MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97b221ffa636705b21793d9d4c95f08c5f8fb21ef228dcb8b96fdc9705c91bc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 13 File information Comments 1

SHA256 hash:	97b221ffa636705b21793d9d4c95f08c5f8fb21ef228dcb8b96fdc9705c91bc0
SHA3-384 hash:	73e4f0c1362a2eb887e8a8d0ee0b05b54785b907d7558eb7fc6a988fc70be154f51dadeb738429081076ec2935e3cdfb
SHA1 hash:	d6628212454f87838b1ee971aed0b1e1c8a27477
MD5 hash:	1e3acddc7186ceb7497df73db60539a3
humanhash:	equal-high-seven-mike
File name:	1e3acddc7186ceb7497df73db60539a3
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	100'352 bytes
First seen:	2022-09-13 18:46:30 UTC
Last seen:	2025-09-27 23:34:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b76aafdc988ade2ab3db3b02fa4c6d00 (26 x AveMariaRAT, 1 x njrat, 1 x NanoCore)
ssdeep	1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEyp:AtD6jSm0uWRfCogTjVEG
Threatray	2'547 similar samples on MalwareBazaar
TLSH	T16FA39D2377E1443DF67502B02ABCBE7A97FEF9750321895FA36811836E72548E926343
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	zbetcheckin
Tags:	32 AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

372

Origin country :

Vendor Threat Intelligence

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/309845/

Detection(s):

Win.Malware.Sllg-9774396-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/37591/overview

Behaviour

MalwareBazaar

CheckCmdLine

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AVE_MARIA

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/37103cf7-dd4f-4c5a-980c-93526fc557cf

Result

Threat name:

AveMaria, UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1069770

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Increases the number of concurrent connection per server for Internet Explorer

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

warzone

Link:

https://mwdb.cert.pl/sample/97b221ffa636705b21793d9d4c95f08c5f8fb21ef228dcb8b96fdc9705c91bc0/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2022-09-12 12:46:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s6zcd75ggzyfwilzhwouzfpqrrpy7mq66iunzofzn7ojobojdpaa._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

2d863ab15315230edc7f71c74ba3be0e747ec5804668ab3918c233d0a9e77e59

AveMariaRAT

49fefdfc050c39970be4d41c9e193384f00305940ed6f93d114324533e1b7336

AveMariaRAT

66fe35bea283335f4fc67950ca3f4a73f5a937bf1b7144435ca68078aef1da75

AveMariaRAT

694af635c6eaa54b9ffca0c862845d1ef3fd5f90e5c088d2f45e553e9b51f790

AveMariaRAT

8e4f9c50d684e420c808b44d32287262f57cdbb5780dca6488556a41107d3491

AveMariaRAT

a7dbd8ed5c0555566904672e5e5e2d340c0368b3163c4e60752b842d0e0fffe0

AveMariaRAT

+ 2'537 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer rat

Link:

https://tria.ge/reports/220913-xe8pzagdc5/

Behaviour

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

blackbenz.duckdns.org:2424

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c4f13eb9-d434-493c-af85-02b246bfe2ad

Unpacked files

SH256 hash:

97b221ffa636705b21793d9d4c95f08c5f8fb21ef228dcb8b96fdc9705c91bc0

MD5 hash:

1e3acddc7186ceb7497df73db60539a3

SHA1 hash:

d6628212454f87838b1ee971aed0b1e1c8a27477

Detections:

Warzone

win_ave_maria_auto

win_ave_maria_g0

Link:

https://www.unpac.me/results/87f490c4-1a3c-4f90-8946-aad88f58864f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/97b221ffa636705b21793d9d4c95f08c5f8fb21ef228dcb8b96fdc9705c91bc0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2_RID2C2E Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	troj_win_warzonerat Create hunting rule
Author:	Jeff White (karttoon@gmail.com) @noottrak
Description:	Detects WarzoneRAT.
Reference:	https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/