MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfb877a76229db5342b35bc947a0bb12d2b5564b3567eddcc708d5e9cb4edd8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 17 File information Comments

SHA256 hash:	dfb877a76229db5342b35bc947a0bb12d2b5564b3567eddcc708d5e9cb4edd8e
SHA3-384 hash:	4476e3731341d9a899dfdd14f685215e491eeb529c9c9130a9205a1bccef031662a2b3c3c3dfdb7aeff7ad1f55a04356
SHA1 hash:	9225e1a3aef2e5309308e1f2ea1dd4ac952d21b5
MD5 hash:	9607ad352affab592f84993152e50234
humanhash:	lactose-crazy-bluebird-charlie
File name:	Eriuekal.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	27'136 bytes
First seen:	2023-04-25 08:05:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	384:e5Q4kSygaDNkQVXZOxOK8MP93U7I2kGYb1ak/fbzp:yfrSXZK99AjYJakLzp
Threatray	146 similar samples on MalwareBazaar
TLSH	T13CC2F81072AB7BC3D3BD17F5CA71414403B57D62A462FA882D9C30DA1BA2FC59E42B67
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	69e8c496aaccf071 (1 x AveMariaRAT)
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

abuse_ch

AveMariaRAT C2:
109.248.150.150:65535

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

Vendor Threat Intelligence

Malware family:

avemaria

ID:

File name:

Eriuekal.exe

Verdict:

Malicious activity

Analysis date:

2023-04-25 08:06:05 UTC

Tags:

stealer rat avemaria warzone

Link:

https://app.any.run/tasks/eb2316b5-f64d-4134-92ba-f015d94ac63d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/384744/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Creating a file

Network activity

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/644789ecc4c1dca4284a7819/reports/c1f16d81-8c30-421d-9d28-fb4eeb1ed68d/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/dfb877a76229db5342b35bc947a0bb12d2b5564b3567eddcc708d5e9cb4edd8e

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AVE_MARIA

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/958a1eb8-aaf7-4261-94f7-17ef6591bf12

Result

Threat name:

AveMaria, UACMe

Detection:

malicious

Classification:

phis.troj.adwa.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1220529

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Drops PE files to the startup folder

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dfb877a76229db5342b35bc947a0bb12d2b5564b3567eddcc708d5e9cb4edd8e/

Threat name:

ByteCode-MSIL.Trojan.Vigorf

Status:

Malicious

First seen:

2023-04-25 08:06:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=364hpj3cfhnvgqvtlpeupif3cljlkvslgvt63xghbdk6ts2o3wha._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

3abea4ab1fa4c8497722e9b58c5981fbc90fefe5a1d0bda707bdabfe3c1bdb1f

AveMariaRAT

4f93f4cec712117b9e8bd20f079e8086b6358f0d0b2738a8a448dbdf9fc3db3c

AveMariaRAT

5bfe34e8eb631772435358e76505165c19651fb9750c1817a602e6e27d12c3bb

AveMariaRAT

635aff002f09930542b741c8e5ae7e6ed57b4cacf793dabb96a2df3397a8a945

AveMariaRAT

66b54ac951afcaae39c61d837f9f38543e164f8fa93e1479fb458e8e445f7e59

AveMariaRAT

be0fa67ce465f9ae26a1ed20ddb104f2731cd3b717b2df0f469937b2d88b57cb

AveMariaRAT

d6e26fa2f4dcfe5a112c21fb851f626aa7ee8e9f6cac73bd27f927b054f7182d

AveMariaRAT

f83914dd2ce0c31fda44574ae93ecdd188e9e974d0a45b619b03db7e3d279208

AveMariaRAT

+ 136 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat collection infostealer rat spyware stealer

Link:

https://tria.ge/reports/230425-jzd47shc73/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Warzone RAT payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

109.248.150.150:65535

Unpacked files

SH256 hash:

dfb877a76229db5342b35bc947a0bb12d2b5564b3567eddcc708d5e9cb4edd8e

MD5 hash:

9607ad352affab592f84993152e50234

SHA1 hash:

9225e1a3aef2e5309308e1f2ea1dd4ac952d21b5

Link:

https://www.unpac.me/results/9ab30750-6ec3-42b8-a645-23943ead4f20/

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dfb877a76229/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/dfb877a76229db5342b35bc947a0bb12d2b5564b3567eddcc708d5e9cb4edd8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_EXEPWSH_DLAgent Create hunting rule
Author:	ditekSHen
Description:	Detects SystemBC

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_AveMaria_31d2bce9 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/384744/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample