MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad424f679f2f0140d5d3297afa4dd1d3e1b82357b68128ab6bc8015495165a66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	ad424f679f2f0140d5d3297afa4dd1d3e1b82357b68128ab6bc8015495165a66
SHA3-384 hash:	6fd0661eac11b974d79ce705b7c36c5657ee3ebd878482bd1e81c3c4b70f0ddbe67ff25a3261e1a3b7a4b4cb8f4aeb5b
SHA1 hash:	47699e33248c01d4248e266650d27fcdedf84172
MD5 hash:	de5077d4fcea4154f65b9ce308783855
humanhash:	early-timing-network-floor
File name:	RFQ Material Standard BS 4360 GR. 40A43A.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	694'272 bytes
First seen:	2021-10-15 13:46:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	12666343f95da9cc22c238274d75b6c6 (3 x RemcosRAT, 1 x Formbook, 1 x AveMariaRAT)
ssdeep	12288:0SvSsA2JxPaLrNgLGKXhfLeoZ10VicVpJ+SnqyUz:0AdLzPCrNgLfXhaoZuVT1pqyA
Threatray	1'393 similar samples on MalwareBazaar
TLSH	T19AE48D73A7DF4E37C3239A38C41685756C9B38329E7A44D6AFE42B4C8AF9144386C167
File icon (PE):
dhash icon	fedcbf4d750f4c4c (5 x RemcosRAT, 2 x Formbook, 1 x AveMariaRAT)
Reporter	James_inthe_box
Tags:	AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

353

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RFQ Material Standard BS 4360 GR. 40A43A.exe

Verdict:

Malicious activity

Analysis date:

2021-10-15 13:48:24 UTC

Tags:

trojan stealer rat avemaria

Link:

https://app.any.run/tasks/75e79506-f0b2-49d4-ba2e-0ed217fd1ca0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/197779/

Detection(s):

SecuriteInfo.com.Trojan.Siggen15.24582.27606.26390.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Unauthorized injection to a recently created process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm evasive greyware keylogger

Link:

https://www.filescan.io/uploads/616986589a5a1e91c5c0a541/reports/39cddae2-c3d8-457f-ba15-d829282767cc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4aa020e2-0ece-4bcf-a186-937fc9672966

Result

Threat name:

AveMaria DBatLoader UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/871170

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Contains functionality to steal Chrome passwords or cookies

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses dynamic DNS services

Yara detected AveMaria stealer

Yara detected DBatLoader

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ad424f679f2f0140d5d3297afa4dd1d3e1b82357b68128ab6bc8015495165a66/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2021-10-15 13:45:36 UTC

AV detection:

12 of 42 (28.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vvbe6z47f4aubvotff5putor2pq3qi2xw2asrk3lzaavjfiwljta._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

4ae3522e80d4dbf4e6e50053d3104e327309ed478bf50040ba14a615b1da3d56

AveMariaRAT

58a5be83221386f1bae87b2a785b08c758591bcbc235b21132240feece1972bc

AveMariaRAT

5a36b6f9fe8852daabca8093de029904ab5e024426cfe3ffaeca6c14fb093501

AveMariaRAT

82572bb673e848ff6622ce079dd07a8434290e44499846952ddda1819d315db3

AveMariaRAT

9958131d419bbaf7b385485777f83c03f2757f2aa263fbb1280b1e64f961a164

AveMariaRAT

a219440a18c85fe668a060a26192f359b7b881bae02e6871baadd89b7019da9c

AveMariaRAT

b2df0162081db60f8a9ee6ee0b31611c0ef96d5c272789f995e0c4d887e568cf

AveMariaRAT

+ 1'383 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat collection infostealer rat spyware stealer

Link:

https://tria.ge/reports/211015-q3kjqabac2/

Behaviour

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads user/profile data of web browsers

Warzone RAT Payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

bestsuccess.ddns.net:2442

Unpacked files

SH256 hash:

b442c8ee81830c52fea734d23e06e69c20c2b9bfe1e40d63ccb914f87057fcdc

MD5 hash:

df88ffb63d0248e61042c6cae3f3af44

SHA1 hash:

291abeefb0563cf93bb73697ff4e5db3916e0b78

Detections:

win_temple_loader_w0

Link:

https://www.unpac.me/results/496c2721-8d7a-4b89-b842-8576635005e8/

Parent samples :

2df667c2a61c1cc161df7e8e1d7dcf1407a0bc30eb7eaf881c835fecfde5f086
e36594f316d20c3f0fb948a9c12a0190b872265c7ba49ebb4ffab701f38bbdd9
ec8a52d55cce244ac7d599b9a54b6aae59b73224f6b379c9ab999ab2a567709e
636abbcfa39fd806176a81b1b72a3d55b6d2c04e32863eb33d1324382c3d79cd
ad424f679f2f0140d5d3297afa4dd1d3e1b82357b68128ab6bc8015495165a66

SH256 hash:

ad424f679f2f0140d5d3297afa4dd1d3e1b82357b68128ab6bc8015495165a66

MD5 hash:

de5077d4fcea4154f65b9ce308783855

SHA1 hash:

47699e33248c01d4248e266650d27fcdedf84172

Link:

https://www.unpac.me/results/496c2721-8d7a-4b89-b842-8576635005e8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/ad424f679f2f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ad424f679f2f0140d5d3297afa4dd1d3e1b82357b68128ab6bc8015495165a66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/197779/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample