MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9f8a72e66d7208d3dda09ed8a4d654466b46013251cb868d36c56cd521905a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	b9f8a72e66d7208d3dda09ed8a4d654466b46013251cb868d36c56cd521905a1
SHA3-384 hash:	b02469985f05780577686d1c2d36edc86da193166f1e8dc8f495f0a2b40af1eecbf60501101f253cb0c88265b5d8ec9e
SHA1 hash:	cc3eb3653793ba1c061a239c2df8f4d4e57b2d9a
MD5 hash:	45913505bcb703cafd5ed8724626425c
humanhash:	steak-uncle-fix-snake
File name:	PA#2326-BID.vbs
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	2'499 bytes
First seen:	2022-01-13 13:29:49 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	48:HfGD+DLmIItU5S5yd7YFhJWQ0r07jaUQmYSAdkO50q3ru0rZgJ1Pq:HfW+DLmIItUMoghJh0r07GU/YSAmb6ye
Threatray	1'624 similar samples on MalwareBazaar
TLSH	T18151961E3657B424A8360CE7FE1F885E66B9639F20749580720C88E41F3891CDBC9D6F
Reporter	abuse_ch
Tags:	AveMariaRAT vbs

Intelligence

File Origin

# of uploads :

1

# of downloads :

171

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/219041/

Detection(s):

SecuriteInfo.com.Script.SNH-genTrj.15585.216.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/61e02963f2e8ec86fef8113a/reports/0ded9f17-9853-4425-a652-595e9807a3f0/overview

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/920120

Signature

Command shell drops VBS files

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Writes or reads registry keys via WMI

Writes registry values via WMI

Wscript starts Powershell (via cmd or directly)

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b9f8a72e66d7208d3dda09ed8a4d654466b46013251cb868d36c56cd521905a1/

Threat name:

Script-WScript.Trojan.Heuristic

Status:

Malicious

First seen:

2022-01-13 13:30:10 UTC

File Type:

Text (VBS)

AV detection:

8 of 27 (29.63%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xh4koltg24qi2po2bhwyutlfirtliyateuolq2gtnrlm2uqzawqq._file

Verdict:

malicious

Label(s):

avemaria

Similar samples:

2e4256a1d7bc9f40528cded530aaf91410b3b55eff762908d7bd61cb5962e51e

5a36b6f9fe8852daabca8093de029904ab5e024426cfe3ffaeca6c14fb093501

6da8c3fd977ddc6a8edfabfcae5f98b9b8eedeb26a42399b03fe38f206564d33

721c03c3cc73dddfcf27e473fc9d1962dd59b3cc7f7b70cdc17d2d6a049aed8e

a219440a18c85fe668a060a26192f359b7b881bae02e6871baadd89b7019da9c

b2df0162081db60f8a9ee6ee0b31611c0ef96d5c272789f995e0c4d887e568cf

e2b3b0be2d05701b0fcd3970c610e9854ba41eee6282003267d8a2d41ccaffba

+ 1'614 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat collection infostealer rat

Link:

https://tria.ge/reports/220113-qrty1safar/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Blocklisted process makes network request

Warzone RAT Payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

group.loseyourip.com:3928

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b9f8a72e66d7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b9f8a72e66d7208d3dda09ed8a4d654466b46013251cb868d36c56cd521905a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/219041/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample