MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0773d0dcca492d5ac179ef976c7e8dbd2f8c251edd30ab02d89c7850b85d858. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 13 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0773d0dcca492d5ac179ef976c7e8dbd2f8c251edd30ab02d89c7850b85d858
SHA3-384 hash: c89654a18d10aa183c518664cabad618de804c6267ca62c0d32968b1fd56d97ddadade91cfe5390e116bd831fbdfa315
SHA1 hash: eb800e251c67c1539ea1ff527c4f2aaccb7f9bde
MD5 hash: d3d04b9a91899184dd243d0c9339928a
humanhash: table-hot-eleven-uranus
File name:d3d04b9a91899184dd243d0c9339928a
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:9'728 bytes
First seen:2022-05-25 15:47:41 UTC
Last seen:2022-05-25 16:48:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 96:RVaOQ3E7A4xbIuFWMfTiZ+/U2JpUiH2oJh7vjSGBBvLbSsq/KzNt:RUj07/bCMfT6OU2XUiWoJljSsvfSNU
Threatray 4'679 similar samples on MalwareBazaar
TLSH T15912E813F7888736DE3A0B329C3356604B78EB514512CB6E39D0694FBC327541A92F75
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c1dcdccda6a8cec6 (2 x DarkVisionRAT, 1 x Formbook, 1 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
621
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
d3d04b9a91899184dd243d0c9339928a
Verdict:
Malicious activity
Analysis date:
2022-05-25 16:02:58 UTC
Tags:
trojan stealer rat avemaria
Link:
https://app.any.run/tasks/481bafcb-e0eb-4bb7-875a-3ace55e723d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274584/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Launching a service
Loading a system driver
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Enabling autorun for a service
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628e4fcf6eb3ff32632c5598/reports/54333d7f-fab8-42a9-ac68-90e1af66a2e3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ddfd46b2-6d69-415f-a704-4005bb007d69
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001705
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected Generic Downloader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 634208 Sample: MZvvoqAUnu Startdate: 25/05/2022 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 12 other signatures 2->65 7 MZvvoqAUnu.exe 16 7 2->7         started        12 Mdtibtx.exe 14 4 2->12         started        14 Mdtibtx.exe 3 2->14         started        16 3 other processes 2->16 process3 dnsIp4 57 2.58.149.2, 49727, 49770, 49771 GBTCLOUDUS Netherlands 7->57 49 C:\Users\user\AppData\Roaming\...\Mdtibtx.exe, PE32 7->49 dropped 51 C:\Users\user\...\Mdtibtx.exe:Zone.Identifier, ASCII 7->51 dropped 53 C:\Users\user\AppData\...\MZvvoqAUnu.exe.log, ASCII 7->53 dropped 83 Writes to foreign memory regions 7->83 85 Allocates memory in foreign processes 7->85 87 Injects a PE file into a foreign processes 7->87 18 InstallUtil.exe 8 7 7->18         started        23 InstallUtil.exe 7->23         started        25 cmd.exe 1 7->25         started        89 Multi AV Scanner detection for dropped file 12->89 27 cmd.exe 1 12->27         started        29 InstallUtil.exe 12->29         started        31 cmd.exe 1 14->31         started        33 InstallUtil.exe 14->33         started        file5 signatures6 process7 dnsIp8 55 lovemebygift.ddns.net 45.137.22.35, 49769, 5200 ROOTLAYERNETNL Netherlands 18->55 47 C:\Program Files\Microsoft DN1\sqlmap.dll, PE32+ 18->47 dropped 67 Hides user accounts 18->67 69 Increases the number of concurrent connection per server for Internet Explorer 18->69 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->71 73 Installs a global keyboard hook 18->73 75 Found evasive API chain (may stop execution after checking mutex) 23->75 77 Contains functionality to inject threads in other processes 23->77 79 Contains functionality to steal Chrome passwords or cookies 23->79 81 2 other signatures 23->81 35 conhost.exe 25->35         started        37 timeout.exe 1 25->37         started        39 conhost.exe 27->39         started        41 timeout.exe 1 27->41         started        43 conhost.exe 31->43         started        45 timeout.exe 31->45         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0773d0dcca492d5ac179ef976c7e8dbd2f8c251edd30ab02d89c7850b85d858/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 15:48:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wb3t2domusjnllaxt34xnr7i3pjprqsr5xjqvmbnrhdykc4f3bma._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
032b470bea30ebbb1171b302b3fbcea932ef7602c475f14abd05ac789d9f0188
AveMariaRAT
3f61959fb38b9a780c40aa60b964ce782e82634663a9676afeb117eff328dcd1
AveMariaRAT
549d8f67e615fb4a17084e884f285947b9a4cd6c46bdd32d18bf44e71993fac4
AveMariaRAT
9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf
AveMariaRAT
9fcaf1a573e825956bfcb9eb8dbbf4cc744c73083b65f5cf807fe0f0bf1047de
AveMariaRAT
abc5f306aae4ed8a42216e5b16b14b312eac674877724fe3b9beb56b8e6cfb47
AveMariaRAT
e03cca36904d67849b070b88fc3452398de8e7efd91bf2db362eb2bb8cfa82aa
AveMariaRAT
f3c1c5cfc3e095b3ae94a810e13d707bc0e7b07ab3c6ecc9f165729a48c1cb4b
AveMariaRAT
+ 4'669 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer persistence rat
Link:
https://tria.ge/reports/220525-s8rlbsbfg9/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Sets DLL path for service in the registry
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
lovemebygift.ddns.net:5200
Unpacked files
SH256 hash:
b0773d0dcca492d5ac179ef976c7e8dbd2f8c251edd30ab02d89c7850b85d858
MD5 hash:
d3d04b9a91899184dd243d0c9339928a
SHA1 hash:
eb800e251c67c1539ea1ff527c4f2aaccb7f9bde
Link:
https://www.unpac.me/results/7096ddf6-026b-4eae-95ee-5dff9501467b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/b0773d0dcca492d5ac179ef976c7e8dbd2f8c251edd30ab02d89c7850b85d858

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pe_imphash
Create hunting rule
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe b0773d0dcca492d5ac179ef976c7e8dbd2f8c251edd30ab02d89c7850b85d858

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2210910/
Cape
Cape
https://www.capesandbox.com/analysis/274584/

Comments


Avatar
zbet commented on 2022-05-25 15:47:48 UTC

url : hxxp://2.58.149.2/mony.exe