MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1c2c8e4bc95429bf9c936655e953db1048d56561feaf1a765008c18b713652c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1c2c8e4bc95429bf9c936655e953db1048d56561feaf1a765008c18b713652c
SHA3-384 hash: 482ecca5a6aba363729a93def8c52d7c0c05611ea67fdb0ee20f8319ff6d9e0e992020262dbe771ad5e9cea829495e9b
SHA1 hash: 7763f669ae41693674434b7c03921f22100f5865
MD5 hash: 72397a0783392438c1b499311c79d2c4
humanhash: three-ceiling-colorado-burger
File name:DHL89987567.PDF.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:458'752 bytes
First seen:2022-05-12 07:23:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:fGKem3iOAKXeFJg+6GUwhkYN8CObdMqrM8TnRPUODJZViRb1xXw2h29u2e:ssTXoJgbOhnNmWqVnRbDJHi7xw20e
Threatray 3'536 similar samples on MalwareBazaar
TLSH T188A4120433BEF36AC86E97B5CE2915CC23746D069C16C22B0DE0B4EF9BB6725509179B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:AveMariaRAT DHL exe RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269917/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/627cb625ae83652f0e9ab2e9/reports/bb3038fa-2eda-4e1f-a62a-57cf74bad0f0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c8827427-4d29-4cac-a20b-26f1a7b07122
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/992692
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 625187 Sample: DHL89987567.PDF.exe Startdate: 12/05/2022 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 16 other signatures 2->39 7 DHL89987567.PDF.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\AfhEOdP.exe, PE32 7->23 dropped 25 C:\Users\user\...\AfhEOdP.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp36BF.tmp, XML 7->27 dropped 29 C:\Users\user\...\DHL89987567.PDF.exe.log, ASCII 7->29 dropped 41 Uses schtasks.exe or at.exe to add and modify task schedules 7->41 43 Writes to foreign memory regions 7->43 45 Adds a directory exclusion to Windows Defender 7->45 47 Injects a PE file into a foreign processes 7->47 11 RegSvcs.exe 3 4 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 warzone.ddns.net 185.106.123.212, 49773, 5678 HSAE Netherlands 11->31 49 Tries to steal Mail credentials (via file / registry access) 11->49 51 Contains functionality to inject threads in other processes 11->51 53 Contains functionality to steal Chrome passwords or cookies 11->53 55 3 other signatures 11->55 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1c2c8e4bc95429bf9c936655e953db1048d56561feaf1a765008c18b713652c/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-12 01:53:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhbmrzf4svbjx6ojgzsv5fj5weci2vswd7vpdj3facgbrnytmuwa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0b2bfb9e06a4a926b8cba73fe9e9dfb793bb37b6d153cababbf33db1757104ba
AveMariaRAT
2afb0a45a821e6892c80113fec8a6c334772d97d5a870c531b6e3b1129d9a15e
AveMariaRAT
41cd83f2bc8e750ea88fbe3e517e55ae88359e9655b8a6a26b2924318c2c6a7d
AveMariaRAT
46d24de7277e3e2bc4197da59a405ce0d223736102773145c56c39089ce40627
AveMariaRAT
5a2fed655848858edfcb2a159cafc19cef92da5fb5e6d8e6b6b94ceb330f134c
AveMariaRAT
9f87376697212d314fb717bbb5fe8fcb72e567df246ab58d6739089f10138815
AveMariaRAT
b1d6a4b94c5508ac4948d91498b574710dcc2bae3ab4eff42ffb889eca5a97a2
AveMariaRAT
d3b47647c4910a938229bdc38abeb3e5b7a5a0bab20913438bc3937be5c47f0c
AveMariaRAT
e8e7cf611bfb468ddf6f73abccd708d9f25b9b2c76e2c4f7f9a1e10af38304a9
AveMariaRAT
+ 3'526 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer rat
Link:
https://tria.ge/reports/220512-h8c3tsdgep/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
warzone.ddns.net:5678
Unpacked files
SH256 hash:
c206122a7336385be557580c114ac0923192f61bc8f77aa58c898135438399f9
MD5 hash:
6c9e813248a01432890c476813d210b8
SHA1 hash:
fd54aa3af58fc3a88cb3fd6753d773cd6c51b7f8
Link:
https://www.unpac.me/results/ae735a07-d36a-4898-8a2d-c9fab4b82a86/
SH256 hash:
383e7e72d0a7d74efede5dc7cc77c094b1d2e7c360fd916bdf0fa83582a1fedb
MD5 hash:
36e83c54fd27128dfda6ce7fe8e519f3
SHA1 hash:
32469a4f8bf4e205236f7baab90fc436ea8c607e
Link:
https://www.unpac.me/results/ae735a07-d36a-4898-8a2d-c9fab4b82a86/
SH256 hash:
c1c2c8e4bc95429bf9c936655e953db1048d56561feaf1a765008c18b713652c
MD5 hash:
72397a0783392438c1b499311c79d2c4
SHA1 hash:
7763f669ae41693674434b7c03921f22100f5865
Link:
https://www.unpac.me/results/ae735a07-d36a-4898-8a2d-c9fab4b82a86/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1c2c8e4bc95429bf9c936655e953db1048d56561feaf1a765008c18b713652c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269917/

Comments