MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7f98ddb4183f82f7931888ff9237f898dc0e484241b02c5e0780204fe680c7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7f98ddb4183f82f7931888ff9237f898dc0e484241b02c5e0780204fe680c7f
SHA3-384 hash: 623340aab8d9ced7b327fa2d8069fe27fa97dc66fecde8ff7ad14116e74720f82192d6d5c5f39d444374309111edaa83
SHA1 hash: 34dcf5a1913b660d2bf3fc2c0ffce74a3b8fc6d3
MD5 hash: 671f91d1c3acee050ca7106080a9d6f5
humanhash: high-india-stream-lithium
File name:rNEWORDER28938928384893029.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:99'840 bytes
First seen:2023-12-21 17:21:24 UTC
Last seen:2023-12-27 12:05:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:jBtNyxERJQoQ5c0OMxnmOY4bza2iocHUw2gfP2jPfMIc4ppd6n2KxEINr:vcc3EmOY4MvHUwVfMPfMIc4ppd6x6M
Threatray 2'406 similar samples on MalwareBazaar
TLSH T1B7A32902322CC727C1FE02BAA431A17803B64E4A7275D7DD9DD9F9DF37A17815822A97
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b6494d555555596d (1 x AveMariaRAT)
Reporter FXOLabs
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
300
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
rNEWORDER28938928384893029.exe
Verdict:
Malicious activity
Analysis date:
2023-12-21 17:22:52 UTC
Tags:
rat avemaria remote stealer warzone
Link:
https://app.any.run/tasks/77df6d8a-a6d4-4687-9bc2-bb5e4590ec2b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468839/
Detection(s):
SecuriteInfo.com.Trojan-Downloader.MSIL.Agent.23662.24179.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hook keylogger lolbin lolbin masquerade replace shell32 stealer
Link:
https://www.filescan.io/uploads/6584743c6b1c246046000997/reports/f4184a92-3823-4096-ac65-138fa6e32747/overview
Verdict:
Malicious
Labled as:
Trojan.GenericS
Link:
https://www.hybrid-analysis.com/sample/e7f98ddb4183f82f7931888ff9237f898dc0e484241b02c5e0780204fe680c7f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8df4cf76-6ea3-4da1-8def-1cf1e5d722f8
Result
Threat name:
AveMaria, PrivateLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365713
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to create processes via WMI
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to log keystrokes (.Net Source)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Creates processes via WMI
DLL side loading technique detected
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected PrivateLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365713 Sample: rNEWORDER28938928384893029.exe Startdate: 21/12/2023 Architecture: WINDOWS Score: 100 76 s22.filetransfer.io 2->76 78 filetransfer.io 2->78 84 Snort IDS alert for network traffic 2->84 86 Found malware configuration 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 13 other signatures 2->90 8 rNEWORDER28938928384893029.exe 15 3 2->8         started        12 rNEWORDER28938928384893029.pif 3 2->12         started        14 rNEWORDER28938928384893029.pif.pif.pif.pif.pif 2->14         started        16 9 other processes 2->16 signatures3 process4 dnsIp5 82 s22.filetransfer.io 104.21.13.139, 443, 49704, 49705 CLOUDFLARENETUS United States 8->82 116 Contains functionality to hide user accounts 8->116 118 Drops script or batch files to the startup folder 8->118 120 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->120 18 rNEWORDER28938928384893029.exe 3 15 8->18         started        23 cmd.exe 1 8->23         started        25 cmd.exe 3 8->25         started        122 Multi AV Scanner detection for dropped file 12->122 124 Found evasive API chain (may stop execution after checking mutex) 12->124 126 Contains functionality to inject threads in other processes 12->126 128 2 other signatures 12->128 27 cmd.exe 1 12->27         started        33 2 other processes 12->33 35 6 other processes 14->35 29 WMIC.exe 16->29         started        31 cmd.exe 16->31         started        