MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90b0e81cae870478e28e0902f8011e63315394fab478fb790827d95d1c34ba6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90b0e81cae870478e28e0902f8011e63315394fab478fb790827d95d1c34ba6f
SHA3-384 hash: 37f479b6b605c495e099c631b12b003221945f514ed848981b70ad71771cf9594de0be7fbc4dfafb1e27a5a8cd918452
SHA1 hash: d8cc3d7f79e8a09a15759b3de91406eff847eb46
MD5 hash: e91ffadc5a9582e57acbd29aa9b2b97f
humanhash: maine-twenty-fanta-green
File name:ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:961'024 bytes
First seen:2024-02-04 10:35:04 UTC
Last seen:2024-02-04 10:35:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'660 x Formbook, 12'250 x SnakeKeylogger)
ssdeep 24576:V8IH/5Tc2NLJlVSDiCb+Q8iAqaQddq9rDy08o:XHhA2N97SmCb+Q8HEADD8o
TLSH T10D159DC8798171DFE4A78E3E84A09C5197717C6F1246E94F6007B7D8BA3D5838E223A7
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon f0f8faf2e87c7c04 (1 x AveMariaRAT)
Reporter e24111111111111
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
334
Origin country :
GR GR
Vendor Threat Intelligence
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/474485/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.Malware-gen.27206.7077.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65bf6893b012cce0edbbc6dc/reports/1b489ad2-4e21-4619-94ae-5ed95735d0c0/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/90b0e81cae870478e28e0902f8011e63315394fab478fb790827d95d1c34ba6f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/823319e2-e469-492e-91cb-9c47c1b77ccf
Result
Threat name:
AveMaria, PrivateLoader, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1386307
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected PrivateLoader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1386307 Sample: ITEMS_SPECIFICATIONS_-_UNIT... Startdate: 04/02/2024 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 15 other signatures 2->58 7 ITEMS_SPECIFICATIONS_-_UNITED_ARABIAN_COMPANY_UAE.exe 7 2->7         started        11 LBvJnfZ.exe 5 2->11         started        process3 file4 38 C:\Users\user\AppData\Roaming\LBvJnfZ.exe, PE32 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmp68AB.tmp, XML 7->40 dropped 60 Detected unpacking (changes PE section rights) 7->60 62 Detected unpacking (overwrites its own PE header) 7->62 64 Contains functionality to hide user accounts 7->64 72 3 other signatures 7->72 13 RegSvcs.exe 3 12 7->13         started        18 powershell.exe 23 7->18         started        20 powershell.exe 23 7->20         started        22 schtasks.exe 1 7->22         started        66 Antivirus detection for dropped file 11->66 68 Multi AV Scanner detection for dropped file 11->68 70 Machine Learning detection for dropped file 11->70 24 RegSvcs.exe 11->24         started        26 schtasks.exe 11->26         started        signatures5 process6 dnsIp7 50 45.137.22.105, 4821, 49732 ROOTLAYERNETNL Netherlands 13->50 42 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 13->42 dropped 44 C:\Users\user\AppData\Local\Temp\nss3.dll, PE32 13->44 dropped 46 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 13->46 dropped 48 3 other files (1 malicious) 13->48 dropped 74 Found evasive API chain (may stop execution after checking mutex) 13->74 76 Tries to steal Mail credentials (via file / registry access) 13->76 78 Contains functionality to inject threads in other processes 13->78 82 5 other signatures 13->82 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        80 Contains functionality to hide user accounts 24->80 36 conhost.exe 26->36         started        file8 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/90b0e81cae870478e28e0902f8011e63315394fab478fb790827d95d1c34ba6f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90b0e81cae870478e28e0902f8011e63315394fab478fb790827d95d1c34ba6f/
Threat name:
ByteCode-MSIL.Backdoor.Warzone
Create hunting rule
Status:
Malicious
First seen:
2024-02-02 08:52:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=scyoqhfoq4chryuobebpqai6mmyvhfh2wr4pw6iie7mv2hbuxjxq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer rat
Link:
https://tria.ge/reports/240204-mm8ptsfda8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
45.137.22.105:4821
Unpacked files
SH256 hash:
51b69b375f651f1cd80c3daa7d475a662b43ce98fdaf10430dd60a4e8c07418b
MD5 hash:
9118994149c6fc4de1ca9860c6a2a711
SHA1 hash:
e59f524d6956586ecfe86b7d8b120df4ca6e0750
Detections:
Warzone
Create hunting rule
win_ave_maria_auto
Create hunting rule
win_ave_maria_g0
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
MALWARE_Win_AveMaria
Create hunting rule
MALWARE_Win_WarzoneRAT
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
potential_termserv_dll_replacement
Create hunting rule
Link:
https://www.unpac.me/results/a849efcf-1403-4e87-b646-0f509fefefd9/
SH256 hash:
18724e69e0e494140d2f7bfe92dd1eb41fea0778043e56c095a9654fdf8113fc
MD5 hash:
cefca60ebe99952bdaa33e248226e0fd
SHA1 hash:
c50b64ce1758379c360ffec213f89d45beb05a96
Link:
https://www.unpac.me/results/a849efcf-1403-4e87-b646-0f509fefefd9/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/a849efcf-1403-4e87-b646-0f509fefefd9/
SH256 hash:
a91462e9c8e5d78d4047a80eb89a38c6e76e5d4cf6ac8ff7142e19bb7ecfbb82
MD5 hash:
b3200a8295f2098fa0078754ab6728ce
SHA1 hash:
b84d3cbebfd2eb9822664ca47fe56e6ee95e0ddc
Link:
https://www.unpac.me/results/a849efcf-1403-4e87-b646-0f509fefefd9/
SH256 hash:
c3f7a9a1f22057747d62ac0436211ed72fd7c1656294e300a5f09c929de0d2a5
MD5 hash:
29a61619de04761d8fb86bb3815557db
SHA1 hash:
695994a8743250926a0f65ccf9eb342fedd8783b
Link:
https://www.unpac.me/results/a849efcf-1403-4e87-b646-0f509fefefd9/
SH256 hash:
518c5755b6d44a4e6dc2dfe808c2aeec2f7d4a7a076802b4cb2f5f79b4730181
MD5 hash:
9465383c0c2e2826017f5aa38e929225
SHA1 hash:
27ef0d9cb467db93040705d8e64789ee7c027610
Link:
https://www.unpac.me/results/a849efcf-1403-4e87-b646-0f509fefefd9/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/a849efcf-1403-4e87-b646-0f509fefefd9/
SH256 hash:
06d73b35cc732c48308c14a0f72a430d6837591a49d7781a4d735ef79fe27a41
MD5 hash:
6033d3fe215e208626904dffbb9f27fc
SHA1 hash:
736a139470dd7166af2418b7d11f5dd66e13ce7f
Link:
https://www.unpac.me/results/a849efcf-1403-4e87-b646-0f509fefefd9/
SH256 hash:
90b0e81cae870478e28e0902f8011e63315394fab478fb790827d95d1c34ba6f
MD5 hash:
e91ffadc5a9582e57acbd29aa9b2b97f
SHA1 hash:
d8cc3d7f79e8a09a15759b3de91406eff847eb46
Link:
https://www.unpac.me/results/a849efcf-1403-4e87-b646-0f509fefefd9/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/90b0e81cae87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90b0e81cae870478e28e0902f8011e63315394fab478fb790827d95d1c34ba6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/474485/

Comments