MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6fcfa2b71a7e372ec17ad65278786c011a32cd9008e3879bdd59ad1addf63bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6fcfa2b71a7e372ec17ad65278786c011a32cd9008e3879bdd59ad1addf63bb
SHA3-384 hash: 4365ecfb1b64b6530a7c68533d62d2b702db1f3d02fb01dc5b2308fd16d7dd613e3033897f58beeea46130df07ed6d73
SHA1 hash: e2a9ea92d6805f7e7bdea72c6953e32dbf9144c2
MD5 hash: 32ac830fd8d20efe0f7316bc724d67ca
humanhash: paris-stream-mexico-michigan
File name:32ac830fd8d20efe0f7316bc724d67ca.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'073'216 bytes
First seen:2022-01-12 11:05:56 UTC
Last seen:2022-01-12 13:08:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:jSfDg8dDSPWf/IvBSuUTaXzIiOYN1iOkInX4NWGvZ74FZMNZudRSaC2C:cPfQvBgGXzIiOyrPnXWZNZuHC
TLSH T16E356B846FA51620D5EE9B32BCF06F1587B0F960A66AF34E004469D50D76BBE4B0373B
File icon (PE):PE icon
dhash icon b29286aaaaaaaed4 (7 x AveMariaRAT, 3 x QuasarRAT)
Reporter abuse_ch
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
32ac830fd8d20efe0f7316bc724d67ca.exe
Verdict:
Malicious activity
Analysis date:
2022-01-12 11:10:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f0c09634-6f66-4413-8764-acc2c298b4af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/218711/
Detection(s):
SecuriteInfo.com.Program.Unwanted.3981.5020.652.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a UDP request
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43520fe8-4213-478d-a7ed-cd6df9042bdc
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/919185
Signature
Encrypted powershell cmdline option found
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Encoded PowerShell Command Line
Uses ipconfig to lookup or modify the Windows network settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 551664 Sample: Oz93x7uzRI.exe Startdate: 12/01/2022 Architecture: WINDOWS Score: 60 34 Multi AV Scanner detection for submitted file 2->34 36 Sigma detected: Suspicious Encoded PowerShell Command Line 2->36 7 Oz93x7uzRI.exe 2 2->7         started        process3 signatures4 38 Encrypted powershell cmdline option found 7->38 10 powershell.exe 9 7->10         started        13 powershell.exe 8 7->13         started        15 powershell.exe 17 7->15         started        17 2 other processes 7->17 process5 signatures6 40 Uses ipconfig to lookup or modify the Windows network settings 10->40 19 conhost.exe 10->19         started        21 ipconfig.exe 1 10->21         started        23 ipconfig.exe 1 13->23         started        26 conhost.exe 13->26         started        28 conhost.exe 15->28         started        30 conhost.exe 17->30         started        process7 dnsIp8 32 192.168.2.1 unknown unknown 23->32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6fcfa2b71a7e372ec17ad65278786c011a32cd9008e3879bdd59ad1addf63bb/
Threat name:
ByteCode-MSIL.Ransomware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-07 16:18:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
11 of 43 (25.58%)
Threat level:
  5/5
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/220112-m7ebqacdgr/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Executes dropped EXE
Nirsoft
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
nyambe.duckdns.org:5200
Unpacked files
SH256 hash:
c6fcfa2b71a7e372ec17ad65278786c011a32cd9008e3879bdd59ad1addf63bb
MD5 hash:
32ac830fd8d20efe0f7316bc724d67ca
SHA1 hash:
e2a9ea92d6805f7e7bdea72c6953e32dbf9144c2
Link:
https://www.unpac.me/results/f14ce8f6-49df-466f-8d4a-964c5c6dbb67/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c6fcfa2b71a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.39
Link:
https://yomi.yoroi.company/submissions/c6fcfa2b71a7e372ec17ad65278786c011a32cd9008e3879bdd59ad1addf63bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe c6fcfa2b71a7e372ec17ad65278786c011a32cd9008e3879bdd59ad1addf63bb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1970321/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/218711/

Comments