MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 957d4dbe710ceb16702d6febb67cb2f55cca53a58891edb7f8a8d5b1d8122dc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 24 File information Comments

SHA256 hash:	957d4dbe710ceb16702d6febb67cb2f55cca53a58891edb7f8a8d5b1d8122dc7
SHA3-384 hash:	5d3cfb8033de9ea01c4fd0016f9f9424e56319174af37539edaa765b996f4df26b8764c18fbc52227c3f4c5c780e0a7f
SHA1 hash:	32d169ac258166dc019a71e624582f965d44427e
MD5 hash:	28e6ab0ec670648302843af54abf05bb
humanhash:	nine-glucose-cat-berlin
File name:	Invoice 322515.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	1'067'520 bytes
First seen:	2023-05-25 16:35:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b3b7f3046623191c43621fd310d374b1 (2 x AveMariaRAT, 2 x ModiLoader, 1 x Formbook)
ssdeep	24576:SSWrMz8C3kJ+VnkaJ56TxIN84Mm/33fb5GJ:SS0o8YXMFIN84X33fb5W
Threatray	2'628 similar samples on MalwareBazaar
TLSH	T12035AE12B3F05473E42A2C39AC5BD7A5590D7E102939344DBFE63D48DB3B28279A42E7
TrID	86.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 4.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.3% (.SCR) Windows screen saver (13097/50/3) 1.4% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	dcf4f4c2a4c4c2d0 (2 x ModiLoader, 1 x AveMariaRAT, 1 x Formbook)
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

abuse_ch

AveMariaRAT C2:
89.117.76.67:5200

Intelligence

File Origin

# of uploads :

# of downloads :

321

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Invoice 322515.exe

Verdict:

Malicious activity

Analysis date:

2023-05-25 16:35:38 UTC

Tags:

dbatloader

Link:

https://app.any.run/tasks/2a0ba1f2-71df-41db-bd3e-d925e7eea95e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/391790/

Detection(s):

SecuriteInfo.com.HEUR.22243.17368.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Creating a file

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/87909/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware keylogger lolbin packed

Link:

https://www.filescan.io/uploads/646f8e72080367129a46797e/reports/fa22def6-0940-466c-86d7-d4e0a5cd1eb7/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/957d4dbe710ceb16702d6febb67cb2f55cca53a58891edb7f8a8d5b1d8122dc7

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dbatloader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/be8489eb-60a3-4aa7-9363-15ed646d7fff

Result

Threat name:

AveMaria, UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1242624

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to check if Internet connection is working

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Creates a thread in another existing process (thread injection)

Detected unpacking (creates a PE file in dynamic memory)

Drops PE files with a suspicious file extension

Found evasive API chain checking for user administrative privileges

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes to foreign memory regions

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/957d4dbe710ceb16702d6febb67cb2f55cca53a58891edb7f8a8d5b1d8122dc7/

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2023-05-25 16:36:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sv6u3ptrbtvrm4bnn7v3m7fs6vomuu5frci63n7yvdk3dwasfxdq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

18cbae6a7144c17ab29082abdcd3ab6dd7f0c474429bba848f023069fdf9f0d0

AveMariaRAT

313cabf464e7edf69744f94c3ea234fbb5d7b99daf2aff5492131a4ca9d08e00

AveMariaRAT

449d68f816f777220922b061ddd7b58a5ad931b7fed71a7e8aa0e31ffa8c004a

AveMariaRAT

5723d03dae1f13c788dfa0bf00af0b054b886dc1bd9f319dd5fe7c60d2586560

AveMariaRAT

87576351067ea79fe0acb467ddb9c29ddce87f1179c0de4519df93bfad53dfe0

AveMariaRAT

d2dbcfd25b245609cf459f3c646b25e0fdb39da72b3224fd764a054c0d73ce14

AveMariaRAT

+ 2'618 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:modiloader family:warzonerat infostealer persistence rat trojan

Link:

https://tria.ge/reports/230525-t38s4abh8w/

Behaviour

Script User-Agent

Suspicious use of WriteProcessMemory

Program crash

Adds Run key to start application

Executes dropped EXE

ModiLoader Second Stage

Warzone RAT payload

ModiLoader, DBatLoader

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

MYWARSWARW.ddnsfree.com:5200

Unpacked files

SH256 hash:

957d4dbe710ceb16702d6febb67cb2f55cca53a58891edb7f8a8d5b1d8122dc7

MD5 hash:

28e6ab0ec670648302843af54abf05bb

SHA1 hash:

32d169ac258166dc019a71e624582f965d44427e

Detections:

DbatLoaderStage1

win_dbatloader_g1

Link:

https://www.unpac.me/results/f88de036-283d-432f-99dc-06b4f8ea82c5/

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/957d4dbe710c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Ave Maria

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/957d4dbe710ceb16702d6febb67cb2f55cca53a58891edb7f8a8d5b1d8122dc7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	avemaria_rat_yhub Create hunting rule
Author:	Billy Austin
Description:	Detects AveMaria RAT a.k.a. WarZone

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_EXEPWSH_DLAgent Create hunting rule
Author:	ditekSHen
Description:	Detects SystemBC

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	RAT_win_warzone Create hunting rule
Author:	KrknSec
Description:	Detects AveMaria/Warzone RAT binaries.
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Windows_Trojan_AveMaria_31d2bce9 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/391790/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample