MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94ca0af32ea93d62fa355e450747ae9755c5dcd09e7b4186cd5bd04d7fc56565. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94ca0af32ea93d62fa355e450747ae9755c5dcd09e7b4186cd5bd04d7fc56565
SHA3-384 hash: 89c8e34de282eb56cfa8e06bdb8c45595d0f191c96a557755db223ece9f7bf25b3e5058710718040296c2ee998ffb6f1
SHA1 hash: 733335b4b4e736f6678333d8ee1e39bded2feb56
MD5 hash: c06dc33bdf9cddadadd16e5299a51670
humanhash: magazine-pasta-sad-pluto
File name:c06dc33bdf9cddadadd16e5299a51670
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:697'856 bytes
First seen:2022-01-26 21:15:55 UTC
Last seen:2022-01-27 13:44:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ac5a75384b7b2ec2021c6624ee6ad17a (1 x AveMariaRAT, 1 x Formbook)
ssdeep 12288:VlhJNv6z4FWoqK7GD2dogNf+Pk5QpCCkBW7T3bnvwBg:VnJx5FWx+GD2XNf+M+CtKT7vF
Threatray 1'159 similar samples on MalwareBazaar
TLSH T10CE49E1EF2E14433E1772B785C7F4399A919BA412D59B8866BE81DCC0F3E241B836E53
File icon (PE):PE icon
dhash icon 41869abaa6c7659a (1 x AveMariaRAT, 1 x Formbook)
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c06dc33bdf9cddadadd16e5299a51670
Verdict:
Malicious activity
Analysis date:
2022-01-26 21:20:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8a9d11b7-adbe-4d12-ac40-c3d5077ccfa8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/223778/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38748027.24124.23675.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5268/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe keylogger remote.exe
Link:
https://www.filescan.io/uploads/61f1ba1bd73ca9d4648f7148/reports/893419b6-83b5-4b07-8076-d42cb740df10/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/09ba78e4-5a2e-4074-9f66-de06d78416d2
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/928349
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94ca0af32ea93d62fa355e450747ae9755c5dcd09e7b4186cd5bd04d7fc56565/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-01-26 16:21:20 UTC
File Type:
PE (Exe)
Extracted files:
74
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
02bcb080116ab55475edbcd1293246a0e5d8894793ee9e699db805bff2935408
AveMariaRAT
1b9995b4d1ef90b4b1db62b8db973db8e7a88be66df0c77a66d5a1198dfe1487
AveMariaRAT
4db2cf21ed080aa6d30503a18bccf3180ea748ae648c0b1c1e776de9b04c7156
AveMariaRAT
50575798954fd5dff1f376d1597a3d0ff52f51789c5ae98b48957590b540bcce
AveMariaRAT
6a0d05477e23fc1152067fc51d50a044bccf0e0a0654dbae1864df792400e935
AveMariaRAT
714a30085b93988295ea7b732d24384db7bb3be843e20acd447ae8dd258db7a8
AveMariaRAT
888497ac8f3cb030dc34d198ef8e307fab6b129f31f4fc9c41ea78f94d831529
AveMariaRAT
a3acdf009a9db20af30be0c6fcdcdc27ad9db3ee9a84bc52d9e6f7d30ec42af2
AveMariaRAT
a43aeebdf142d982d97157178d0b190e386b39d532c8782a7767f84f2a88e97b
AveMariaRAT
d81e62102d9b748aaabf4f06bf0c09a66dfaaac7836374016a5f076b6f7ed418
AveMariaRAT
+ 1'149 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/220126-z4gnwsaecj/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
152.67.253.163:5300
Unpacked files
SH256 hash:
9cebbcef1bd6016dfebf4c69f4c49501d914d5a8607777eba952d7ad40346f9a
MD5 hash:
322f2da5c29542aaecc9ee17e1fe7f00
SHA1 hash:
734c432e2595d53c82ee28604f909d3390018dd8
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/e2641ae7-d3e3-4734-816b-7bd0b91b0f9a/
Parent samples :
a7d0cff6a05994c0ae576fa842e44a101879317f62466923f1d96adee2c4a898
770c04c7c3a53d584af17e38e8e3fe5767d431e26ca59b4dc20de71045354295
c1bd90e8816e506f387b5552b7487423da84b9818cf4e94f175ed7206cffe4f5
b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e
bed2b6abf700b607d4f856c63832bae23f4120a8786b5af4cbdaa0d8525a47bc
0d9facf6b7073de4e3db19eb64e80589d98cfe35b66942191390a891bb8b241c
3add41c98717984fa6f6d1bff7b1506024e2d91932b60a43810498c44daaef86
ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e
b5cea089bb899e75deef98dc1569dc3af17a070f6fa594377b49299d63bbbd8f
7b2232160ba59858c112d6dcb2252701cdb5c1e38b216fb046bd13718c2716ce
b83152fc7fc7aa9950add1de9c3d12e107e3b6eb481c1a368018ed26d3792cdc
0ba0cd39397ce42a5a678b0ef803f99267dc16de6383f61107e298633e23e436
f69c67cbf4e8f7e6d0f9157de994b80e6eb0f7b251dcc461940d51659055640f
5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef
cab0b398ecbf051d2fefcd25624c8f2b8119d52304c4e9836ede3b5391119fe6
4e837a08dd24b1f710c6fce10f974a49141decf103d6aeb290c0d36bba75121b
7a5846b1a7c0bbada0892d8b315bef3b4682192268da9ea779e98449681dd7ed
94ca0af32ea93d62fa355e450747ae9755c5dcd09e7b4186cd5bd04d7fc56565
0183d2fd44e215d6dc408bec45db9767a765767737b737032ff97e75adca46cd
5a04697834016e869389ef0d6a08656669cf5597fe0a6378a993250d311482e3
01e537ab28cea013b9a08939057369aa9369e8ff009231cb95101dc24348bb2e
76389098be8a410aaf6b21297912f6ef745db6e8a2f2aaaddda8685bd91091c3
662c7dc1c6b6fbc7cb4622876c0b0b2a42dba7081adede8a65182aef085f7082
7793e93512bcef7b9d90de59ef17b8771ecc9da854da2f4c8b3be8ba3c5a2c20
SH256 hash:
94ca0af32ea93d62fa355e450747ae9755c5dcd09e7b4186cd5bd04d7fc56565
MD5 hash:
c06dc33bdf9cddadadd16e5299a51670
SHA1 hash:
733335b4b4e736f6678333d8ee1e39bded2feb56
Link:
https://www.unpac.me/results/e2641ae7-d3e3-4734-816b-7bd0b91b0f9a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/94ca0af32ea9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94ca0af32ea93d62fa355e450747ae9755c5dcd09e7b4186cd5bd04d7fc56565

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 94ca0af32ea93d62fa355e450747ae9755c5dcd09e7b4186cd5bd04d7fc56565

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2007820/
Cape
Cape
https://www.capesandbox.com/analysis/223778/

Comments


Avatar
zbet commented on 2022-01-26 21:16:00 UTC

url : hxxp://20.51.217.113/ris/ume.exe