MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec97fe2ca09d875ceab1a42580d4817aad2a6ecfea52586454cbc782fb74d5e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec97fe2ca09d875ceab1a42580d4817aad2a6ecfea52586454cbc782fb74d5e4
SHA3-384 hash: 2b9110c1275edf973551d4f47e9b4d6394342cd0ce3fcdcf125d9fc9b6edf4ca44fd2ca861c59433dbd223cf9a17aacf
SHA1 hash: c2e31c5426f0cb98ab8f8cf2e9f3eec95366476c
MD5 hash: 6a3f1d0a26574f5c1e2d0118ae1ec4aa
humanhash: freddie-lake-ohio-indigo
File name:invoice263886766 AWB.vbs
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:824'161 bytes
First seen:2024-11-12 00:30:10 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:pLybbSfsKK4LPzHYjtY5eDHex4AH0sTfaKJVmcO/dh5Z2xMsoqUaCSG:a
Threatray 386 similar samples on MalwareBazaar
TLSH T1E30586032E83231EFE1CD34625BC45649D59CAFF4EB1D0DCD1677DE16812C6A29EBAA0
Magika vba
Reporter abuse_ch
Tags:AveMariaRAT RAT vbs


Avatar
abuse_ch
AveMariaRAT C2:
193.161.193.99:43544

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.161.193.99:43544 https://threatfox.abuse.ch/ioc/1344325/

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.7839.17207.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6732a202af2d3dc89feed6ca
Tags:
trojan packed remo
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex dropper evasive lolbin masquerade obfuscated packed regasm
Link:
https://www.filescan.io/uploads/6732a1c861c63018b46b257a/reports/cfd11cf8-6ef3-43cb-aa37-5e59625e4a5b/overview
Verdict:
Malicious
Labled as:
GT:VB.AgentTesla.4
Link:
https://www.hybrid-analysis.com/sample/ec97fe2ca09d875ceab1a42580d4817aad2a6ecfea52586454cbc782fb74d5e4
Result
Threat name:
AveMaria, PrivateLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1554065
Signature
.NET source code contains very large strings
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Potential evasive VBS script found (use of timer() function in loop)
Potential malicious VBS script found (has network functionality)
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected PrivateLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1554065 Sample: invoice263886766 AWB.vbs Startdate: 12/11/2024 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for domain / URL 2->39 41 Suricata IDS alerts for network traffic 2->41 43 Found malware configuration 2->43 45 13 other signatures 2->45 7 wscript.exe 2 2->7         started        process3 file4 19 C:\Users\user\AppData\...\temp_file_rhjRS.exe, PE32 7->19 dropped 47 Benign windows process drops PE files 7->47 49 VBScript performs obfuscated calls to suspicious functions 7->49 51 Windows Scripting host queries suspicious COM object (likely to drop second stage) 7->51 53 Suspicious execution chain found 7->53 11 temp_file_rhjRS.exe 3 7->11         started        signatures5 process6 signatures7 55 Antivirus detection for dropped file 11->55 57 Contains functionality to hide user accounts 11->57 59 Machine Learning detection for dropped file 11->59 61 3 other signatures 11->61 14 RegAsm.exe 3 18 11->14         started        process8 dnsIp9 29 193.161.193.99, 43544, 49730 BITREE-ASRU Russian Federation 14->29 21 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 14->21 dropped 23 C:\Users\user\AppData\Local\Temp\nss3.dll, PE32 14->23 dropped 25 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 14->25 dropped 27 3 other files (1 malicious) 14->27 dropped 31 Contains functionality to hide user accounts 14->31 33 Contains functionality to check if Internet connection is working 14->33 35 Contains functionality to inject threads in other processes 14->35 37 5 other signatures 14->37 file10 signatures11
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ec97fe2ca09d875ceab1a42580d4817aad2a6ecfea52586454cbc782fb74d5e4
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ec97fe2ca09d875ceab1a42580d4817aad2a6ecfea52586454cbc782fb74d5e4/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-11-12 00:31:04 UTC
File Type:
Text (VBS)
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5sl74lfatwdvz2vruqsybvebpkwsu3wp5jjfqzcuzpdyf63u2xsa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
21d09c77de01cc95209727752e866221ad3b66d5233ab52cfe5249a3867ef8d8
AveMariaRAT
5cb3fb5b66cd56f7f3ed2ce5b1f3a02b9b615b7e8c41590ca04289ae692af8d2
AveMariaRAT
722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d
AveMariaRAT
83e9b16728b687a98b3cd5f140253f5114b61a4e7746718b1e3bb38c9d625790
AveMariaRAT
87576351067ea79fe0acb467ddb9c29ddce87f1179c0de4519df93bfad53dfe0
AveMariaRAT
c06128183df3792e280b8e22c98d5218668d68530e19c56ca77aa286bb7a4766
AveMariaRAT
e25681e1fa9f84e578c0c54c9283bb819074fe45b3551e549363c1112cfa3fc4
AveMariaRAT
error
AveMariaRAT
+ 376 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection discovery infostealer rat spyware stealer
Link:
https://tria.ge/reports/241112-at2hwazjf1/
Behaviour
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Warzone RAT payload
WarzoneRat, AveMaria
Warzonerat family
Malware Config
C2 Extraction:
193.161.193.99:43544
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec97fe2ca09d875ceab1a42580d4817aad2a6ecfea52586454cbc782fb74d5e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments