MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4d40fb0a869c29c9b2445f332cc287d1c040b3f87d2c345e19b0b0c9b273338. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4d40fb0a869c29c9b2445f332cc287d1c040b3f87d2c345e19b0b0c9b273338
SHA3-384 hash: d99b36293a4cd77c415f398510e9c4739bc07e80ae367c3b5143f55b5847ba8dbb2bca21cf678e1860f57d8191acee5b
SHA1 hash: 6e55809637feff35797054a40f284cfe4c6155e7
MD5 hash: 31f6b61e8a19499e84a0e6407dca00ba
humanhash: equal-ohio-zulu-skylark
File name:PAYMENT-Swift copy $16924.89.gz
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:630'923 bytes
First seen:2023-01-16 14:48:20 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 12288:FLT9mcO/cTsekKNxo++gUQz/J0cAg4C77jeU8qbJGC/tF5t:RlkKTlxUQzddPjL8qZ9
TLSH T1DBD423303E3273047CC92FC1DF94F6175634812E6C7528FAC499E29307A6DAD439A9E9
Reporter cocaman
Tags:AveMariaRAT gz payment RAT SWIFT


Avatar
cocaman
Malicious email (T1566.001)
From: ""Rachel Chow" <EXPRESS_ADG@ismarine.com.tr>" (likely spoofed)
Received: "from ismarine.com.tr (unknown [45.88.67.122]) "
Date: "16 Jan 2023 04:12:09 -0800"
Subject: "PAYMENT-Swift copy $16924.89"
Attachment: "PAYMENT-Swift copy $16924.89.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Inject.19196.16947.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c563e08352dc7065e3036a/reports/201f9d0d-510c-4dab-bc47-14f001e10496/overview
Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4d40fb0a869c29c9b2445f332cc287d1c040b3f87d2c345e19b0b0c9b273338/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-16 10:35:01 UTC
File Type:
Binary (Archive)
Extracted files:
2
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtka7mfinhbjzgzeixztftbipuoaicz7q7jmgrpbtmfqzgzhgm4a._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/230116-svrzyadb2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/b4d40fb0a869c29c9b2445f332cc287d1c040b3f87d2c345e19b0b0c9b273338

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

gz b4d40fb0a869c29c9b2445f332cc287d1c040b3f87d2c345e19b0b0c9b273338

(this sample)

AveMariaRAT

Executable exe 4106bc925a8d9a87eb8cb905de3fd10e7b7d0851aa82c3a26de23c552775812d

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 4106bc925a8d9a87eb8cb905de3fd10e7b7d0851aa82c3a26de23c552775812d
  
Dropping
AveMariaRAT

Comments