MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e670e7e426009d13b122f0f1bcc48c4f3cfcaaa3dd6159704290435c23200190. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e670e7e426009d13b122f0f1bcc48c4f3cfcaaa3dd6159704290435c23200190
SHA3-384 hash: 4a8bf5db4c25a4bb16b3c4f5e2a56c86275123219513755c6e67554dbe7b0041f8a0c3a5f7e010a6d52de3756ccd05d4
SHA1 hash: edadcc3146782c2fe591e5e2800c5b93512d06de
MD5 hash: 1d50411854b39c195e257fe4eb451cd8
humanhash: eleven-cold-helium-hotel
File name:1d50411854b39c195e257fe4eb451cd8
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'189'376 bytes
First seen:2022-07-26 17:04:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 205f6434858f3f8cc9e8b96d094507a2 (8 x DBatLoader, 4 x ModiLoader, 3 x AveMariaRAT)
ssdeep 24576:DDA1mchKTwkH17WtMBhiUDxvHiMYStttVSn52pAf2rDNtl2aCHX:DDhc8ZPbVIqSn52KN
TLSH T1A0455A2AF79B4C32F076363C5AC6816044277F202AF5D8A136DDE948DBB5E4078F598B
TrID 80.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
14.1% (.OCX) Windows ActiveX control (116521/4/18)
1.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.5% (.SCR) Windows screen saver (13101/52/3)
0.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon dc9c7ce6acace2c1 (1 x AveMariaRAT, 1 x RustyStealer)
Reporter zbetcheckin
Tags:32 AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
411
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/294437/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.12280.17299.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27544/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger obfuscated
Link:
https://www.filescan.io/uploads/62e01ed0cfc30516768e4a71/reports/c61f4e1e-0e3b-4559-8c8e-4eaaeef18f04/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9ee34fb-e31b-47c5-81d2-3191cf06d09d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1041284
Signature
Antivirus detection for dropped file
Increases the number of concurrent connection per server for Internet Explorer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e670e7e426009d13b122f0f1bcc48c4f3cfcaaa3dd6159704290435c23200190/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-26 16:45:59 UTC
File Type:
PE (Exe)
Extracted files:
85
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4zyopzbgacorhmjc6dy3zremj46pzkvd3vqvs4ccsbbvyizaagia._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat collection infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220726-vlttaafae9/
Behaviour
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
ModiLoader Second Stage
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
e5cee39f56c43d207f40862077d5b015e62929ff21f9de4e45c3b958c8947770
MD5 hash:
0de7dbbda445e257c9169774b9a8000b
SHA1 hash:
23ab78a6fdd513f2b3877efc92a71fe7d44db0db
Link:
https://www.unpac.me/results/6fd96c1e-2def-4205-a910-1c3035b76258/
SH256 hash:
e670e7e426009d13b122f0f1bcc48c4f3cfcaaa3dd6159704290435c23200190
MD5 hash:
1d50411854b39c195e257fe4eb451cd8
SHA1 hash:
edadcc3146782c2fe591e5e2800c5b93512d06de
Link:
https://www.unpac.me/results/6fd96c1e-2def-4205-a910-1c3035b76258/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe e670e7e426009d13b122f0f1bcc48c4f3cfcaaa3dd6159704290435c23200190

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/294437/
  
URLhaus
https://urlhaus.abuse.ch/url/2261599/

Comments


Avatar
zbet commented on 2022-07-26 17:04:31 UTC

url : hxxp://103.153.78.204/dhl_invoice_2337990/vbc.exe