MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c07e38348293f1d9f3960272b93567a678005b6ad8036886d439b31f351095e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c07e38348293f1d9f3960272b93567a678005b6ad8036886d439b31f351095e1
SHA3-384 hash: eb84be69d3681d216628503dc5948ea15a47c9482042102388f8007c0ffb62a66833cf5c922f4fe9d7ee69438a1165e5
SHA1 hash: b9186416102083d1d0c14eedb0f493588359fc42
MD5 hash: bdc096717c359b865a89c113bdeb5c35
humanhash: minnesota-hamper-london-bacon
File name:FT. PRO INVOICE N. 6 DATE 28.01.2022.img.rar
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:597'813 bytes
First seen:2022-02-11 08:13:20 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:OdxmVM9BzftzQHYKTLvBl3gQVHVEVBWJ2KzU78seFBM9JTosNXxfAa7/Cr0:4MV0BzKHxFW0IWwlABM9JT1Nhfr7U0
TLSH T11FD423A54961AD31B35C858B3D81E48D2B53B415C7BDBC8E0A78F8AA94DE2CB7023671
Reporter cocaman
Tags:AveMariaRAT INVOICE rar


Avatar
cocaman
Malicious email (T1566.001)
From: ""Franco De Agazio" <batinelli@pec.it>" (likely spoofed)
Received: "from postfix-inbound-v2-0.inbound.mailchannels.net (inbound-egress-5.mailchannels.net [199.10.31.237]) "
Date: "11 Feb 2022 03:33:27 +0100"
Subject: "FT. PRO INVOICE N. 6 DATE 28.01.2022 for aaron.young"
Attachment: "FT. PRO INVOICE N. 6 DATE 28.01.2022.img.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed strictor
Link:
https://www.filescan.io/uploads/62061ace45ddfa2e18bee218/reports/fdb25cfa-a278-4af4-8e3a-491656eb1ffc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c07e38348293f1d9f3960272b93567a678005b6ad8036886d439b31f351095e1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-11 08:14:13 UTC
File Type:
Binary (Archive)
Extracted files:
14
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yb7dqnecspy5t44wajzlsnlhuz4aaw3k3abwrbwuhgzr6niqsxqq._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/220211-j415jacda3/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
79.134.225.81:2022
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar c07e38348293f1d9f3960272b93567a678005b6ad8036886d439b31f351095e1

(this sample)

AveMariaRAT

Executable exe 5f52c405a218ff95d64414fb9595de1f8a1babea5ab5b772abdf7717e9fba30f

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 5f52c405a218ff95d64414fb9595de1f8a1babea5ab5b772abdf7717e9fba30f

Comments