MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c2b23e3c13f11aaee671de5584d3e88e43ecbd45ca7dd609572b502825b6bb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 16 File information Comments

SHA256 hash:	9c2b23e3c13f11aaee671de5584d3e88e43ecbd45ca7dd609572b502825b6bb0
SHA3-384 hash:	2c8afb0277252a3883ebb91208d42e5d91069f3ec65865bb0c10b8324ae46a32d48a11c596dc7406a0d5a0bf8bb222fe
SHA1 hash:	c2c73444efc38edca93db38f055a3b976ea3877f
MD5 hash:	aef16932e25e35569816dc2377dad130
humanhash:	delta-spring-march-gee
File name:	Quotation List.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	28'480 bytes
First seen:	2022-10-12 07:59:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	768:g/B4dM+wksa5W60Sva+awtpT6Hquc8L6TMiRPPRMNB:EgxvT74aTMixPCNB
Threatray	681 similar samples on MalwareBazaar
TLSH	T193D25D5277E4C950CA936B32C8EB450407B0F7466D52972A3A7DB13C1B933DF2E0D99A
TrID	69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

abuse_ch

AveMariaRAT C2:
91.192.100.17:9723

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
91.192.100.17:9723	https://threatfox.abuse.ch/ioc/880342/

Intelligence

File Origin

# of uploads :

# of downloads :

262

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/319263/

Detection(s):

SecuriteInfo.com.UntrustedCertificate.Aichost.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% directory

Reading critical registry keys

Creating a file in the %temp% directory

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed packed

Link:

https://www.filescan.io/uploads/634674045cada2cbc6ebb4bb/reports/3c55e0da-985d-4947-ac14-4a6e29e66e59/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9fbc17de-717b-4d78-b9ce-cef2dd177326

Result

Threat name:

AveMaria, UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1088641

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to hide user accounts

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c2b23e3c13f11aaee671de5584d3e88e43ecbd45ca7dd609572b502825b6bb0/

Threat name:

ByteCode-MSIL.Backdoor.Andromeda

Status:

Malicious

First seen:

2022-10-12 08:00:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tqvshy6bh4i2v3thdxsvqtj6rdsd5s6ulst52yevok2qfas3noya._file

Verdict:

malicious

AveMariaRAT

1f6e1758b123080556a5ee96779d9ef63f54f9af1d07d8a3cc8cff39c636b12b

AveMariaRAT

229fb8fb9b2eaa6eace0bb84be382040031a0d6c3c17e9ab647bd6953b80cf81

AveMariaRAT

347b2260600d99e1b3007aeaf18c01e4c5bb1d9f2b97eb371c6d2d69c8ee1169

AveMariaRAT

35cd0956415cdbaece5b2791b1e8f5d1502aff0f6d36745a675e95c834d82fee

AveMariaRAT

b17806277d6aed75d13cd5cfb1512ade3d418384185c180a3d2d6685aaac751b

AveMariaRAT

b2eb87d2187c2db1b5ad4cd5b65099d47db2cc2ddbe891144b20cf7c6784bb90

AveMariaRAT

da525a55a256c2d253320895dc61c3667adc0c35ebba91a60cdc6809270cb74f

AveMariaRAT

+ 671 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat collection infostealer rat

Link:

https://tria.ge/reports/221012-jvzv4schgq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Warzone RAT payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

91.192.100.17:9723

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3acfad02-3b19-47c8-b848-ad76bd1b8309

Unpacked files

SH256 hash:

9c2b23e3c13f11aaee671de5584d3e88e43ecbd45ca7dd609572b502825b6bb0

MD5 hash:

aef16932e25e35569816dc2377dad130

SHA1 hash:

c2c73444efc38edca93db38f055a3b976ea3877f

Link:

https://www.unpac.me/results/cc9e240d-bdef-44d0-9611-13561f0dafa9/

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9c2b23e3c13f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/9c2b23e3c13f11aaee671de5584d3e88e43ecbd45ca7dd609572b502825b6bb0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/319263/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample