MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbaa3341664b5cad875b8510d3382594a4027345c520e998e41c3fdf78309d91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 13



SHA256 hash: bbaa3341664b5cad875b8510d3382594a4027345c520e998e41c3fdf78309d91
SHA3-384 hash: f6970ac0aa8e38c8cc6ff870de77282f6a3f7571c229fdffa21143a0b16d4db04345c403fb87eed11b25068c2f8e1b3f
SHA1 hash: b2a7c31c874fe43e3d90d8e123b498bd51df4d0b
MD5 hash: db58fedb013186658c28fa421164e79b
humanhash: salami-beer-alpha-helium
File name: bbaa3341664b5cad875b8510d3382594a4027345c520e998e41c3fdf78309d91
Signature: AveMariaRAT
File size: 1'388'728 bytes
First seen: 2021-09-24 06:07:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep: 24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWYz:8u0c++OCvkGs9Fa+rd1f26RaYz
Threatray: 1'333 similar samples on MalwareBazaar
TLSH: T10155BF52E39EC2F0DE165172BA7DF71A2F3F3C254530B956AFC52D3AAD21021112DAA3
dhash icon: c4c0ccc8ccf4d4fc (23 x NetWire, 14 x AveMariaRAT, 11 x Formbook)
Reporter: JAMESWT_WT
Tags: AveMariaRAT exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 107
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: bbaa3341664b5cad875b8510d3382594a4027345c520e998e41c3fdf78309d91
Verdict: Malicious activity
Analysis date: 2021-09-24 06:29:11 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Threat name: AveMaria Netwire UACMe
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected Netwire RAT
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph: ID 489711, Sample: LkZiCbLQkk, Startdate: 24/09/2021, Architecture: WINDOWS, Score: 100. The rendered graph is not reproduced here; at the top level it shows the sample contacting wealthyme.ddns.net, wealth.warzonedns.com and Wealthy2019.com.strangled.net, dropping RtDCpl64.exe, Blasthost.exe and Host.exe under the user's AppData folder, and invoking schtasks.exe and cmd.exe.
Threat name: Win32.Trojan.NetWired
Status: Malicious
First seen: 2021-09-21 09:30:00 UTC
AV detection: 38 of 45 (84.44%)
Threat level: 5/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:netwire family:warzonerat botnet infostealer rat stealer
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
autoit_exe
Loads dropped DLL
Executes dropped EXE
Warzone RAT Payload
NetWire RAT payload
Netwire
WarzoneRat, AveMaria
Malware Config
C2 Extraction: wealth.warzonedns.com:5202
Unpacked files
SHA256 hash: a434d913e9e6a252ee1d613f8e5c51d5a5f48fdb0f4d0b90632902cc4bed5365
MD5 hash: 43365642ef4476ee818936a44b99cd7b
SHA1 hash: 9c91415e5e34715be257fc53a741a762c7f41206
SHA256 hash: a02fee8261a3d7e1f0d3186e3af8df911e1d87daf3676ed6738c3cdd95d2f384
MD5 hash: fea5b8b55bb0139b97a006bfa3af2ca9
SHA1 hash: 64b5afa3a6499eec756eed84c4c5e86c03fa80ae
SHA256 hash: fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c
MD5 hash: 6b906764a35508a7fd266cdd512e46b1
SHA1 hash: 2a943b5868de4facf52d4f4c1b63f83eacd882a2
SHA256 hash: 4157d266ee4d606c42ca19d42a363744db82f056cc20721642240cc91fa6870e
MD5 hash: e6359328349527d84d8a02bf1f937d80
SHA1 hash: f02c501584647d65f12371bcd086722642664f5b
Detections: win_netwire_g1 win_netwire_auto
Parent samples: …
SHA256 hash: 3e9df139fc284218d0e4f004b3303e560f308f424a0c3c5ebcb2356645a1ff68
MD5 hash: 275f6c78b03a6ce9a1f9f6a53e660c58
SHA1 hash: 0203c234e4777aea959adcd00055c4ad5d42c337
Detections: win_ave_maria_g0 win_ave_maria_auto
Parent samples: …
SHA256 hash: bbaa3341664b5cad875b8510d3382594a4027345c520e998e41c3fdf78309d91
MD5 hash: db58fedb013186658c28fa421164e79b
SHA1 hash: b2a7c31c874fe43e3d90d8e123b498bd51df4d0b
Detections: win_netwire_g1
Malware family: Warzone
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).
Rule name: AveMaria
Author: @bartblaze
Description: Identifies AveMaria aka WarZone RAT.
Rule name: AveMaria_WarZone
Rule name: ave_maria_warzone_rat
Author: jeFF0Falltrades
Rule name: Codoso_Gh0st_1
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name: Codoso_Gh0st_1_RID2C2D
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name: Codoso_Gh0st_2
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name: Codoso_Gh0st_2_RID2C2E
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name: MALWARE_Win_AveMaria
Author: ditekSHen
Description: AveMaria variant payload
Rule name: MALWARE_Win_WarzoneRAT
Author: ditekSHen
Description: Detects AveMaria/WarzoneRAT
Rule name: netwire
Author: JPCERT/CC Incident Response Group
Description: detect netwire in memory
Reference: internal research
Rule name: netwire
Author: jeFF0Falltrades
Rule name: RDPWrap
Author: @bartblaze
Description: Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference: https://github.com/stascorp/rdpwrap
Rule name: win_ave_maria_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.ave_maria.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments