MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b21d4971ea8d9efdea1ce27b50f8477b4d2227200da98df8842945426a90e7a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b21d4971ea8d9efdea1ce27b50f8477b4d2227200da98df8842945426a90e7a8
SHA3-384 hash: ef44239a57faa626cbea0e6790b48616ecd473e7414eec1705a0c2c3a3c215761bc4bf9d01b951c378492e6176ae5064
SHA1 hash: 2fbab4c62b657c74ccd0999e7165a2279027e017
MD5 hash: fa2edeb9b35903e7cc7b9a85e2af14dc
humanhash: moon-xray-river-carbon
File name:Zahtjev za ponudu_broj 22-0822-0397.xll
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:844'288 bytes
First seen:2022-08-22 14:57:43 UTC
Last seen:Never
File type:Excel file xll
MIME type:application/x-dosexec
imphash f20a8db3e4a8c03c1ab177b2660fdd78 (4 x Smoke Loader, 3 x AgentTesla, 2 x Gozi)
ssdeep 24576:yzLhltAdkjcX1/6xeuWDDeWeS6ZRu5DnQ:yBUjd6ZQ5z
Threatray 31 similar samples on MalwareBazaar
TLSH T18105D057F6D77A65E6AEC2BAC6F1C92C62B3349602B0C7CEB74059492913391483DB0F
TrID 58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
34.3% (.OCX) Windows ActiveX control (116521/4/18)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AveMariaRAT xll

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Zahtjev za ponudu_broj 22-0822-0397.xll
Verdict:
No threats detected
Analysis date:
2022-08-22 15:10:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2d8fdef9-a524-4c67-91c5-aa92dea01ab4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL.TrojanDownloader.Agent.KOL.21355.14570.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/b21d4971ea8d9efdea1ce27b50f8477b4d2227200da98df8842945426a90e7a8/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63039a34cdc72e865b8857b2/reports/3a2ed4c2-414b-48a4-960d-4224105975b1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1055734
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 688268 Sample: Zahtjev za ponudu_broj 22-0... Startdate: 22/08/2022 Architecture: WINDOWS Score: 48 15 Multi AV Scanner detection for submitted file 2->15 6 cmd.exe 7 2 2->6         started        process3 process4 8 EXCEL.EXE 24 21 6->8         started        11 conhost.exe 6->11         started        file5 13 Zahtjev za ponudu_...2-0822-0397.xll.LNK, MS 8->13 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b21d4971ea8d9efdea1ce27b50f8477b4d2227200da98df8842945426a90e7a8/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-08-22 10:19:57 UTC
File Type:
PE+ (Dll)
Extracted files:
2
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wious4pkrwpp32q44j5vb6chpngsejzabwuy36eeffcue2uq46ua._file
Verdict:
unknown
Similar samples:
00f2cb2064af344f06c562bd4f84899ea6db145e45bbf7fdb570749a54fbc084
AveMariaRAT
06062b94f5122b8e90cca9c672de8d16f9ea095d4f0888549583d280426b7940
AveMariaRAT
1a129b53070e067ddf5073440679c8b155d99d2c0ee1cb6326dd025dcc4c5cb3
AveMariaRAT
725ef7921a3bbdcdaab5c323e98a7117e98dc77ec8867d08be590645beffd0ae
AveMariaRAT
996cf8f61a636f8c09e5919fe6426a28b3d5b6e7865a0e46294cc0085a9e83aa
AveMariaRAT
99afafb9edf09d9430d229df428dd5532de770adbfdb5aa798574607cb6b15a2
AveMariaRAT
ca5b42fc1bbeea762b2170cc94b124ebb3731c68e445e78881fb2cc8fa6b1ccd
AveMariaRAT
f62a1c42d31a2665f1fe2ecec1895645750529f6eb9ce4a3421439bd1bff3171
AveMariaRAT
+ 21 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/220822-sb53fshcfq/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Warzone RAT payload
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b21d4971ea8d9efdea1ce27b50f8477b4d2227200da98df8842945426a90e7a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:Find_Any_Xll_Files
Create hunting rule
Author:David Ledbetter @Ledtech3
Description:Find Any XLL File
Rule name:Hunt_Excel_DNA_Built_XLL_Files
Create hunting rule
Author:David Ledbetter @Ledtech3
Description:Hunt for Excel Addin dll files generated with Excel-DNA builder https://excel-dna.net/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments