MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab032688523c2d7c7d0c7e829a3761fe59797d0d9b24789c94b7d0a6e5e30c29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab032688523c2d7c7d0c7e829a3761fe59797d0d9b24789c94b7d0a6e5e30c29
SHA3-384 hash: d18e8b7d601d118735a92329081653b7aca02733276bfb370e6da20b8960bf6ccb0c7e52f32c252f26127f0924d54904
SHA1 hash: 6bd85f0c94574fa0f4d27e791c03871dc07776d6
MD5 hash: 9e19382494ab766b05c90cad05588c9b
humanhash: echo-salami-asparagus-lamp
File name:Quotation Request Reference Details.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:780'288 bytes
First seen:2023-03-24 14:40:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a4caac61fb9aca2a88980f4a05120259 (1 x AveMariaRAT)
ssdeep 12288:JEkDmC7ekQVonF1Wp5j6cG7yXqMiHEVXhsdnfvkGUUmyyi8jXRy2Y36j:aUz4VoF1Wp8c8tMikVXhknfvSUmy4436
Threatray 748 similar samples on MalwareBazaar
TLSH T193F48E16F7F08C37D0675A789C0767AC6829BF602928E897B6E41B1C5F7D2C03829E57
TrID 28.5% (.SCR) Windows screen saver (13097/50/3)
22.9% (.EXE) Win64 Executable (generic) (10523/12/4)
14.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win32 Executable (generic) (4505/5/1)
6.5% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon e4eaa28a849c8ca4 (2 x AveMariaRAT, 1 x ModiLoader)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
AveMariaRAT C2:
45.88.67.103:3072

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation Request Reference Details.exe
Verdict:
Malicious activity
Analysis date:
2023-03-24 14:42:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d0cd9087-85ac-41ae-a2ce-ac84dd7377ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/377133/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/74609/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook keylogger remcos zusy
Link:
https://www.filescan.io/uploads/641db67f009023b71dc2aa21/reports/170224f7-c669-4133-a0f5-b2a01b0fa393/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/ab032688523c2d7c7d0c7e829a3761fe59797d0d9b24789c94b7d0a6e5e30c29
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/eb5d2517-5224-44a5-973f-a25b2fbcdda4
Result
Threat name:
AveMaria, DBatLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1201334
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 834239 Sample: Quotation_Request_Reference... Startdate: 24/03/2023 Architecture: WINDOWS Score: 100 83 Snort IDS alert for network traffic 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 Multi AV Scanner detection for dropped file 2->87 89 8 other signatures 2->89 10 Quotation_Request_Reference_Details.exe 1 22 2->10         started        15 Axvgkjlf.exe 14 2->15         started        process3 dnsIp4 59 ylh2xw.am.files.1drv.com 10->59 61 web.fe.1drv.com 10->61 67 2 other IPs or domains 10->67 45 C:\Users\Public\Libraries\netutils.dll, PE32+ 10->45 dropped 47 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 10->47 dropped 49 C:\Users\Public\Libraries\Axvgkjlf.exe, PE32 10->49 dropped 51 C:\Users\...\Axvgkjlf.exe:Zone.Identifier, ASCII 10->51 dropped 97 Writes to foreign memory regions 10->97 99 Allocates memory in foreign processes 10->99 101 Creates a thread in another existing process (thread injection) 10->101 17 cmd.exe 3 10->17         started        20 iexpress.exe 10->20         started        63 ylh2xw.am.files.1drv.com 15->63 65 web.fe.1drv.com 15->65 69 2 other IPs or domains 15->69 103 Multi AV Scanner detection for dropped file 15->103 105 Injects a PE file into a foreign processes 15->105 22 iexpress.exe 15->22         started        file5 signatures6 process7 dnsIp8 73 Uses ping.exe to sleep 17->73 75 Drops executables to the windows directory (C:\Windows) and starts them 17->75 77 Uses ping.exe to check the status of other devices and networks 17->77 25 easinvoker.exe 17->25         started        27 PING.EXE 1 17->27         started        30 xcopy.exe 2 17->30         started        33 6 other processes 17->33 57 delta212.ddns.net 45.88.67.103, 3072, 49699 LVLT-10753US Bulgaria 22->57 79 Increases the number of concurrent connection per server for Internet Explorer 22->79 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->81 signatures9 process10 dnsIp11 35 cmd.exe 1 25->35         started        71 127.0.0.1 unknown unknown 27->71 53 C:\Windows \System32\easinvoker.exe, PE32+ 30->53 dropped 55 C:\Windows \System32\netutils.dll, PE32+ 33->55 dropped file12 process13 signatures14 91 Suspicious powershell command line found 35->91 93 Adds a directory exclusion to Windows Defender 35->93 38 powershell.exe 22 35->38         started        41 conhost.exe 35->41         started        process15 signatures16 95 DLL side loading technique detected 38->95 43 conhost.exe 38->43         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab032688523c2d7c7d0c7e829a3761fe59797d0d9b24789c94b7d0a6e5e30c29/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-03-24 14:41:07 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
9 of 37 (24.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmbsnccshqwxy7imp2bjun3b7zmxs7intmshrheuw7iknzpdbquq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
01eec7722840af58f30e5f24fa5820a75cb3d5eb4691b0e163b3a9d3e057ec52
AveMariaRAT
430af6efaf235407de033571f6b459e9f3af6d9ea67a0febe1829c86af5dceb0
AveMariaRAT
4cf4313d499e9400a60a0961344e6df29acc85e6d62e18c118bef1493f801e53
AveMariaRAT
5fa9c09761fb1b3dc555e9004d2999b63956735e3b92310929413d62d6ab24d4
AveMariaRAT
6458542795cc0a40d4ab238e2be5fb15546d5ca38e52d1f9c7d4157dca27679a
AveMariaRAT
8234459bca875caecf379ae0c4a84e76e0ef172de612dba3a060b406a922010c
AveMariaRAT
cc584053d88f795417a45c3f1eec2ccd26d42187ee6363f765a9af5e3f8ab8f8
AveMariaRAT
d0b6c6204cb45f3c128d5c44a6be4fccd053be3a32eed746358e3cc50391879e
AveMariaRAT
ecca8cea29c3f162039c81f80c0460742014a4c6a41e65b531b6cb2ad01b6c7c
AveMariaRAT
+ 738 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat collection infostealer persistence rat trojan
Link:
https://tria.ge/reports/230324-r2eshsfb35/
Behaviour
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
delta212.ddns.net:3072
Unpacked files
SH256 hash:
0fdc24568d69400ccf449973f922d1a9c37658d8fd03fddc86a4681f62ba5e6c
MD5 hash:
1b30b8a39c46ee317f392f8992ff19bc
SHA1 hash:
12d59f4aef837d6ff8cf46efe2cb4b0cf14eec23
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/57ef8e8c-d48a-4a20-ba41-f9119ec8e525/
Parent samples :
1980f4cf17585ba77a0ca7596b1be2e928ead3e98f5cd80b1c005968275ef74d
4fd695117a6e08fa904e7bc528640c25ac5cf17055bc75b39748dbb4bf9c3af9
ab032688523c2d7c7d0c7e829a3761fe59797d0d9b24789c94b7d0a6e5e30c29
c2ea82e013d071b92727a34296c5f5aac06c125a1f2c56917af8ebc06ac6183e
aee5d1b7326545ff692b98743e04d035e01415300fea8a5bf445d3490d6776cc
d061bccf32fbb8184f85439a17e4fcece7f816ea93681a80c7506e159f043cbf
SH256 hash:
ab032688523c2d7c7d0c7e829a3761fe59797d0d9b24789c94b7d0a6e5e30c29
MD5 hash:
9e19382494ab766b05c90cad05588c9b
SHA1 hash:
6bd85f0c94574fa0f4d27e791c03871dc07776d6
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/57ef8e8c-d48a-4a20-ba41-f9119ec8e525/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab032688523c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ave Maria
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab032688523c2d7c7d0c7e829a3761fe59797d0d9b24789c94b7d0a6e5e30c29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:avemaria_rat_yhub
Create hunting rule
Author:Billy Austin
Description:Detects AveMaria RAT a.k.a. WarZone
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2_RID2C2E
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_AveMaria_31d2bce9
Create hunting rule
Author:Elastic Security
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/377133/

Comments