MD5 hash:
6f2bff637bc69d5a8fd1c290a41476a5
SHA1 hash:
a66db66c7eb34acbd228f62b45f5d6ba7eab70f2
Link:
https://www.unpac.me/results/82f5be33-2eae-414b-b82d-99d309e3c296/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/88feac36d272/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88feac36d272543567fa2c4a9a055bc5d875c0bd3e6e2245f6c06fdb42c4cf59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/296380/

Comments