MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e85d8d1a443b9ae7ecc3dc3e40f6408cf69240e5853b9c7a2bb0f01e96dcdb9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 5

Intelligence 5 IOCs YARA 6 File information Comments

SHA256 hash:	e85d8d1a443b9ae7ecc3dc3e40f6408cf69240e5853b9c7a2bb0f01e96dcdb9a
SHA3-384 hash:	39d1188ac687bc4f1b07b24531861c59e27a6c8ffa692bd91933d618588ad1e5cd6a6f48c9ef834c32df6f5a96b52746
SHA1 hash:	8ec4fd000a42b09ec3db9b55c9a8e456e339715b
MD5 hash:	0147437166a9be862d2a1b460d8ef36e
humanhash:	cardinal-quiet-network-low
File name:	haretionrs.club_images.exe.malw
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	604'776 bytes
First seen:	2020-05-21 01:14:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	95a90467276c4ee2609552b9704c6d4b (21 x AgentTesla, 12 x Loki, 1 x NetWire)
ssdeep	12288:48JsIitBttf+zZa7oPNr3JfjLxEwApEcNV6ggMrbh:RaBJeK0r5hVIsgvrl
Threatray	483 similar samples on MalwareBazaar
TLSH	CCD48E22F2B05837D1631E788D1B97689C36BD107A2C7947EBE41D4C6F396B1392B293
Reporter	ov3rflow1
Tags:	AveMariaRAT malw

Code Signing Certificate

Organisation:
Issuer:	GeoTrust RSA CA 2018
Algorithm:	sha256WithRSAEncryption
Valid from:	Jan 15 00:00:00 2018 GMT
Valid to:	Jan 14 12:00:00 2021 GMT
Serial number:	0B8310E63CBB6E960CC1F52F19D9A400
Intelligence:	3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	FDFA45E9BBC10C497E4FF99AE04A9601EEF9DA0CDBEF74FE43192738CFF08A40
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Generic-7839353-0

Win.Dropper.LokiBot-7841010-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.BehavesLike.Win32.AdwareDealPly.bc.5405.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-19 06:25:49 UTC

File Type:

PE (Exe)

Extracted files:

285

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5boy2gsehonop3gd3q7eb5sart3jeqhfqu5zy6rlwdyb5fw43ona._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

60f009566c2479b5bee70549b982714018f04154ea8d9dba6b4842bc6c04c915

AveMariaRAT

664dafe5521c5a437960398fb265536760d2128e569237a3479107ac9ce76e35

AveMariaRAT

71a557b6d87e8310e13470fc5e46384d141f204ca8ee629fe645b6de4393a781

AveMariaRAT

95e8c723b490c8ca0e85775a0d7357ac942130bd993504d84c91bbc3f55fb90c

AveMariaRAT

9c70d941efea5b6a8005e5c92158d814f826c504adecb6b58d5fba7468abbdea

AveMariaRAT

9d36d90f9c2899d43c70a09d23e06ac6d151f738f83cd69d590c76d4bb9b6c9e

AveMariaRAT

9f05fc0d62bbb451cfeb45c29b08ba8c556fcbc0aabcb1b783c056cca004db6e

AveMariaRAT

bdf768ac30153fead698380efb662efa3e4d3caaab38e85fb52e0ddafeac2a60

AveMariaRAT

d0e77c36c71e2dae1705f822cc621d38b630126edc97a8ce871440ea59405d3b

AveMariaRAT

+ 473 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer persistence rat

Link:

https://tria.ge/reports/201109-7a2j9gmla2/

Behaviour

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

Loads dropped DLL

Executes dropped EXE

Warzone RAT Payload

ServiceHost packer

WarzoneRat, AveMaria

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_ave_maria_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/364757/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample