MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c
SHA3-384 hash: e5c119169ea927736edf363fbde8f1a1ff8250024e2b01aa7ddf7ff16c8662f6f1e47c5f49851e4a8dd84ef13667f757
SHA1 hash: 1f5b19d4781f3e2e108e6b24b8578a39205d1812
MD5 hash: 4244160422a6e2f2e2ccae5437de4466
humanhash: eight-march-eleven-march
File name:4244160422a6e2f2e2ccae5437de4466.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:974'848 bytes
First seen:2022-09-27 17:20:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e30ed541c68a06f687211f823e9f1f7a (2 x ModiLoader, 2 x Formbook, 1 x AveMariaRAT)
ssdeep 24576:CyQCv11PbnjANYPAj81OUo6w7tNTa9W8AoqiVNW:CIP6sOUzM
Threatray 2'504 similar samples on MalwareBazaar
TLSH T13A258C23A290C736C12E12747CDF62AA7F99EDC028155CA57BD4FE7CAB3AD5027D1242
TrID 31.1% (.EXE) InstallShield setup (43053/19/16)
30.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
10.2% (.EXE) Win32 Executable Delphi generic (14182/79/4)
9.4% (.SCR) Windows screen saver (13101/52/3)
7.6% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 33f098d2d6d8f033 (12 x RemcosRAT, 7 x DBatLoader, 6 x Formbook)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
AveMariaRAT C2:
198.167.200.94:10140

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
198.167.200.94:10140 https://threatfox.abuse.ch/ioc/852023/

Intelligence

File Origin
# of uploads :
1
# of downloads :
339
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314072/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.41399.10682.20218.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39531/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/633330fe665fcdb8807a396a/reports/63bab4b3-581c-4e75-8c1e-709b531100cf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ec8729d-66bb-4684-bc20-f96c1bbd3bfd
Result
Threat name:
AveMaria, DBatLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078489
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UAC Bypass using ComputerDefaults
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 711034 Sample: HjK7PocMz5.exe Startdate: 27/09/2022 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 6 other signatures 2->57 6 HjK7PocMz5.exe 1 18 2->6         started        11 Kpgqpzjx.exe 14 2->11         started        13 Kpgqpzjx.exe 14 2->13         started        process3 dnsIp4 29 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49702, 49704 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 6->29 31 onedrive.live.com 6->31 37 2 other IPs or domains 6->37 23 C:\Users\Public\Libraries\Kpgqpzjx.exe, PE32 6->23 dropped 25 C:\Users\...\Kpgqpzjx.exe:Zone.Identifier, ASCII 6->25 dropped 27 C:\Users\Public\Libraries\Kpgqpzjx, data 6->27 dropped 59 Contains functionality to inject threads in other processes 6->59 61 Injects a PE file into a foreign processes 6->61 15 HjK7PocMz5.exe 3 4 6->15         started        33 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49708, 49710 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->33 35 onedrive.live.com 11->35 39 2 other IPs or domains 11->39 63 Antivirus detection for dropped file 11->63 65 Multi AV Scanner detection for dropped file 11->65 19 Kpgqpzjx.exe 1 11->19         started        41 3 other IPs or domains 13->41 21 Kpgqpzjx.exe 1 13->21         started        file5 signatures6 process7 dnsIp8 43 stub.ignorelist.com 198.167.200.94, 10140, 49706 CYBERDYNELR Saint Kitts and Nevis 15->43 45 Increases the number of concurrent connection per server for Internet Explorer 15->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->47 49 Installs a global keyboard hook 15->49 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-09-24 15:42:55 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tei7tsjzon73nytkjhxqr26lquubz5vykc4f74al6spydihenjga._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
21d09c77de01cc95209727752e866221ad3b66d5233ab52cfe5249a3867ef8d8
AveMariaRAT
36d30556cf1353f94fd919ba6f24ab1acc2087e30f1f7436af5041dd227f0592
AveMariaRAT
449d68f816f777220922b061ddd7b58a5ad931b7fed71a7e8aa0e31ffa8c004a
AveMariaRAT
5723d03dae1f13c788dfa0bf00af0b054b886dc1bd9f319dd5fe7c60d2586560
AveMariaRAT
87576351067ea79fe0acb467ddb9c29ddce87f1179c0de4519df93bfad53dfe0
AveMariaRAT
d9db59d346e230c873e73efb39d891b61e8026f3307772948974011989108be5
AveMariaRAT
+ 2'494 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/220927-vwy6rafbam/
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
stub.ignorelist.com:10140
Unpacked files
SH256 hash:
8d2de4d1505b3ac10de40c9a9237dbe985c3cd794825fca56bec74b57166a368
MD5 hash:
fd94d6f9d9be6fe267551909a4816dd0
SHA1 hash:
7bb89bc65e68f0a301ab610b07915e66646e09fc
Detections:
DbatLoaderStage1
Create hunting rule
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/0ee0d04d-fa2a-464b-99e1-ba176244ec1d/
SH256 hash:
9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c
MD5 hash:
4244160422a6e2f2e2ccae5437de4466
SHA1 hash:
1f5b19d4781f3e2e108e6b24b8578a39205d1812
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/0ee0d04d-fa2a-464b-99e1-ba176244ec1d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9911f9c939737fb6e26a49ef08ebcb85281cf6b850b85ff00bf49f81a0e46a4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:RansomwareTest2
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest7
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/314072/

Comments