MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9af5260cfd754e80c6ccefcce5f6bf2bb1d1e8853b0854d54c90858521884917. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 20 File information Comments

SHA256 hash:	9af5260cfd754e80c6ccefcce5f6bf2bb1d1e8853b0854d54c90858521884917
SHA3-384 hash:	da1c446c7feb0653ae7fe1463b6c2335d7cdf425c9b6b279f63957507a344ec8adda59beca5aa917a200be82808c0ade
SHA1 hash:	fa649339e7c05b9f5696b192f7f3a473d7c9324a
MD5 hash:	7b4eafd1b8a4a032dcdef6273bfd1b09
humanhash:	alaska-pennsylvania-salami-comet
File name:	7B4EAFD1B8A4A032DCDEF6273BFD1B09.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	846'048 bytes
First seen:	2023-07-11 23:35:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	773ef4dec25043142e4c0b01d6341cd7 (2 x ModiLoader, 1 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	12288:hGR+Vd0ckynvLwdJgNsycuL573BhZWPNFWrsEL09pmHtJNNW/8kHPc15dHi:hGAVk4Mwom77WGrs9StJNSHPSm
Threatray	270 similar samples on MalwareBazaar
TLSH	T1E105AFE26EE056B6D1335A7D4D17A368682D7E30395C284B2BF9CD585F34BC2381A393
TrID	58.4% (.OCX) Windows ActiveX control (116521/4/18) 21.5% (.EXE) InstallShield setup (43053/19/16) 7.1% (.EXE) Win32 Executable Delphi generic (14182/79/4) 6.5% (.SCR) Windows screen saver (13097/50/3) 2.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e3e1e3f1d9c9dbe2 (11 x AveMariaRAT, 9 x ModiLoader, 2 x Neurevt)
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

abuse_ch

AveMariaRAT C2:
79.110.49.161:5656

Intelligence

File Origin

# of uploads :

# of downloads :

320

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7B4EAFD1B8A4A032DCDEF6273BFD1B09.exe

Verdict:

Malicious activity

Analysis date:

2023-07-11 23:36:17 UTC

Tags:

installer

Link:

https://app.any.run/tasks/c8070ad3-cb7f-4c7b-a17b-8038313ddf28

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/416171/

Detection(s):

SecuriteInfo.com.Variant.Zusy.470739.3412.10375.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Using the Windows Management Instrumentation requests

Network activity

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/97183/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control keylogger lolbin overlay packed

Link:

https://www.filescan.io/uploads/64ade7622f8c5654cdd9e26b/reports/06dd8213-a850-414c-b266-ee804ca37fae/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/9af5260cfd754e80c6ccefcce5f6bf2bb1d1e8853b0854d54c90858521884917

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dbatloader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8b4ae5d7-8ca1-49af-932c-c2e2e92caf0a

Result

Threat name:

AveMaria, DBatLoader, UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1271308

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Found malware configuration

Increases the number of concurrent connection per server for Internet Explorer

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Uses dynamic DNS services

Yara detected AveMaria stealer

Yara detected DBatLoader

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9af5260cfd754e80c6ccefcce5f6bf2bb1d1e8853b0854d54c90858521884917/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-06 15:20:38 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tl2smdh5ovhibrwm57gol5v7foy5d2efhmefjvkmsccykimijelq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

280f496ca58dc38705871bce43803a623ae40ec1f47fd52d0eb50d49740a0725

AveMariaRAT

3477130c5c8155fefcb37b770c9ad361245c57360356770ba72b23821df5b5a3

AveMariaRAT

50b84d6a84b7bd56b635bc6816321470c7dc01308b9bffd51dade9b9d1f80132

AveMariaRAT

78b45024f4ce309e9091f88bfb65be3bfa6afd5699771d0d82b31aa085b1a111

AveMariaRAT

96237eb7f3c5304d26fb06feafab631b64a274eb1037f51b58af586040154572

AveMariaRAT

9d5bf672e7bbf92805e5c3ef96099e96634b8fdfba90a29cd73cb2c8c3e1d4bd

AveMariaRAT

c522c8ec25a1719e1063f29c749a69a75fdb7e576c9f0e9b25ee5609dc2ec46a

AveMariaRAT

c897c8d2450936785b92dae3655022d1c6f21c9a56c5117f823dec60eca96868

AveMariaRAT

e759e9073f2e56d15cdd2265d5a2540ae6fb56f7be1137ea43e95b1486b2503a

AveMariaRAT

+ 260 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:modiloader family:warzonerat collection infostealer persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/230711-3ljmbacb7y/

Behaviour

Script User-Agent

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Accesses Microsoft Outlook profiles

Adds Run key to start application

Loads dropped DLL

Reads user/profile data of web browsers

ModiLoader Second Stage

Warzone RAT payload

ModiLoader, DBatLoader

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

ugoguy01.ddns.net:5656

Unpacked files

SH256 hash:

7cfa1816e8831017cef51eb1288be06b840de92df09e8a2d576b9576a96b7e40

MD5 hash:

501abfcdeea23d13a5864506b71b8cbb

SHA1 hash:

6f02550bbd4347be86bb5b0c1c58c6c70c3f8250

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/c3833001-c219-4bde-8938-35e50c57137b/

Parent samples :

4053220e58d30e514ab543a64e3854e7c411bfa084c000172cdfe6d3e8f65875
3bfaaf7436f93dff822a8c0f81f2e805f1c6855da29e1ee3ddd6d18c04744ae8
9e0e03b59e2a06a0c63e11e5c031aca3cda0119b77d90e256e45aab01830e827
9af5260cfd754e80c6ccefcce5f6bf2bb1d1e8853b0854d54c90858521884917

SH256 hash:

9af5260cfd754e80c6ccefcce5f6bf2bb1d1e8853b0854d54c90858521884917

MD5 hash:

7b4eafd1b8a4a032dcdef6273bfd1b09

SHA1 hash:

fa649339e7c05b9f5696b192f7f3a473d7c9324a

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/c3833001-c219-4bde-8938-35e50c57137b/

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9af5260cfd75/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_EXEPWSH_DLAgent Create hunting rule
Author:	ditekSHen
Description:	Detects SystemBC

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Windows_Trojan_AveMaria_31d2bce9 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/416171/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample