MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d25c34a0e717a908abd9b9e6a21070ffd74a43025dcd55eae7e787b57b7c181a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 6

Intelligence 6 IOCs YARA 21 File information Comments

SHA256 hash:	d25c34a0e717a908abd9b9e6a21070ffd74a43025dcd55eae7e787b57b7c181a
SHA3-384 hash:	ca8d1102ca21ddd7c50087caf5316cb0f9975d148af1fbd7dd046f0da017f2381ac614df36e06da03c75da75f10cb94c
SHA1 hash:	484809b9c031026ebf68070d88b3269356b65b02
MD5 hash:	7c43fe5d157ed2c173659230051f4120
humanhash:	football-bacon-whiskey-earth
File name:	Purchase Request LIST_T7FIBA00541.z
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	565'510 bytes
First seen:	2023-09-22 14:42:33 UTC
Last seen:	Never
File type:	z
MIME type:	application/x-rar
ssdeep	12288:5mAKjfxT+RiIeAHaRj2LScNRGBnhEzh9ZbiUGNAdObotVR:EfxqRheziLP28ZbiUGNMOb+
TLSH	T153C423253440F481F9A7B13E7A813D06B167B3798A9127F1BEF9AA144EB14375C2A0F7
TrID	58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1) 41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	AveMariaRAT z

cocaman

Malicious email (T1566.001)
From: "Steve Yin<codent@wavlink.com>" (likely spoofed)
Received: "from [185.225.75.192] (unknown [185.225.75.192]) "
Date: "22 Sep 2023 04:50:08 +0200"
Subject: "Quote."
Attachment: "Purchase Request LIST_T7FIBA00541.z"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:	Purchase Request LIST_T7FIBA00541·PDF.scr
File size:	1'451'472 bytes
SHA256 hash:	ece230bd3c6294d5e194ebd36d26ffdbe7e0ce7681b920713224b3742f7498c2
MD5 hash:	4f189d306d0a40ffb194a296261111b2
MIME type:	application/x-dosexec
Signature	AveMariaRAT

File name:	32512
File size:	188 bytes
SHA256 hash:	50754318d26dba3f88614de1876671de7b6da4221d50886070da0b620045c36e
MD5 hash:	2b813330dc0a2164eb1fa23549e3828d
MIME type:	application/octet-stream
Signature	AveMariaRAT

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin masquerade overlay packed remcos replace

Link:

https://www.filescan.io/uploads/650da7f683a0c6425dfc8d88/reports/e3e4ac16-f011-431e-b670-0045dae9705b/overview

Verdict:

Malicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/d25c34a0e717a908abd9b9e6a21070ffd74a43025dcd55eae7e787b57b7c181a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d25c34a0e717a908abd9b9e6a21070ffd74a43025dcd55eae7e787b57b7c181a/

Threat name:

ByteCode-MSIL.Backdoor.Warzone

Status:

Malicious

First seen:

2023-09-22 03:17:54 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

20 of 36 (55.56%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2jodjihhc6uqrk6zxhtkeedq77luuqyclxgvl2xh46d3k634dana._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/d25c34a0e717a908abd9b9e6a21070ffd74a43025dcd55eae7e787b57b7c181a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_AveMaria_31d2bce9 Create hunting rule
Author:	Elastic Security

Rule name:	win_ave_maria_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

z d25c34a0e717a908abd9b9e6a21070ffd74a43025dcd55eae7e787b57b7c181a

(this sample)

AveMariaRAT

exe ece230bd3c6294d5e194ebd36d26ffdbe7e0ce7681b920713224b3742f7498c2

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 ece230bd3c6294d5e194ebd36d26ffdbe7e0ce7681b920713224b3742f7498c2

Dropping

AveMariaRAT

Dropping

MD5 4f189d306d0a40ffb194a296261111b2

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample