MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d4020bea8924365724ff2c7eaffa0541f0ac4712c6b0a4723c5f68858fa306c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT


Vendor detections: 17



SHA256 hash: 8d4020bea8924365724ff2c7eaffa0541f0ac4712c6b0a4723c5f68858fa306c
SHA3-384 hash: ed44aff1c76bfac960066f3b2fdc501d771c739d97980ca41614e3eceea25a75f3ade377154ce78e1d500422b8eff13d
SHA1 hash: 6a5e219fd96905b154295697ac6f72a13725f6a1
MD5 hash: 35ed3fe203fabde1b0d353815f9a273b
humanhash: freddie-utah-oxygen-iowa
File name: SecuriteInfo.com.Variant.Jaik.73085.20962.11149
Signature: AveMariaRAT
File size: 2'054'656 bytes
First seen: 2022-05-15 19:35:29 UTC
Last seen: 2022-05-23 11:56:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f40b392a15f243aae9f6b24f04047e6e (2 x AveMariaRAT)
ssdeep 12288:ed05fRBi1vvXHdJUNoyiiguuJ2glmnGeNCrRcQc/PJcEj2uGn9bunQ7JiD4pa7+o:q1vfHUorlm9NCFcR/PJc4gbunQ
Threatray 3'604 similar samples on MalwareBazaar
TLSH T147951910B3A15124F5F767FA66B54694887E3C811F2CE2CF4A850ADECA292F47C347A7
TrID 85.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter @SecuriteInfoCom
Tags: AveMariaRAT exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
247
Origin country :
DE
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
avemaria
ID:
1
File name:
8d4020bea8924365724ff2c7eaffa0541f0ac4712c6b0a4723c5f68858fa306c.exe.malware
Verdict:
Malicious activity
Analysis date:
2022-05-15 22:05:05 UTC
Tags:
trojan rat stealer avemaria warzone

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
6/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
control.exe greyware shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria, UACMe
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to create processes via WMI
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Creates processes via WMI
Detected unpacking (creates a PE file in dynamic memory)
Drops script or batch files to the startup folder
Found malware configuration
Increases the number of concurrent connection per server for Internet Explorer
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Behavior Graph ID: 626897
Sample: SecuriteInfo.com.Variant.Ja...
Startdate: 15/05/2022
Architecture: WINDOWS
Score: 100
Top-level signatures:
  Snort IDS alert for network traffic
  Found malware configuration
  Malicious sample detected (through community Yara rule)
  8 other signatures
Process tree:
  SecuriteInfo.com.Variant.Jaik.73085.20962.exe (started)
    Dropped files:
      C:\ProgramData\windowupdate.exe, PE32
      C:\ProgramData:ApplicationData, PE32
      C:\Users\user\AppData\...\programs.bat:start, ASCII
      2 other malicious files
    Signatures:
      Creates files in alternative data streams (ADS)
      Drops script or batch files to the startup folder
      Adds a directory exclusion to Windows Defender
      Increases the number of concurrent connection per server for Internet Explorer
    windowupdate.exe (started)
      Network: 104.128.191.44, 49694, 8080 EPBTELECOMUS Reserved
      Signatures:
        Multi AV Scanner detection for dropped file
        Detected unpacking (creates a PE file in dynamic memory)
        Writes to foreign memory regions
        4 other signatures
      cmd.exe (started)
        conhost.exe (started)
      powershell.exe (started)
        conhost.exe (started)
    powershell.exe (started)
      conhost.exe (started)
  cmd.exe (started)
    WMIC.exe (started)
      Signature: Creates processes via WMI
    conhost.exe (started)
  WmiPrvSE.exe (started)
Threat name:
Win32.Trojan.Lazy
Status:
Malicious
First seen:
2022-05-15 18:06:43 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 40 (50.00%)
Threat level:
5/5
Result
Malware family:
warzonerat
Score:
10/10
Tags:
family:warzonerat infostealer persistence rat
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
104.128.191.44:8080
Unpacked files

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: AveMaria
Author: @bartblaze
Description: Identifies AveMaria aka WarZone RAT.
Rule name: ave_maria_warzone_rat
Author: jeFF0Falltrades
Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: Codoso_Gh0st_1
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name: Codoso_Gh0st_1_RID2C2D
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Author: ditekSHen
Description: Detects executables embedding command execution via IExecuteCommand COM object
Rule name: MALWARE_Win_AveMaria
Author: ditekSHen
Description: AveMaria variant payload
Rule name: MALWARE_Win_WarzoneRAT
Author: ditekSHen
Description: Detects AveMaria/WarzoneRAT
Rule name: MAL_Lokibot_Stealer
Description: Detects Lokibot Stealer Variants
Rule name: RDPWrap
Author: @bartblaze
Description: Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference: https://github.com/stascorp/rdpwrap

File information


The table below shows additional information about this malware sample such as delivery method and external references.