MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e762344f654c2275406fcf7f859fbc50ec1cf51c96240ea9f47c6574b525eae2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e762344f654c2275406fcf7f859fbc50ec1cf51c96240ea9f47c6574b525eae2
SHA3-384 hash: ab4c7d858f2388383348be54c5a72eb4aa23d92d8f4676e6eadd7737e251f3b17cce2a87e5e390f631e70b592c5789d6
SHA1 hash: 150e2974a52c2c8536c3e0582c25718a27a2cdee
MD5 hash: bda96926cfb5407d383f606f9ca4c636
humanhash: magnesium-jersey-aspen-alabama
File name:PO copy and the fabrication drawings.gz
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'051'154 bytes
First seen:2022-07-27 05:50:09 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 24576:wY6JFvKOoEurMerB/cKALQk9XrII9LOvsBglte9:wY6N7lLT9XrII9Lic9
TLSH T1CE2533336AE39E195618997AFFB80F8429CD4218AF7FC14F2A054D62F15162D379EB0C
Reporter cocaman
Tags:AveMariaRAT gz


Avatar
cocaman
Malicious email (T1566.001)
From: ""Abdula Khalim I Kuwait " <mario@industrial.com>" (likely spoofed)
Received: "from industrial.com (unknown [45.137.22.120]) "
Date: "26 Jul 2022 17:05:18 +0200"
Subject: "Inquiry"
Attachment: "PO copy and the fabrication drawings.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.11621.28456.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62e0d2475c40cd8dc5ef9327/reports/2647ed22-4a8d-4505-a7f4-45cb2e732d1f/overview
Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e762344f654c2275406fcf7f859fbc50ec1cf51c96240ea9f47c6574b525eae2/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-07-26 14:43:56 UTC
File Type:
Binary (Archive)
Extracted files:
24
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=45rdit3fjqrhkqdpz57ylh54kdwbz5i4sysa5kpuprsxjnjf5lra._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:warzonerat botnet:iyke discovery infostealer rat spyware stealer
Link:
https://tria.ge/reports/220727-gj57msecg2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Warzone RAT payload
RedLine
RedLine payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
76.8.53.133:1198
76.8.53.133:30308
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

gz e762344f654c2275406fcf7f859fbc50ec1cf51c96240ea9f47c6574b525eae2

(this sample)

AveMariaRAT

Executable exe 3eb465b93b32006a3ab6df42841bbef09d8386a12df6254038c52b1eddf1c1cd

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 3eb465b93b32006a3ab6df42841bbef09d8386a12df6254038c52b1eddf1c1cd
  
Dropping
AveMariaRAT

Comments