MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9670a8cd3233ee7447636ae933537455ccfa56634b15141ed9beec4583c86e45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9670a8cd3233ee7447636ae933537455ccfa56634b15141ed9beec4583c86e45
SHA3-384 hash: 37f9f00aeaf177b73db510754df99707596c86e9a1372fe8f4b2eee67b0b79438dcd6aa3752a1c6dc0b3929b586bc05a
SHA1 hash: 61404e9e43e5338e40d27646fa70292de6da9e92
MD5 hash: ebfc94231e9a58e7e6a6fa94394c39a9
humanhash: blue-undress-grey-pennsylvania
File name:New-Order.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:753'664 bytes
First seen:2024-02-05 17:23:13 UTC
Last seen:2024-02-05 19:25:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:wl5H2QEI8j8qshDcfwI1s292OF7VS9X/qMT9JajrHCAcP6AkfYtZd1tnJuFaLr/Z:wlYy8bshIfwQJ2I5S9/qMWibsfm3oUP
Threatray 1'628 similar samples on MalwareBazaar
TLSH T12EF49DAC365075DFC957CD72CAA82C64EA60747B930BD203A02315ADAE0DA9BDF141F7
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter lowmal3
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
347
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9670a8cd3233ee7447636ae933537455ccfa56634b15141ed9beec4583c86e45.exe
Verdict:
Malicious activity
Analysis date:
2024-02-06 09:05:03 UTC
Tags:
bazaloader loader warzone
Link:
https://app.any.run/tasks/741f6577-77e2-4708-a10f-0feab4e5e207

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474772/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65c119b975224709405bb780/reports/368b3eba-f658-43c0-8aa5-b50492e3ab8c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9670a8cd3233ee7447636ae933537455ccfa56634b15141ed9beec4583c86e45
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e9ac54f-ef42-4b93-bb13-a69e31ddd671
Result
Threat name:
AveMaria, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1387026
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1387026 Sample: New-Order.exe Startdate: 05/02/2024 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Sigma detected: Scheduled temp file as task from temp location 2->43 45 13 other signatures 2->45 7 New-Order.exe 7 2->7         started        11 zrbqhdr.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\Roaming\zrbqhdr.exe, PE32 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpE51D.tmp, XML 7->35 dropped 47 Detected unpacking (changes PE section rights) 7->47 49 Detected unpacking (overwrites its own PE header) 7->49 51 Contains functionality to hide user accounts 7->51 59 4 other signatures 7->59 13 New-Order.exe 3 2 7->13         started        17 powershell.exe 23 7->17         started        19 schtasks.exe 1 7->19         started        53 Multi AV Scanner detection for dropped file 11->53 55 Found evasive API chain (may stop execution after checking mutex) 11->55 57 Machine Learning detection for dropped file 11->57 61 3 other signatures 11->61 21 zrbqhdr.exe 1 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 37 185.29.9.45, 49173, 49709, 49710 DATACLUB-SE European Union 13->37 63 Increases the number of concurrent connection per server for Internet Explorer 13->63 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->65 25 WmiPrvSE.exe 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        67 Contains functionality to hide user accounts 21->67 31 conhost.exe 23->31         started        signatures8 process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9670a8cd3233ee7447636ae933537455ccfa56634b15141ed9beec4583c86e45
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9670a8cd3233ee7447636ae933537455ccfa56634b15141ed9beec4583c86e45/
Threat name:
ByteCode-MSIL.Trojan.AveMariaRAT
Create hunting rule
Status:
Malicious
First seen:
2024-01-31 08:27:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=szykrtjsgpxhir3dnlutgu3ukxgpuvtdjmkrihwzx3wela6inzcq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
82024edb19dae637e9af2940bbbf5e10fc8ad04deece28d610474e993ee3450e
AveMariaRAT
90b0e81cae870478e28e0902f8011e63315394fab478fb790827d95d1c34ba6f
AveMariaRAT
9fb885a66da2ed08983a46519b97dc55e002913f859dfa1e54917f63e4d7f8f4
AveMariaRAT
dd1fa6cb67aa97468e62afeec6bfa9c1cb52f5acf029ab77a0fdd2e34cd50a21
AveMariaRAT
decfb2acfa48419eb5c32541e8b99aa142ed856a2969012374c2a30f8bd7db70
AveMariaRAT
+ 1'618 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/240205-vypebsehcm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
185.29.9.45:49173
Unpacked files
SH256 hash:
19309d532b09d4afc9a68c548dc0b7f083d0cd904c8e18fae23fd0014fe43e33
MD5 hash:
50d44a10aaa4d4f35a4a2022664b46b4
SHA1 hash:
d0719c261544c6df0868e9d0549482d45557cf63
Detections:
Warzone
Create hunting rule
win_ave_maria_auto
Create hunting rule
win_ave_maria_g0
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
MALWARE_Win_AveMaria
Create hunting rule
MALWARE_Win_WarzoneRAT
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
potential_termserv_dll_replacement
Create hunting rule
Link:
https://www.unpac.me/results/74892173-a51b-4c03-ba75-bd9fce51b1dc/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/74892173-a51b-4c03-ba75-bd9fce51b1dc/
SH256 hash:
d2cf3273461ffa1b29715828f358368312ae4f08a731f4e449a44f6dc50e26c5
MD5 hash:
df7936d5ea0c80f3003b445c7f8deb44
SHA1 hash:
b995b22e77a11cda256e84a01ccadb85451460ed
Link:
https://www.unpac.me/results/74892173-a51b-4c03-ba75-bd9fce51b1dc/
SH256 hash:
a7097659d0b8886c761709d7309bf378a7fbc7a325e2d1f4e7a1113698344f4f
MD5 hash:
d5c69b521525fc9e0ad51e65154c63aa
SHA1 hash:
9f9b885250ce857678b0941217f213d9f103f7e0
Link:
https://www.unpac.me/results/74892173-a51b-4c03-ba75-bd9fce51b1dc/
SH256 hash:
3014b859be7cafca84f61ab3398e0832d80175d76dc6ff4a45df7b2fef39dcaf
MD5 hash:
17cbde8bc5d57e164c1daa95d1b37d0b
SHA1 hash:
4856da540fd30d018fa511c9ce705871e1e2affa
Link:
https://www.unpac.me/results/74892173-a51b-4c03-ba75-bd9fce51b1dc/
SH256 hash:
a84d5b1b189170a2543ea10eef01a9b1a3d71ad364cd96ee06fc56bca540a375
MD5 hash:
3933414e1c7f62b4ad02dcfae48d504b
SHA1 hash:
1ca7ec36a42cacb7b9a1545c72341d125205a815
Link:
https://www.unpac.me/results/74892173-a51b-4c03-ba75-bd9fce51b1dc/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/74892173-a51b-4c03-ba75-bd9fce51b1dc/
SH256 hash:
06d73b35cc732c48308c14a0f72a430d6837591a49d7781a4d735ef79fe27a41
MD5 hash:
6033d3fe215e208626904dffbb9f27fc
SHA1 hash:
736a139470dd7166af2418b7d11f5dd66e13ce7f
Link:
https://www.unpac.me/results/74892173-a51b-4c03-ba75-bd9fce51b1dc/
SH256 hash:
9670a8cd3233ee7447636ae933537455ccfa56634b15141ed9beec4583c86e45
MD5 hash:
ebfc94231e9a58e7e6a6fa94394c39a9
SHA1 hash:
61404e9e43e5338e40d27646fa70292de6da9e92
Link:
https://www.unpac.me/results/74892173-a51b-4c03-ba75-bd9fce51b1dc/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9670a8cd3233/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9670a8cd3233ee7447636ae933537455ccfa56634b15141ed9beec4583c86e45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 9670a8cd3233ee7447636ae933537455ccfa56634b15141ed9beec4583c86e45

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/474772/

Comments