MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e57273b7f448b8713bd164d86bfd24a01570a4f5902e09fd07d6df7088458cd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e57273b7f448b8713bd164d86bfd24a01570a4f5902e09fd07d6df7088458cd1
SHA3-384 hash: fe623a9f072c6a4e5171b8cd482a8b3abe49b176cfdd5b43e08c352e0f0996a5cfb700c93d883b92baa0fe00ab01acde
SHA1 hash: e36e2d035f0f4cfae0b43cde8bc276d9ea9ccb13
MD5 hash: 3ae8a915191e154e1d390f011d1403b0
humanhash: chicken-fillet-low-video
File name:Etahlplefwxouf.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:752'128 bytes
First seen:2022-10-11 14:07:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 60ed1e095e254a993d83e426e0a00efc (1 x AveMariaRAT)
ssdeep 12288:ARGCFg0BOWvJ4sFJzZDM94u2itVSX3x7FRS8H8VML2kjO9:AMiBOWvpPlLHitVSn52rmKk
Threatray 2'658 similar samples on MalwareBazaar
TLSH T139F49E21F2E085F3CD721A7D4C5A935DDCEA7D202E2C268757E438C8DB39982791B267
TrID 33.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
30.5% (.SCR) Windows screen saver (13101/52/3)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
6.9% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon b330d4f6d6d630b3 (2 x AveMariaRAT)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
AveMariaRAT C2:
20.98.138.214:2222

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
20.98.138.214:2222 https://threatfox.abuse.ch/ioc/878109/

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318977/
Detection(s):
SecuriteInfo.com.Win32.InjectorX-gen.18966.13011.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42516/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/6345788baab5b3e31a6a817a/reports/7b47b484-9f66-4c21-999b-8d9db7bc09b5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a3cae0c-e46c-4b2d-aaa2-d96d0fe5a9d8
Result
Threat name:
AveMaria, DBatLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1088118
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Found evasive API chain checking for user administrative privileges
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UAC Bypass using ComputerDefaults
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 720711 Sample: Etahlplefwxouf.exe Startdate: 11/10/2022 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 7 other signatures 2->43 6 Etahlplefwxouf.exe 1 20 2->6         started        11 Etahlple.exe 16 2->11         started        process3 dnsIp4 23 whnmta.sn.files.1drv.com 6->23 25 sn-files.fe.1drv.com 6->25 27 onedrive.live.com 6->27 19 C:\Users\Public\Librariestahlple.exe, PE32 6->19 dropped 21 C:\Users\...tahlple.exe:Zone.Identifier, ASCII 6->21 dropped 45 Writes to foreign memory regions 6->45 47 Allocates memory in foreign processes 6->47 49 Creates a thread in another existing process (thread injection) 6->49 13 wscript.exe 3 4 6->13         started        29 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49723, 49726 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->29 31 whnmta.sn.files.1drv.com 11->31 33 2 other IPs or domains 11->33 51 Machine Learning detection for dropped file 11->51 53 Injects a PE file into a foreign processes 11->53 17 colorcpl.exe 2 4 11->17         started        file5 signatures6 process7 dnsIp8 35 su1d.nerdpol.ovh 20.98.138.214, 2222, 49720, 49733 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 13->35 55 System process connects to network (likely due to code injection or exploit) 13->55 57 Contains functionality to inject threads in other processes 13->57 59 Contains functionality to steal Chrome passwords or cookies 13->59 61 4 other signatures 13->61 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e57273b7f448b8713bd164d86bfd24a01570a4f5902e09fd07d6df7088458cd1/
Threat name:
Win32.Trojan.AveMariaRAT
Create hunting rule
Status:
Malicious
First seen:
2022-10-11 14:02:14 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4vzhhn7ujc4hco6rmtmgx7jeuakxbjhvsaxat7ih23pxbccfrtiq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
4abee8ed31d31112c7338025f2bd96f0d6232a36db9711e6e45ee9e7f1f9c461
AveMariaRAT
508af91f6a041f7c6484e5a94e921f034efc13d5e27877042693a938709b4c2d
AveMariaRAT
5852bf7347b25ab7e1f19cd1ce6e09a5c0fd0a6bf3282db4273e0a2446476af7
AveMariaRAT
7391303e2231d2f0143f8b0e86df253054e461a52279139fb800180d32271dbb
AveMariaRAT
8277ded95ca557ee07ed92ce3460f4f9f28aa5e87486837968f4f893efa42e7c
AveMariaRAT
b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83
AveMariaRAT
bb95fa20a55260f729584b7932c7dba208dcc5b0a7597be447a72e481e0dcb09
AveMariaRAT
c1888e5a3195447def8a4c6f8ca5d2c44ae26d9f16f24b1c46916319d7195dbb
AveMariaRAT
e0f2ea5a9d7bfe2e8938ce4d6add87369783a48c2d54caf674fcc355fccb56e3
AveMariaRAT
e41578bc2d18e9eb7359e062697ecdf2ea32afc0bcbbece876b3b75b406eb619
AveMariaRAT
+ 2'648 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/221011-re1fpshcer/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
su1d.nerdpol.ovh:2222
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/feec3880-66e3-4f11-8216-c3a52a34ba24
Unpacked files
SH256 hash:
e57273b7f448b8713bd164d86bfd24a01570a4f5902e09fd07d6df7088458cd1
MD5 hash:
3ae8a915191e154e1d390f011d1403b0
SHA1 hash:
e36e2d035f0f4cfae0b43cde8bc276d9ea9ccb13
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/3ec3fb37-8fbe-4524-9d59-484f01509638/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e57273b7f448/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e57273b7f448b8713bd164d86bfd24a01570a4f5902e09fd07d6df7088458cd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2_RID2C2E
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318977/

Comments