MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b64dbd49ac4a47a4bad1a56e586edbdb222dead69226e97c94cbb7d2152b63df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b64dbd49ac4a47a4bad1a56e586edbdb222dead69226e97c94cbb7d2152b63df
SHA3-384 hash: 66991e5496da0b33ca635ed0f431660d72eb2df107cd7cac89ae28f915c7c43dfbf6b26eb3464568629dd53c30e31795
SHA1 hash: 0dbcdb87669bab9946b0bc07fae86a85f516190b
MD5 hash: b067a11b0706ebc42aeba738c012bd50
humanhash: artist-music-batman-red
File name:bincnew1.hta
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'414 bytes
First seen:2025-08-22 16:57:42 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 24:RMNmMvC4/ptEt5fNZI8Vt1c9osXRXQstuEdxKIuCMlbs8j35SktKz:4mM5pOt68sh7usxKFhfno
TLSH T10021866D9064D5DC9AB18A5323FFF51AEF2382430140920477802477FF7125ED9EB2CA
Magika txt
Reporter abuse_ch
Tags:AveMariaRAT hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
387
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a8a1c96eed937d746d1efa
Tags:
dropper overt blic
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/b64dbd49ac4a47a4bad1a56e586edbdb222dead69226e97c94cbb7d2152b63df/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b64dbd49ac4a47a4bad1a56e586edbdb222dead69226e97c94cbb7d2152b63df
Verdict:
Clean
File Type:
html
Link:
https://opentip.kaspersky.com/b64dbd49ac4a47a4bad1a56e586edbdb222dead69226e97c94cbb7d2152b63df/results?tab=lookup
Result
Threat name:
Cobalt Strike, AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1763146
Signature
AI detected malicious Powershell script
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Detected Cobalt Strike Beacon
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Yara detected AveMaria stealer
Yara detected Powershell download and execute
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1763146 Sample: bincnew1.hta Startdate: 22/08/2025 Architecture: WINDOWS Score: 100 42 www.bitsavers.org 2->42 44 ustaxes.net 2->44 46 bitsavers.org 2->46 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for dropped file 2->58 60 12 other signatures 2->60 10 mshta.exe 13 2->10         started        signatures3 process4 signatures5 62 Detected Cobalt Strike Beacon 10->62 64 Suspicious powershell command line found 10->64 66 Obfuscated command line found 10->66 68 2 other signatures 10->68 13 powershell.exe 18 28 10->13         started        process6 dnsIp7 48 bitsavers.org 208.77.18.144, 49686, 80 TZULOUS United States 13->48 50 ustaxes.net 65.21.85.206, 443, 49687 CP-ASDE United States 13->50 36 C:\Users\user\AppData\...\wtvgwn3o.cmdline, Unicode 13->36 dropped 38 C:\Users\Public\ww.pdf, PDF 13->38 dropped 40 C:\Users\Public\fire2.ps1, ASCII 13->40 dropped 70 Contains functionality to hide user accounts 13->70 18 csc.exe 3 13->18         started        21 Acrobat.exe 20 63 13->21         started        23 WerFault.exe 20 16 13->23         started        25 conhost.exe 13->25         started        file8 signatures9 process10 file11 34 C:\Users\user\AppData\Local\...\wtvgwn3o.dll, PE32 18->34 dropped 27 cvtres.exe 1 18->27         started        29 AcroCEF.exe 88 21->29         started        process12 process13 31 AcroCEF.exe 3 29->31         started        dnsIp14 52 23.203.104.175, 443, 49693 AKAMAI-ASUS United States 31->52
Score:
22%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/b64dbd49ac4a47a4bad1a56e586edbdb222dead69226e97c94cbb7d2152b63df
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Html PowerShell
Link:
https://app.malva.re/file/b067a11b0706ebc42aeba738c012bd50
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b64dbd49ac4a47a4bad1a56e586edbdb222dead69226e97c94cbb7d2152b63df/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/b64dbd49ac4a47a4bad1a56e586edbdb222dead69226e97c94cbb7d2152b63df
Threat name:
Script-WScript.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2025-08-16 19:37:10 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wzg32snmjjd2jowruvxfq3w33mrc32wwsitos7euzo35efjlmppq._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat adware defense_evasion discovery execution infostealer rat spyware
Link:
https://tria.ge/reports/250822-vg2ckawwcx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
Warzone RAT payload
WarzoneRat, AveMaria
Warzonerat family
Malware Config
C2 Extraction:
75.56.172.215:5200
Dropper Extraction:
http://www.bitsavers.org/pdf/tti/10136X07-B_QT_UT_Owners_Mar94.pdf
https://ustaxes.net/fire2.xx
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b64dbd49ac4a47a4bad1a56e586edbdb222dead69226e97c94cbb7d2152b63df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

HTML Application (hta) hta b64dbd49ac4a47a4bad1a56e586edbdb222dead69226e97c94cbb7d2152b63df

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3609336/
  
Delivery method
Distributed via web download

Comments