MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c95992bf35e5bc0d46244bf2330bec5711f409cb7fba2a2d52c28ed54ca4e80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c95992bf35e5bc0d46244bf2330bec5711f409cb7fba2a2d52c28ed54ca4e80
SHA3-384 hash: 4a3bf1b3dfc22fe10e9849ab80576490d234975bdb8ca7710d362fb3e04abc150f42eb1d04b75007ee73f0c3f51b8026
SHA1 hash: ca5612a8739476297c7b8535f7a34f020bacf8a8
MD5 hash: 0bbf771c23e77d0f67ac68e739f8bd5b
humanhash: nitrogen-charlie-zebra-juliet
File name:file.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:413'200 bytes
First seen:2023-06-01 10:36:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:hP1IAsudOs2633urCApOlOpT/leT78bJFdIY/xDDDzjltY7QMq/TfL9Y2bd:bisH3eCApOUpT/ccWUZlCCjLeE
Threatray 1'489 similar samples on MalwareBazaar
TLSH T1E894C07C3B64BD9EC6AE817864AD1E027372905797DBC33366D791F81E2D642EE004A3
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-06-01 10:36:38 UTC
Tags:
warzone
Link:
https://app.any.run/tasks/a10ac99d-942e-4ad1-911d-08d70e2f35a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/394340/
Detection(s):
Win.Packed.Formbook-9980347-1
Create hunting rule

Win.Packed.Cerbu-9993871-0
Create hunting rule

Win.Dropper.Formbook-9993903-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/647874cf47ccd95d485ba7dd/reports/54bdcb98-b472-4be2-9a6a-1165e47ec1d1/overview
Verdict:
Malicious
Labled as:
Trojan.E1CAE469
Link:
https://www.hybrid-analysis.com/sample/8c95992bf35e5bc0d46244bf2330bec5711f409cb7fba2a2d52c28ed54ca4e80
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
dotRunpeX
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/080e6d27-71e7-4714-a601-a9947d01118f
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1246709
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Disables UAC (registry)
Drops PE files with benign system names
Found malware configuration
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected UAC Bypass using CMSTP
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 879729 Sample: file.exe Startdate: 01/06/2023 Architecture: WINDOWS Score: 100 84 accountsales03.ddns.net 2->84 90 Multi AV Scanner detection for domain / URL 2->90 92 Found malware configuration 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 12 other signatures 2->96 10 file.exe 1 5 2->10         started        14 svchost.exe 3 2->14         started        16 svchost.exe 4 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 76 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 10->76 dropped 78 C:\Users\user\AppData\Local\...\file.exe.log, CSV 10->78 dropped 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->112 114 Drops PE files with benign system names 10->114 20 cmd.exe 1 10->20         started        22 cmd.exe 1 10->22         started        116 Multi AV Scanner detection for dropped file 14->116 118 Machine Learning detection for dropped file 14->118 120 Uses cmd line tools excessively to alter registry or file data 14->120 25 consent.exe 14->25         started        27 powershell.exe 14->27         started        34 11 other processes 14->34 80 C:\Windows\Temp\b3qlb2va.inf, Windows 16->80 dropped 122 Writes to foreign memory regions 16->122 124 Adds a directory exclusion to Windows Defender 16->124 126 Injects a PE file into a foreign processes 16->126 29 jsc.exe 16->29         started        32 powershell.exe 16->32         started        36 4 other processes 16->36 82 C:\Windows\Temp\zyfb4ms4.inf, Windows 18->82 dropped 38 4 other processes 18->38 signatures6 process7 dnsIp8 40 svchost.exe 5 5 20->40         started        44 conhost.exe 20->44         started        46 timeout.exe 1 20->46         started        98 Uses schtasks.exe or at.exe to add and modify task schedules 22->98 48 conhost.exe 22->48         started        50 schtasks.exe 1 22->50         started        100 Writes to foreign memory regions 25->100 52 svchost.exe 25->52 injected 54 conhost.exe 27->54         started        88 accountsales03.ddns.net 29->88 56 conhost.exe 32->56         started        58 conhost.exe 38->58         started        signatures9 process10 file11 74 C:\Users\user\AppData\Local\Temp\?????.sys, PE32+ 40->74 dropped 102 Writes to foreign memory regions 40->102 104 Adds a directory exclusion to Windows Defender 40->104 106 Disables UAC (registry) 40->106 110 2 other signatures 40->110 60 jsc.exe 40->60         started        64 powershell.exe 17 40->64         started        66 WsatConfig.exe 40->66         started        70 4 other processes 40->70 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->108 68 consent.exe 52->68         started        signatures12 process13 dnsIp14 86 accountsales03.ddns.net 91.193.75.154, 4449, 49694, 49695 DAVID_CRAIGGG Serbia 60->86 128 Found stalling execution ending in API Sleep call 60->128 130 Increases the number of concurrent connection per server for Internet Explorer 60->130 132 Hides that the sample has been downloaded from the Internet (zone.identifier) 60->132 72 conhost.exe 64->72         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c95992bf35e5bc0d46244bf2330bec5711f409cb7fba2a2d52c28ed54ca4e80/
Threat name:
ByteCode-MSIL.Trojan.Dotrunpex
Create hunting rule
Status:
Malicious
First seen:
2023-06-01 10:37:06 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rskzsk7tlzn4bvdcis7sgmf6yvyr6qe4w752fiwvfquo2vgkj2aa._file
Verdict:
malicious
Similar samples:
357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51
AveMariaRAT
3bafde54ba687060ac7b17a4d377f368d27cf7c21fb369915065ee4995d2c01e
AveMariaRAT
57a58ba29a3ed07f244f57276d1d265c9ab1aee6d9ac6f1d84b24c6561fef589
AveMariaRAT
59494a51618f234021c0dae2d87667ce9e431b8a75a1b4952d3e48bf71492fbb
AveMariaRAT
87fb4ae70afbd870d62906d6401694f52a4658a037fd793065905b8882e38323
AveMariaRAT
914e09b5e1bee2e3bbb2d77f8fae1a8069f67b887f6abf9c5785e9fc5e39dd1c
AveMariaRAT
a0bf8575052b720932ab96605b4622a07453b1ace7cd73a8f262ca3e7fa7317a
AveMariaRAT
ac02c4ea63c245d101b1aab06ff98f44aafab1e43c0194d1deab13fcf2a69279
AveMariaRAT
c0e2de257b40366c2e97a6c4a074d18a49a8ade3037632cd754489d26198dbd3
AveMariaRAT
e5b432be651f1c2e2d10923fa2e07f21d3ccbb98a1238d04a8b8a6f801b19fae
AveMariaRAT
+ 1'479 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat trojan
Link:
https://tria.ge/reports/230601-mntbjadg79/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Windows security modification
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Looks for VMWare Tools registry key
Sets service image path in registry
Looks for VirtualBox Guest Additions in registry
Warzone RAT payload
UAC bypass
WarzoneRat, AveMaria
Windows security bypass
Malware Config
C2 Extraction:
91.193.75.154:4449
Unpacked files
SH256 hash:
8c95992bf35e5bc0d46244bf2330bec5711f409cb7fba2a2d52c28ed54ca4e80
MD5 hash:
0bbf771c23e77d0f67ac68e739f8bd5b
SHA1 hash:
ca5612a8739476297c7b8535f7a34f020bacf8a8
Link:
https://www.unpac.me/results/63f3fb0e-419b-47d8-b8ae-1db1f6f35406/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c95992bf35e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c95992bf35e5bc0d46244bf2330bec5711f409cb7fba2a2d52c28ed54ca4e80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/394340/

Comments