MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97d1f00a9c4853e05bdad965148774ee6d3c58bcb864c018909d04ae99b9ed2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97d1f00a9c4853e05bdad965148774ee6d3c58bcb864c018909d04ae99b9ed2e
SHA3-384 hash: 9b7b0ee39bbd88ac16558968254285fb89b8649e9dd8be1ec1c5ec588ed00e088ec7f9f53969cda0586b72890559afb7
SHA1 hash: 653679e14a1ad538f2ca62ca3b1f4a4110fb80f4
MD5 hash: d6fa3b0d0ff9a556ba17b38db4990841
humanhash: tennessee-don-pluto-fillet
File name:97d1f00a9c4853e05bdad965148774ee6d3c58bcb864c018909d04ae99b9ed2e
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:649'216 bytes
First seen:2021-08-04 10:00:19 UTC
Last seen:2021-08-04 11:10:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:sdGkFw+NaOgKJfcpeuWnSI3qbcbi6A8ibsUbUfv:sfx2LnI3Nbt0srX
Threatray 1'132 similar samples on MalwareBazaar
TLSH T114D48D27A2A96F68F07D9739D168040093F1BA1BE321E66F7CE592E9C4B0F458653733
dhash icon 82b2aca6a6ba8e9e (1 x AveMariaRAT)
Reporter madjack_red
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176280/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.43452.23695.14318.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da868e34-1529-4b27-a472-d16508af67d8
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826760
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 459191 Sample: jCPxj1jVls Startdate: 04/08/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 6 other signatures 2->51 8 jCPxj1jVls.exe 15 8 2->8         started        process3 dnsIp4 39 www.google.com 142.250.180.164, 443, 49716, 49741 GOOGLEUS United States 8->39 29 C:\Users\user\AppData\...\oouuyyyyyy.exe, PE32 8->29 dropped 31 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 8->31 dropped 33 C:\Users\...\oouuyyyyyy.exe:Zone.Identifier, ASCII 8->33 dropped 35 C:\Users\user\AppData\...\jCPxj1jVls.exe.log, ASCII 8->35 dropped 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->55 13 oouuyyyyyy.exe 14 5 8->13         started        file5 signatures6 process7 dnsIp8 41 192.168.2.1 unknown unknown 13->41 43 www.google.com 13->43 37 C:\Users\user\AppData\Local\Temp\uyyyt.exe, PE32 13->37 dropped 57 Multi AV Scanner detection for dropped file 13->57 59 Machine Learning detection for dropped file 13->59 61 Writes to foreign memory regions 13->61 63 3 other signatures 13->63 18 uyyyt.exe 2 13->18         started        21 AddInProcess32.exe 13->21         started        23 uyyyt.exe 13->23         started        file9 signatures10 process11 signatures12 53 Multi AV Scanner detection for dropped file 18->53 25 uyyyt.exe 18->25         started        27 WerFault.exe 23 7 21->27         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97d1f00a9c4853e05bdad965148774ee6d3c58bcb864c018909d04ae99b9ed2e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-19 03:24:05 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s7i7acu4jbj6aw623fsrjb3u5zwtywf4xbsmageqtuck5gnz5uxa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
09fde9ea165ae44ebc4956fc4cdbc72c9f51db639219b7bef1975e0d571f8080
AveMariaRAT
442e74649ae6be0b2f84e73917c8ef704ca9aaa15d7922d0807731a15f3ce019
AveMariaRAT
48fa514aefde6f61a5fbf181dbcc255f9a5027beeb53f683cc2615889365904c
AveMariaRAT
4cd1f14c1edad0029600ee41fe2e8cd09332a86b5e6b533f96632ce6192c4b6e
AveMariaRAT
8d98f6090c83a627a2922f45047ad42e91002e7a54abe5f5f55dd91a3d14476f
AveMariaRAT
9d43e942f513a32e1c0db58de3d63abb24a8a4bc7bef3da4a6106656b9a64a5f
AveMariaRAT
e82c6834c7a9fb7ffa1d5b5ccafe0b2a97a4ff30bfe5e770e26f6b1232e5b672
AveMariaRAT
+ 1'122 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat agilenet infostealer rat
Link:
https://tria.ge/reports/210804-cswqrkmfex/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
warzonne.publicvm.com:22649
Unpacked files
SH256 hash:
97d1f00a9c4853e05bdad965148774ee6d3c58bcb864c018909d04ae99b9ed2e
MD5 hash:
d6fa3b0d0ff9a556ba17b38db4990841
SHA1 hash:
653679e14a1ad538f2ca62ca3b1f4a4110fb80f4
Link:
https://www.unpac.me/results/c4fdacaf-fae3-474f-89a6-748dd2743cfa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/97d1f00a9c4853e05bdad965148774ee6d3c58bcb864c018909d04ae99b9ed2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176280/

Comments