MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d71b356bc7e51729a4726433111be12297dd9403a82cff2e20902944c0af748. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d71b356bc7e51729a4726433111be12297dd9403a82cff2e20902944c0af748
SHA3-384 hash: bec9fd1ce4088185755990aeea320362c9d0cd8fdc407e0167575bc95b2b24e53be65943793276396704094fd4be5857
SHA1 hash: 5a8f50b7679e947f44db2943307f947e7e26da8c
MD5 hash: 113fa30db915f15d04bef29a5bf2b366
humanhash: uranus-don-fix-mars
File name:List of new Duty Rates with list of Affected Products.xls.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:717'312 bytes
First seen:2021-07-24 10:42:52 UTC
Last seen:2021-07-24 11:49:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 192063f66e56c4c7e60a16c37f03b9eb (1 x AveMariaRAT)
ssdeep 12288:Qnmur/blGbyqcvwNiUsK469hkEc/sQjlHNnsKRYc4V:Qm0cbyqc4Nj3kEjQjVNvYLV
Threatray 1'064 similar samples on MalwareBazaar
TLSH T10BE46C1BBB8BED32F0BD35399886625C9423BF101CE721AA76DC1D09DBBD24125FA543
dhash icon 7cf4e2ccccc2c4dc (1 x AveMariaRAT, 1 x CobaltStrike, 1 x Arechclient2)
Reporter Racco42
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
List of new Duty Rates with list of Affected Products.xls.exe
Verdict:
Malicious activity
Analysis date:
2021-07-24 10:44:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2f3c442e-be08-437d-94a7-fae419d21612

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173882/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2b870b8-c22a-493e-a984-28a9113e83e5
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821209
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 453620 Sample: List of new Duty Rates with... Startdate: 24/07/2021 Architecture: WINDOWS Score: 100 44 pentester01.duckdns.org 2->44 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 7 other signatures 2->68 9 List of new Duty Rates with list of Affected Products.xls.exe 1 24 2->9         started        14 Owwglnw.exe 16 2->14         started        16 Owwglnw.exe 16 2->16         started        signatures3 process4 dnsIp5 48 onedrive.live.com 9->48 50 db-files.fe.1drv.com 9->50 52 5q9vpq.db.files.1drv.com 9->52 42 C:\Users\Public\Libraries\...\Owwglnw.exe, PE32 9->42 dropped 78 Writes to foreign memory regions 9->78 80 Allocates memory in foreign processes 9->80 82 Creates a thread in another existing process (thread injection) 9->82 18 secinit.exe 3 2 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        54 onedrive.live.com 14->54 58 2 other IPs or domains 14->58 84 Multi AV Scanner detection for dropped file 14->84 86 Machine Learning detection for dropped file 14->86 88 Injects a PE file into a foreign processes 14->88 26 secinit.exe 1 14->26         started        56 onedrive.live.com 16->56 60 2 other IPs or domains 16->60 28 ieinstal.exe 16->28         started        file6 signatures7 process8 dnsIp9 46 pentester01.duckdns.org 51.222.98.71, 23411 OVHFR France 18->46 70 Contains functionality to inject threads in other processes 18->70 72 Contains functionality to steal Chrome passwords or cookies 18->72 74 Contains functionality to steal e-mail passwords 18->74 76 2 other signatures 18->76 30 reg.exe 1 22->30         started        32 conhost.exe 22->32         started        34 cmd.exe 1 24->34         started        36 conhost.exe 24->36         started        signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d71b356bc7e51729a4726433111be12297dd9403a82cff2e20902944c0af748/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 00:49:21 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0629278e51106220eb8727f80f4c24cfb432e6344561e8518030b19b669bcc72
AveMariaRAT
0ff6edaf3533a3627afc5e2d74446e0c315087afe958b5fb2cc0a7ccb793d501
AveMariaRAT
1ec80487df001c0f6d41a90bbe2451242977a6f36a276d6eefa8aef0f593ab6b
AveMariaRAT
4d322ecc6fcc290df5cad72839e39862e84be629b7debc71474f5760e4430019
AveMariaRAT
501ac41bcfa5d205762496c20b2ffa52b4df885814b7ce6a453be09ad6a1abda
AveMariaRAT
af84cf642737e0b62537d9a78861cc129fbc0e68a34770cb70c6ccaa3f553687
AveMariaRAT
b5633b89bc09a7e0bfdb617572df279f2a08518ffe186ad3c372f2b53c210996
AveMariaRAT
d5dc65df9d699ffab0563963fa22ed0a1d833d451dfbd1d724f2a5b988494538
AveMariaRAT
da31c02c004f7e04408dea6429c362b4870c87a99fb2ae8ace1dac200a7fce5d
AveMariaRAT
f6878003c470e531787cd70fc0785bb01a5c64d6a39f0efec5aabc5ac3f5f889
AveMariaRAT
+ 1'054 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210724-3mf9wxf7ex/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
pentester01.duckdns.org:23411
Unpacked files
SH256 hash:
1fd7371f99d6d6c22279f208d56c7030cc4a7807c44eca52aceb56d7f67ce794
MD5 hash:
135e22fb2a688966b3e75e16441f9d18
SHA1 hash:
5364d1af468956d5b0341c5f43aaf674679f7a32
Link:
https://www.unpac.me/results/562bc89b-5119-4acb-ac66-1c6aa2fcada2/
SH256 hash:
9d71b356bc7e51729a4726433111be12297dd9403a82cff2e20902944c0af748
MD5 hash:
113fa30db915f15d04bef29a5bf2b366
SHA1 hash:
5a8f50b7679e947f44db2943307f947e7e26da8c
Link:
https://www.unpac.me/results/562bc89b-5119-4acb-ac66-1c6aa2fcada2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d71b356bc7e51729a4726433111be12297dd9403a82cff2e20902944c0af748

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 9d71b356bc7e51729a4726433111be12297dd9403a82cff2e20902944c0af748

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/173882/

Comments