MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e098a467269bfebf147628c817355d237854e11071312850592c10282c329dc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e098a467269bfebf147628c817355d237854e11071312850592c10282c329dc2
SHA3-384 hash: b3741360404d32b8267b6e5c08b825907899b238c71d40c8411f150d07c395eb37eedae010c456ea7236804295b059ec
SHA1 hash: 56d9f76b4f6eb25a1c61dff9d0969cfe31f1bcbe
MD5 hash: 9f124dc56425134b91a42322a831eef2
humanhash: five-thirteen-uncle-aspen
File name:e098a467269bfebf147628c817355d237854e11071312850592c10282c329dc2
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:687'104 bytes
First seen:2023-01-24 13:38:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:30TacS4nMlcQ2m+eFHRTjNf7/kow5+F5IBRKYWTHT5q:3p4qcQNRBMPRuVq
TLSH T19CE4CF771BC92FA3D12447358192146C13F8AB076422E7D23EE804F996C9FDE5A2639F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter malwarelabnet
Tags:AveMariaRAT exe WarzoneRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
e098a467269bfebf147628c817355d237854e11071312850592c10282c329dc2
Verdict:
Malicious activity
Analysis date:
2023-01-24 13:41:33 UTC
Tags:
trojan rat stealer avemaria
Link:
https://app.any.run/tasks/679b5cbe-03f7-4548-ba3d-bcdc2dbac87a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356388/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Enabling autorun
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63cfdf78416d38777a79fe26/reports/79dc759c-e123-43e1-b507-a20f4913fddd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9931904c-49f4-444c-8404-3ec451c61467
Result
Threat name:
AveMaria, DarkTortilla, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157907
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DarkTortilla Crypter
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 790644 Sample: TNAkjXXmuf.exe Startdate: 24/01/2023 Architecture: WINDOWS Score: 100 96 Snort IDS alert for network traffic 2->96 98 Malicious sample detected (through community Yara rule) 2->98 100 Multi AV Scanner detection for dropped file 2->100 102 8 other signatures 2->102 11 TNAkjXXmuf.exe 15 3 2->11         started        16 rdpvideominiport.sys 2->16         started        18 rdpdr.sys 2->18         started        20 tsusbhub.sys 2->20         started        process3 dnsIp4 86 www.google.com 142.250.203.100, 443, 49702, 49704 GOOGLEUS United States 11->86 76 C:\Users\user\AppData\...\TNAkjXXmuf.exe.log, ASCII 11->76 dropped 116 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->116 22 cmd.exe 3 11->22         started        26 cmd.exe 1 11->26         started        file5 signatures6 process7 file8 72 C:\Users\user\AppData\Roaming\ghbsmc.exe, PE32 22->72 dropped 74 C:\Users\user\...\ghbsmc.exe:Zone.Identifier, ASCII 22->74 dropped 104 Uses ping.exe to sleep 22->104 28 ghbsmc.exe 14 5 22->28         started        33 conhost.exe 22->33         started        35 PING.EXE 1 22->35         started        37 PING.EXE 1 22->37         started        106 Uses ping.exe to check the status of other devices and networks 26->106 39 reg.exe 1 1 26->39         started        41 PING.EXE 1 26->41         started        43 conhost.exe 26->43         started        signatures9 process10 dnsIp11 88 www.google.com 28->88 78 C:\Users\user\AppData\Local\...\bLkbjJhh.exe, PE32 28->78 dropped 118 Multi AV Scanner detection for dropped file 28->118 120 Machine Learning detection for dropped file 28->120 122 Writes to foreign memory regions 28->122 126 2 other signatures 28->126 45 AddInProcess32.exe 8 25 28->45         started        50 bLkbjJhh.exe 2 28->50         started        52 bLkbjJhh.exe 28->52         started        54 bLkbjJhh.exe 28->54         started        124 Creates an undocumented autostart registry key 39->124 90 127.0.0.1 unknown unknown 41->90 92 192.168.2.1 unknown unknown 41->92 file12 signatures13 process14 dnsIp15 94 185.246.220.237, 49710, 7134 LVLT-10753US Germany 45->94 80 C:\Users\user\AppData\Local\Temp\60.exe, PE32 45->80 dropped 82 C:\Program Files\Microsoft DN1\sqlmap.dll, PE32+ 45->82 dropped 128 Hides user accounts 45->128 130 Increases the number of concurrent connection per server for Internet Explorer 45->130 132 Hides that the sample has been downloaded from the Internet (zone.identifier) 45->132 56 60.exe 45->56         started        134 Antivirus detection for dropped file 50->134 136 Multi AV Scanner detection for dropped file 50->136 138 Machine Learning detection for dropped file 50->138 60 bLkbjJhh.exe 50->60         started        62 bLkbjJhh.exe 52->62         started        64 bLkbjJhh.exe 54->64         started        file16 signatures17 process18 dnsIp19 84 239.255.255.250 unknown Reserved 56->84 108 Antivirus detection for dropped file 56->108 110 Multi AV Scanner detection for dropped file 56->110 112 Uses netsh to modify the Windows network and firewall settings 56->112 114 Modifies the windows firewall 56->114 66 netsh.exe 56->66         started        68 WerFault.exe 56->68         started        signatures20 process21 process22 70 conhost.exe 66->70         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e098a467269bfebf147628c817355d237854e11071312850592c10282c329dc2/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4cmkizzgtp7l6fdwfdebonk5en4fjyiqoeysquczfqicqlbstxba._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat upx
Link:
https://tria.ge/reports/230124-qxyt6ade7x/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Sets DLL path for service in the registry
UPX packed file
Modifies WinLogon for persistence
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
e098a467269bfebf147628c817355d237854e11071312850592c10282c329dc2
MD5 hash:
9f124dc56425134b91a42322a831eef2
SHA1 hash:
56d9f76b4f6eb25a1c61dff9d0969cfe31f1bcbe
Link:
https://www.unpac.me/results/3b081161-f974-46cd-a8f3-06ec0f88116f/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e098a467269b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/e098a467269bfebf147628c817355d237854e11071312850592c10282c329dc2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356388/

Comments