MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a26a4ac06ea2329c61b5ea6f235ff63d1cf45961598471b4440af2374ceae7de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 11 File information Comments

SHA256 hash:	a26a4ac06ea2329c61b5ea6f235ff63d1cf45961598471b4440af2374ceae7de
SHA3-384 hash:	a08586ba1ab028a6e3c90533525ec4b407d633a542187cb1051ac629dc188fb35d384474590bb2a4e1a84339b3ac21c9
SHA1 hash:	05866f89bf74f9b4d9c8f60f73ceed077291473e
MD5 hash:	96c02620ca07f36a14318e9be1d11f08
humanhash:	cardinal-undress-six-berlin
File name:	SecuriteInfo.com.W32.AIDetectNet.01.9356.18333
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	1'466'040 bytes
First seen:	2022-08-12 08:38:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:5slGJ6643+yvXZWuSPIo0NrjOmMcdCQ0PP6M:SEg9JLSPIo0Jj5McEN6M
TLSH	T1C2657B6264262A4EE9293171D156F36D86058FFC4D77DA4CFC4AB21ED232B831CBD683
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	b270e4b2d861b0e0 (11 x AveMariaRAT, 10 x AgentTesla, 2 x XFilesStealer)
Reporter	SecuriteInfoCom
Tags:	AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

325

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

avemaria

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.9356.18333

Verdict:

Malicious activity

Analysis date:

2022-08-12 08:44:10 UTC

Tags:

trojan stealer rat avemaria arkei warzone

Link:

https://app.any.run/tasks/d4b09e16-de38-4822-8e5e-417315508a79

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/298202/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.9356.18333.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/62f61229810e2831b73cdd7d/reports/4a413027-5d25-4943-b373-8f35d8d7d15b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/392d5e57-a173-4d1b-8527-947576d5e921

Result

Threat name:

AveMaria

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1050474

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to hide user accounts

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AveMaria stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a26a4ac06ea2329c61b5ea6f235ff63d1cf45961598471b4440af2374ceae7de/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2022-08-12 08:39:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ujvevqdouizjyynv5jxsgx7whuopiwlblgchdnceblzdothk47pa._file

Verdict:

malicious

Label(s):

avemaria

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat collection infostealer persistence rat

Link:

https://tria.ge/reports/220812-kkac5sdec3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Checks computer location settings

Loads dropped DLL

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

103.231.91.59:56128

Unpacked files

SH256 hash:

ff9bfab9d0b2804497e857897d24aa39afb20adf18818b726aeb7a7320c2d35b

MD5 hash:

442c4c35c482cdd5274329bc7f4dea00

SHA1 hash:

9c44fd18e88e27693442a9cf220339cd7227a2ad

Detections:

win_ave_maria_g0

win_ave_maria_auto

Link:

https://www.unpac.me/results/617b4e21-cd50-4dc0-810a-b6de3b77b074/

Parent samples :

a26a4ac06ea2329c61b5ea6f235ff63d1cf45961598471b4440af2374ceae7de
9934a76dac67d2b65192f477720b42237dac4cd5cfe9c52d9d23ed1e57b6b39b

SH256 hash:

2e40383b18fd6de52f240a696c1373f1cb4e480f2a146763fd6088b677b40a6b

MD5 hash:

ab7f4d0d1d1766e3cdbee37371e80177

SHA1 hash:

bf83c04391547fa4b59f48b204590bf167347ddc

Link:

https://www.unpac.me/results/617b4e21-cd50-4dc0-810a-b6de3b77b074/

SH256 hash:

a6acfe617040a5005be0d1675756dc9f09596d3bb2bb3ebc8a2c6881b8c4cfd7

MD5 hash:

db843358b89f4074346cab346720ab06

SHA1 hash:

94d77a5f2d66f20baf557ad30c3ab284665980d9

Link:

https://www.unpac.me/results/617b4e21-cd50-4dc0-810a-b6de3b77b074/

SH256 hash:

477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52

MD5 hash:

16a9ddc4b32981114fe4f069a4353105

SHA1 hash:

bf73849f57c150f9e2199c61427f631be2dfa595

Link:

https://www.unpac.me/results/617b4e21-cd50-4dc0-810a-b6de3b77b074/

SH256 hash:

f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36

MD5 hash:

6c72218c48cd68cbcb654675053a0abb

SHA1 hash:

12207fa32070f99683648d87b44410e5d3cdf2de

Link:

https://www.unpac.me/results/617b4e21-cd50-4dc0-810a-b6de3b77b074/

SH256 hash:

a26a4ac06ea2329c61b5ea6f235ff63d1cf45961598471b4440af2374ceae7de

MD5 hash:

96c02620ca07f36a14318e9be1d11f08

SHA1 hash:

05866f89bf74f9b4d9c8f60f73ceed077291473e

Link:

https://www.unpac.me/results/617b4e21-cd50-4dc0-810a-b6de3b77b074/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a26a4ac06ea2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/a26a4ac06ea2329c61b5ea6f235ff63d1cf45961598471b4440af2374ceae7de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/298202/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample