MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adbaaaedf5553fca319364ec9f2685b546fdc135352e96654c692b12e7cd40ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 10



SHA256 hash: adbaaaedf5553fca319364ec9f2685b546fdc135352e96654c692b12e7cd40ed
SHA3-384 hash: 935dda9d6b15c6dc671b1fc618a87f1b13c5f18b64627a54b4f7420c8499e32048d656f25999bc6d4521c18286527e36
SHA1 hash: b8c3e97deebce1cfaa821e8ef822754b7c0fdec0
MD5 hash: e48a6f316e081f116c1b9c812f35694d
humanhash: angel-oklahoma-oregon-nine
File name: Doc_DELIVERY_89099388889904038838727.exe
Signature AveMariaRAT
File size: 999'936 bytes
First seen: 2022-03-31 17:19:05 UTC
Last seen: 2022-04-01 09:36:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:O3e++FDx40edo8h45AT22Z32EPbje9pDO/Q02:O39+Fu0eKqdTtRnK3DIR
TLSH T13C25232332E98B15C6BD47B6582251852737BE2F3422EF2C1BDC748E45B378562A23D7
Reporter GovCERT_CH
Tags: AveMariaRAT exe SnakeKeylogger

Intelligence


File Origin
# of uploads: 3
# of downloads: 240
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria Snake Keylogger
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Threat name:
Win32.Backdoor.WarzoneRAT
Status:
Malicious
First seen:
2022-03-31 17:20:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
17 of 26 (65.38%)
Threat level:
5/5
Result
Malware family:
warzonerat
Score:
10/10
Tags:
family:snakekeylogger family:warzonerat collection infostealer keylogger persistence rat spyware stealer
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Modifies WinLogon
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Sets DLL path for service in the registry
Snake Keylogger
Snake Keylogger Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
76.8.53.133:1198
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe adbaaaedf5553fca319364ec9f2685b546fdc135352e96654c692b12e7cd40ed

(this sample)

Dropped by
snakekeylogger
Delivery method
Distributed via e-mail attachment

Comments