MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a8f07c548f5ee402b359c3c874d56151164b0ca147b2187371b7770a11acfc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT
Vendor detections: 7

SHA256 hash: 8a8f07c548f5ee402b359c3c874d56151164b0ca147b2187371b7770a11acfc2
SHA3-384 hash: 40da602fb8c2b5602002dfe00e50186ff6baf14951656dafd5ba95ecbb6593737f85e4c52b0b8c8681f692ea81889087
SHA1 hash: 777b9a853cd71d7655843ee0e6e10d16a82c5761
MD5 hash: 03db8c848cf3fc80ee9a475df0ca169a
humanhash: steak-earth-single-nitrogen
File name: RFQ_Quote 07 13 2023 -99994302.xz
Signature: AveMariaRAT
File size: 7'415 bytes
First seen: 2023-07-13 06:35:30 UTC
Last seen: Never
File type: xz
MIME type: application/x-rar
ssdeep: 192:xjMRmBJ59lw9+hFHV2fu3+CVgzAm6rHcpItwtyj7:umBJ59XFD33VaN7E
TLSH: T164E1B05FDC315B6BCD9E9D3929FE4A5C6485FDD19AE6B0C008CAD000A31A5B737D09C0
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
      38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter: cocaman
Tags: AveMariaRAT RFQ xz


cocaman
Malicious email (T1566.001)
From: "Andreea Maftei <account@motionskonsult.com>" (likely spoofed)
Received: "from smtp.motionskonsult.com (smtp.motionskonsult.com [193.27.90.125]) "
Date: "13 Jul 2023 08:24:43 +0300"
Subject: "Re: RFQ "
Attachment: "RFQ_Quote 07 13 2023 -99994302.xz"

Intelligence

File Origin
# of uploads: 1
# of downloads: 89
Origin country: CH

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: RFQ_Quote 07 13 2023 -99994302.exe
File size: 21'504 bytes
SHA256 hash: 10aa2cc0619a0897cd733a107f57251340c23f6ff623dba71fc809202337c80b
MD5 hash: 9773377884d3b259110a613e45ce6e96
MIME type: application/x-dosexec
Signature: AveMariaRAT
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Binary.Trojan.Zmutzy
Status: Malicious
First seen: 2023-07-13 06:35:32 UTC
File Type: Binary (Archive)
Extracted files: 1
AV detection: 6 of 38 (15.79%)
Threat level: 5/5

Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat collection infostealer rat spyware stealer
Behaviour:
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction: 84.38.130.205:58146

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AveMariaRAT, xz, 8a8f07c548f5ee402b359c3c874d56151164b0ca147b2187371b7770a11acfc2 (this sample)

Delivery method: Distributed via e-mail attachment