37 24 other processes 16->37 signatures6 process7 dnsIp8 80 84.38.132.126, 49706, 59937 DATACLUBLV Latvia 18->80 58 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 18->58 dropped 60 C:\Users\user\AppData\Local\Temp\nss3.dll, PE32 18->60 dropped 74 7 other files (5 malicious) 18->74 dropped 92 Creates files in alternative data streams (ADS) 18->92 94 Tries to steal Mail credentials (via file / registry access) 18->94 96 Tries to harvest and steal browser information (history, passwords, etc) 18->96 98 Increases the number of concurrent connection per server for Internet Explorer 18->98 100 Drops PE files to the document folder of the user 23->100 102 Uses cmd line tools excessively to alter registry or file data 23->102 104 Drops PE files with a suspicious file extension 23->104 39 reg.exe 1 1 23->39         started        42 conhost.exe 23->42         started        62 C:\Users\...\rNEWORDER28938928384893029.pif, PE32 25->62 dropped 44 conhost.exe 25->44         started        46 reg.exe 1 1 27->46         started        48 conhost.exe 27->48         started        106 Contains functionality to create processes via WMI 29->106 108 DLL side loading technique detected 29->108 110 Creates processes via WMI 29->110 52 2 other processes 31->52 64 C:\...\rNEWORDER28938928384893029.pif.pif, PE32 33->64 dropped 112 Contains functionality to hide user accounts 33->112 50 conhost.exe 33->50         started        66 rNEWORDER289389283...pif.pif.pif.pif.pif, PE32 35->66 dropped 54 3 other processes 35->54 68 rNEWORDER289389283...pif.pif.pif.pif.pif, PE32 37->68 dropped 70 rNEWORDER289389283...029.pif.pif.pif.pif, PE32 37->70 dropped 72 C:\...\rNEWORDER28938928384893029.pif.pif.pif, PE32 37->72 dropped 56 22 other processes 37->56 file9 signatures10 process11 signatures12 114 Creates multiple autostart registry keys 39->114
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e7f98ddb4183f82f7931888ff9237f898dc0e484241b02c5e0780204fe680c7f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7f98ddb4183f82f7931888ff9237f898dc0e484241b02c5e0780204fe680c7f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-20 04:41:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
17 of 37 (45.95%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=474y3w2bqp4c66jrrch7si37rgg4bzeeeqnqfrpapabaj7tibr7q._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
16a70a26c9560621c1626bdb45e21496aa9baad88688edf12f04ac56b794c214
AveMariaRAT
28899cd77a674fd8fc103e44aa12ce58b76dadcdcdecca0637c774df8dbdc61c
AveMariaRAT
511ac21d17ad7b77173c3007465b034ce0a83517749f7263d27243453f6728c3
AveMariaRAT
77db79af2f66fb41ede6dbb5c11e2864569f9781f5e78b06427e904a60505277
AveMariaRAT
8965cf5a3d57c204d8a88c7697589ad0e7964b5fa125c50f5170748ce6896f82
AveMariaRAT
8d241ada0e443465f7a76c1603677d5519b901a654a9a27b21c6e82a69ef7e3c
AveMariaRAT
cc0f8060db4621f80c89f6fcaecac1e626eff63478f63827deaba17077493edf
AveMariaRAT
f0b92472c6a95a379f7235c22460fdb3602d625a662141e7baecc48c049ad715
AveMariaRAT
fb9d0187ef58360b6877dc38f0509030b2e7d57d060deae2bb6e3233dda8f47d
AveMariaRAT
+ 2'396 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/231221-vxj38adgb2/
Behaviour
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
84.38.132.126:59937
Unpacked files
SH256 hash:
e7f98ddb4183f82f7931888ff9237f898dc0e484241b02c5e0780204fe680c7f
MD5 hash:
671f91d1c3acee050ca7106080a9d6f5
SHA1 hash:
34dcf5a1913b660d2bf3fc2c0ffce74a3b8fc6d3
Link:
https://www.unpac.me/results/f4e31d1e-bfb5-48dd-a963-6c0219aa39a8/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7f98ddb4183/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7f98ddb4183f82f7931888ff9237f898dc0e484241b02c5e0780204fe680c7f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe e7f98ddb4183f82f7931888ff9237f898dc0e484241b02c5e0780204fe680c7f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/468839/

Comments