MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e4f9c50d684e420c808b44d32287262f57cdbb5780dca6488556a41107d3491. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 14 File information Comments 1

SHA256 hash:	8e4f9c50d684e420c808b44d32287262f57cdbb5780dca6488556a41107d3491
SHA3-384 hash:	fe0f81700bf53ea73ef04b3360de443d0a02d99fc53ac3417137b766cea44bf11a3c7f7dc611f5f4d5d60a29414acde9
SHA1 hash:	027ac2613387cd54463d0170889b849201f16e85
MD5 hash:	92dcfe5ccfa95ab24ed7ed2933181a8b
humanhash:	nine-diet-eighteen-emma
File name:	92dcfe5ccfa95ab24ed7ed2933181a8b
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	100'352 bytes
First seen:	2022-08-22 12:41:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b76aafdc988ade2ab3db3b02fa4c6d00 (26 x AveMariaRAT, 1 x njrat, 1 x NanoCore)
ssdeep	1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEyp:AtD6jSm0uWRfCogTjVEG
TLSH	T1ECA38D2377E1483DF67501B02ABCBE7A97FEBD740321895FA36811836E72548E926343
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	zbetcheckin
Tags:	32 AveMariaRAT exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
37.139.129.100:2323	https://threatfox.abuse.ch/ioc/844702/

Intelligence

File Origin

# of uploads :

# of downloads :

248

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

avemaria

ID:

File name:

92dcfe5ccfa95ab24ed7ed2933181a8b

Verdict:

Malicious activity

Analysis date:

2022-08-22 12:43:36 UTC

Tags:

trojan stealer rat avemaria warzone arkei

Link:

https://app.any.run/tasks/55e29ee6-0a45-4750-b00f-34d9c7db60e1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/300211/

Detection(s):

Win.Malware.Sllg-9774396-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a file in the %AppData% directory

Reading critical registry keys

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/29656/overview

Behaviour

MalwareBazaar

CheckCmdLine

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AVE_MARIA

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/638c1e39-2776-4c4c-834d-a0c4535b9141

Result

Threat name:

AveMaria, UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1055501

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Increases the number of concurrent connection per server for Internet Explorer

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses dynamic DNS services

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

warzone

Link:

https://mwdb.cert.pl/sample/8e4f9c50d684e420c808b44d32287262f57cdbb5780dca6488556a41107d3491/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2022-08-22 12:42:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rzhzyugwqtscbsaiwrgtekdsml2xzw5vpag4uzeikvveced5gsiq._file

Verdict:

malicious

Label(s):

avemaria

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat collection infostealer rat spyware stealer

Link:

https://tria.ge/reports/220822-pwrh1sfgeq/

Behaviour

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

spicydojo.duckdns.org:2323

Unpacked files

SH256 hash:

8e4f9c50d684e420c808b44d32287262f57cdbb5780dca6488556a41107d3491

MD5 hash:

92dcfe5ccfa95ab24ed7ed2933181a8b

SHA1 hash:

027ac2613387cd54463d0170889b849201f16e85

Detections:

win_ave_maria_g0

win_ave_maria_auto

Link:

https://www.unpac.me/results/37891773-83db-491a-a613-b3513710554b/

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8e4f9c50d684/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8e4f9c50d684e420c808b44d32287262f57cdbb5780dca6488556a41107d3491

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2_RID2C2E Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	troj_win_warzonerat Create hunting rule
Author:	Jeff White (karttoon@gmail.com) @noottrak
Description:	Detects WarzoneRAT.
Reference:	https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/