MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d64087bb6c3f3db707e9728a3800ad308ea6ce7e4b33a4dae2ee15101df4e134. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 10



SHA256 hash: d64087bb6c3f3db707e9728a3800ad308ea6ce7e4b33a4dae2ee15101df4e134
SHA3-384 hash: ad1bbbb75da5d6ff30c6c3b0d6c652489be99bb12cb5a1217d5d10692b8bf98755e1070f8b32fe40f40a4868a7fec7d3
SHA1 hash: 3dd35ddb2c956771d25724353e252c47a6f0e905
MD5 hash: c3c67bef4331fe6e84638aae09a0dd6a
humanhash: kitten-princess-north-double
File name:Scan Copy.exe
Signature AveMariaRAT
File size:955'904 bytes
First seen:2023-01-31 09:15:24 UTC
Last seen:2023-01-31 10:33:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fab723900b8ba2b2a2705c88827e03ea (1 x AveMariaRAT, 1 x ModiLoader)
ssdeep 12288:BENV/fB+g9GgglTA/CsFA4Mv5Eko1M+c/ibBdxQ7zPZ+mLJtzR:Bo79CGPmtqc/i7IBnzR
TLSH T11F159D23BAA144B7F0672D3598579325593ABE002E3CE546ABF53D4E8F37742B8242D3
TrID 35.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
32.8% (.SCR) Windows screen saver (13097/50/3)
11.2% (.EXE) Win32 Executable (generic) (4505/5/1)
5.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e4e0a48694b490e4 (2 x ModiLoader, 1 x AveMariaRAT)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


abuse_ch
AveMariaRAT C2:
194.5.98.174:3355
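The reporter's C2 above (194.5.98.174:3355) and the pelewz.duckdns.org hostname that the sandbox graph further down resolves to it are the network IOCs a practitioner would push into log matching. The following is an added example, not MalwareBazaar or sandbox code: it runs a few constructed Zeek-like DNS and connection lines (the line layout, the 10.0.0.x sources and the 203.0.113.9 answer are all made up for the example) against those IOCs, matches connections on destination only, and also flags any other duckdns.org name and any name that resolves to the C2 address.

```python
"""Match constructed DNS and connection log lines against this entry's C2 IOCs.

Added example for this MalwareBazaar entry, not MalwareBazaar code. The IOCs
come from the reporter comment (194.5.98.174:3355) and the sandbox graph
(pelewz.duckdns.org resolving to that address); the log lines and their
Zeek-like layout are constructed for the example.
"""
import re

C2_ENDPOINTS = {("194.5.98.174", 3355)}      # (dst_ip, dst_port) from the page
C2_DOMAINS = {"pelewz.duckdns.org"}          # hostname from the sandbox graph
DYNDNS_SUFFIXES = (".duckdns.org",)          # any name here deserves a look
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}

# Constructed line shapes:
#   <ts> conn <src_ip> <src_port> <dst_ip> <dst_port> <proto>
#   <ts> dns  <src_ip> <query> <answer_ip>
CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+conn\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<proto>\S+)$")
DNS_RE = re.compile(
    r"^(?P<ts>\S+)\s+dns\s+(?P<src>\S+)\s+(?P<query>\S+)\s+(?P<answer>\S+)$")


def classify_line(line):
    """Return the list of IOC hit labels for one log line ([] when clean)."""
    hits = []
    m = CONN_RE.match(line)
    if m:
        dst, dport = m.group("dst"), int(m.group("dport"))
        # Match on the destination only: the 49703/49705 seen in the sandbox
        # are ephemeral source ports and will not recur on another host.
        if (dst, dport) in C2_ENDPOINTS:
            hits.append("c2_endpoint")
        elif dst in C2_IPS:
            hits.append("c2_ip_other_port")
        return hits
    m = DNS_RE.match(line)
    if m:
        query = m.group("query").rstrip(".").lower()
        if query in C2_DOMAINS:
            hits.append("c2_domain")
        elif query.endswith(DYNDNS_SUFFIXES):
            hits.append("dyndns_query")
        # A rotated dyn-DNS name still gives itself away by what it resolves to.
        if m.group("answer") in C2_IPS:
            hits.append("resolves_to_c2_ip")
    return hits


def scan(lines):
    """Return [(line, hits)] for every line with at least one hit."""
    out = []
    for line in lines:
        hits = classify_line(line)
        if hits:
            out.append((line, hits))
    return out


# Constructed sample log (not from the page); 10.0.0.x and 203.0.113.9 are placeholders.
SAMPLE_LOG = [
    "2023-01-31T09:20:01Z dns 10.0.0.5 pelewz.duckdns.org 194.5.98.174",
    "2023-01-31T09:20:02Z conn 10.0.0.5 49703 194.5.98.174 3355 tcp",
    "2023-01-31T09:20:05Z dns 10.0.0.5 onedrive.live.com 13.107.43.13",
    "2023-01-31T09:21:10Z dns 10.0.0.7 other-host.duckdns.org 203.0.113.9",
    "2023-01-31T09:22:00Z conn 10.0.0.5 49800 194.5.98.174 443 tcp",
    "2023-01-31T09:23:00Z conn 10.0.0.5 49801 13.107.43.13 443 tcp",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(", ".join(hits).ljust(32), line)
```

The OneDrive and msedge.net traffic in the graph is left unflagged on purpose: it is the loader fetching its payload from a legitimate service, and matching on it would drown the alert in benign Microsoft traffic.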

Intelligence


File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scan Copy.exe
Verdict:
Malicious activity
Analysis date:
2023-01-31 09:17:15 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger shell32.dll
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria, DBatLoader, UACMe
Detection:
malicious
Classification:
phis.troj.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Behavior Graph ID: 795015
Sample: Scan Copy.exe
Start date: 31/01/2023
Architecture: WINDOWS
Score: 100
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 8 other signatures

Process tree (flattened from the graph; node numbers are the graph's own):
Scan Copy.exe (10)
  Network: l-0004.l-dc-msedge.net 13.107.43.13:443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); ynfj2a.am.files.1drv.com; 2 other IPs or domains
  Dropped: C:\Users\Public\Libraries\yzzdousG.pif (PE32); C:\Users\Public\Libraries\netutils.dll (PE32+); C:\Users\Public\Libraries\easinvoker.exe (PE32+); 2 other malicious files
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  -> cmd.exe (19)
       Signatures: Uses ping.exe to sleep; Drops executables to the windows directory (C:\Windows) and starts them; Uses ping.exe to check the status of other devices and networks
       -> easinvoker.exe (29)
            -> cmd.exe (39)
                 Signatures: Suspicious powershell command line found; Adds a directory exclusion to Windows Defender
                 -> powershell.exe (42)
                      Signatures: DLL side loading technique detected
                      -> conhost.exe (47)
                 -> conhost.exe (45)
       -> PING.EXE (31)
            Network: 127.0.0.1
       -> xcopy.exe (34)
            Dropped: C:\Windows \System32\easinvoker.exe (PE32+)
       -> 6 other processes (37)
            Dropped: C:\Windows \System32\netutils.dll (PE32+)
  -> yzzdousG.pif (22)
       Network: pelewz.duckdns.org 194.5.98.174:3355 (source ports 49703, 49705; DANILENKODE, Netherlands)
       Signatures: Increases the number of concurrent connection per server for Internet Explorer; Hides that the sample has been downloaded from the Internet (zone.identifier)
Gsuodzzy.exe (15)
  Network: 3 other IPs or domains
  Signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
  -> yzzdousG.pif (25)
Gsuodzzy.exe (17)
  Network: onedrive.live.com (signature attached to this node: Uses dynamic DNS services); l-0003.l-dc-msedge.net 13.107.43.12:443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 3 other IPs or domains
  -> yzzdousG.pif (27)

Note the trailing space in "C:\Windows \System32\": that is not a typo in the graph but a look-alike of the real System32 directory, which is what the "Drops executables to the windows directory" signature is reacting to. The real System32 is not writable without elevation; the look-alike is, and a path check that trims whitespace sees a trusted location.
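The signature list and process graph above (together with the Run-key autorun in the ANY.RUN behaviour list and the "Adds Run key" / "Loads dropped DLL" items in the result further down) describe a chain that host telemetry can catch at several points: executables dropped into C:\Users\Public\Libraries, the look-alike "C:\Windows \System32" directory, ping.exe against 127.0.0.1 used as a sleep, a Defender exclusion added from powershell.exe, a Run key, and a system DLL name (netutils.dll) loaded from a non-system path. The following is an added example, not MalwareBazaar or sandbox code, that encodes those observations as triage rules over constructed Sysmon-style events. The event layout, the Add-MpPreference command line and the Run key value name are assumptions for the example; the page reports the behaviour, not those literal strings.

```python
"""Host-side triage rules over constructed Sysmon-style events.

Added example for this MalwareBazaar entry; not MalwareBazaar or sandbox code.
The event dicts below are constructed to mirror the behaviour the sandboxes
report. The exact Add-MpPreference command line and the Run key value name are
assumptions; the page reports the behaviour, not the literal strings.
"""
import re

TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                        "c:\\program files (x86)\\")
PUBLIC_DROP_DIR = "c:\\users\\public\\libraries\\"
EXEC_EXTS = (".exe", ".dll", ".pif", ".scr", ".com")
# DLL names planted next to a signed host binary for side-loading; netutils.dll
# is the one this sample drops. Extend for your environment (assumption).
SIDELOAD_DLL_NAMES = {"netutils.dll"}
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


def mock_trusted_dir(path):
    """True if a directory component carries trailing whitespace and the
    whitespace-stripped path sits under a trusted directory, i.e. the
    'C:\\Windows \\System32' look-alike seen in the graph above."""
    parts = path.split("\\")
    if not any(p != p.rstrip() for p in parts[:-1]):
        return False
    stripped = "\\".join(p.rstrip() for p in parts).lower()
    return stripped.startswith(TRUSTED_DIR_PREFIXES)


def evaluate(ev):
    """Return the list of rule names one event trips ([] when clean)."""
    hits = []
    kind = ev["type"]
    if kind == "process_create":
        image, cmd = ev["image"].lower(), ev.get("cmdline", "")
        if mock_trusted_dir(ev["image"]):
            hits.append("exec_from_mock_trusted_dir")
        # ping 127.0.0.1 -n N from a script is a sleep, not a reachability check.
        if (image.endswith("\\ping.exe") and re.search(r"\s-n\s+\d+", cmd, re.I)
                and re.search(r"127\.0\.0\.1|localhost", cmd, re.I)):
            hits.append("ping_loopback_sleep")
        if (image.endswith("\\powershell.exe") and
                re.search(r"add-mppreference\s.*-exclusion(path|extension|process)", cmd, re.I)):
            hits.append("defender_exclusion_added")
    elif kind == "file_create":
        target = ev["target"]
        if mock_trusted_dir(target):
            hits.append("write_to_mock_trusted_dir")
        if target.lower().startswith(PUBLIC_DROP_DIR) and target.lower().endswith(EXEC_EXTS):
            hits.append("executable_dropped_public_libraries")
    elif kind == "registry_set":
        if RUN_KEY_RE.search(ev["target"]):
            hits.append("run_key_persistence")
    elif kind == "image_load":
        loaded = ev["loaded"]
        if mock_trusted_dir(loaded):
            hits.append("dll_loaded_from_mock_trusted_dir")
        name = loaded.rsplit("\\", 1)[-1].lower()
        if name in SIDELOAD_DLL_NAMES and not loaded.lower().startswith("c:\\windows\\system32\\"):
            hits.append("system_dll_loaded_outside_system32")
    return hits


def triage(events):
    """Return [(index, hits)] for every event that trips at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed events (not from the page) in the order the graph suggests.
SAMPLE_EVENTS = [
    {"type": "file_create", "target": r"C:\Users\Public\Libraries\yzzdousG.pif"},
    {"type": "file_create", "target": r"C:\Users\Public\Libraries\netutils.dll"},
    {"type": "file_create", "target": "C:\\Windows \\System32\\easinvoker.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 10", "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "image": "C:\\Windows \\System32\\easinvoker.exe",
     "cmdline": "easinvoker.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Add-MpPreference -ExclusionPath C:\\Users\\Public\\Libraries",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\yzzdousG"},
    {"type": "image_load", "image": "C:\\Windows \\System32\\easinvoker.exe",
     "loaded": "C:\\Windows \\System32\\netutils.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 10.0.0.1", "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "file_create", "target": r"C:\Windows\System32\drivers\etc\hosts"},
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["type"], ", ".join(hits))
```

The two last sample events (an ordinary ping and a write to the real System32) are there to show the rules stay quiet on routine activity; the mock-directory check in particular must compare the whitespace-stripped path, since the literal path "C:\Windows \System32" never matches a plain "C:\Windows\System32" prefix.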
Threat name:
Win32.Trojan.AveMariaRAT
Status:
Malicious
First seen:
2023-01-31 09:16:08 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Result
Malware family:
warzonerat
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Behaviour
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SHA256 hash:
17bac612c9b6cf52b198ee1eb70003c8f86eeefe21305f3c63858bb77e2c322c
MD5 hash:
7b72abb55df82ba832e2819ebe7cbf45
SHA1 hash:
2db357f40c6816cf1386bf248fb338b203ffb3dc
Detections:
win_dbatloader_g1
Parent samples :
SHA256 hash:
d64087bb6c3f3db707e9728a3800ad308ea6ce7e4b33a4dae2ee15101df4e134
MD5 hash:
c3c67bef4331fe6e84638aae09a0dd6a
SHA1 hash:
3dd35ddb2c956771d25724353e252c47a6f0e905
Detections:
DbatLoaderStage1
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:avemaria_rat_yhub
Author:Billy Austin
Description:Detects AveMaria RAT a.k.a. WarZone
Rule name:AveMaria_WarZone
Rule name:ave_maria_warzone_rat
Author:jeFF0Falltrades
Rule name:CMD_Ping_Localhost
Rule name:Codoso_Gh0st_1
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2_RID2C2E
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:HeavensGate
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_AveMaria
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Author:ditekSHen
Description:Detects SystemBC
Rule name:MAL_Envrial_Jan18_1
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:meth_peb_parsing
Author:Willi Ballenthin
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_AveMaria_31d2bce9
Author:Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments