MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eef5ae48384a5c5dff5d4c7b1a768c4eb1fe5d3df0347c85c9c1b404327dbba9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 11



SHA256 hash: eef5ae48384a5c5dff5d4c7b1a768c4eb1fe5d3df0347c85c9c1b404327dbba9
SHA3-384 hash: 9d890091d3758ec54927226babe3c5b7472c9d710de8cc0e89fd6cad99db7e7eaf737c3929dcab3d80852641e66b1628
SHA1 hash: 921e7008881d5e0e9a788ee310ddef60b343c647
MD5 hash: 81ba3d2de48272d692c4e6604e6b1db9
humanhash: missouri-eight-batman-uncle
File name: DocumentoSENAMHI20222103.exe
Signature: AveMariaRAT
File size: 1'320'960 bytes
First seen: 2022-03-21 13:12:08 UTC
Last seen: 2022-03-21 15:05:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5ed77736e49da7d22b203d8d8f918a6b (2 x AveMariaRAT)
ssdeep: 6144:aNk8vti3OqUP1bq00RiTwSltgxCKYPMXq9NmiQBYGhpX8x4MWy1FYCz8hJ2n3C+e:Ak8l7D4pa7+ocZ
TLSH: T12755F964B3E51105E9D7A77F72A08B90C8AE3C419C6DA78F0D464AC6CA3D2F479086F7
Reporter: @abuse_ch
Tags: AveMariaRAT exe RAT


Twitter (@abuse_ch): AveMariaRAT C2: 172.111.242.20:2033

Intelligence


File Origin
# of uploads: 2
# of downloads: 254
Origin country: DE

Mail intelligence
No data
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AveMaria LimeRAT UACMe
Detection: malicious
Classification: evad.troj.expl
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to hide user accounts
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AveMaria stealer
Yara detected LimeRAT
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph (ID: 593268; Sample: DocumentoSENAMHI20222103.exe; Startdate: 21/03/2022; Architecture: WINDOWS; Score: 100)

Sample-level network: pastebin.com
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 15 other signatures

Process tree:
DocumentoSENAMHI20222103.exe (started)
    Network: 172.111.242.20, 2031, 2033, 49761 (M247GB, United States)
    Dropped: C:\Users\user\AppData\Roaming\wtqsCpda..exe (PE32); C:\Users\user\AppData\Local\...\Chrome[1].exe (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); 5 other files (none is malicious)
    wtqsCpda..exe (started)
        Dropped: C:\Users\user\AppData\Local\Temp\chrome.exe (PE32)
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
        schtasks.exe (started)
            conhost.exe (started)
        chrome.exe (started)
    cmd.exe (started)
        conhost.exe (started)
chrome.exe (started)
    Network: pastebin.com 104.23.98.190, 443, 49764 (CLOUDFLARENETUS, United States)
    Dropped: C:\Users\user\AppData\Local\...\IconLib.dll (PE32)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; 2 other signatures
Threat name: Win32.Trojan.Woreflint
Status: Malicious
First seen: 2022-03-21 13:13:10 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 7 of 42 (16.67%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: warzonerat
Score: 10/10
Tags: family:limerat family:warzonerat collection infostealer rat spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Warzone RAT Payload
LimeRAT
WarzoneRat, AveMaria
Malware Config
C2 Extraction: 172.111.242.20:2031
Unpacked files

SHA256 hash: 6e91e0565600c3d8cb5e83ebe4f65e3a1749cf646d4146e94c27974bbbd77712
MD5 hash: 2510727d18f0e4455bc89aa82f50e179
SHA1 hash: 6125c4f16917bb3717d98ecc4290db50baf6f031
Detections: win_ave_maria_g0 win_ave_maria_auto

SHA256 hash: fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c
MD5 hash: 6b906764a35508a7fd266cdd512e46b1
SHA1 hash: 2a943b5868de4facf52d4f4c1b63f83eacd882a2

SHA256 hash: 021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546
MD5 hash: ad9fd1564dd1c6be54747e84444b8f55
SHA1 hash: 001495af4af443265200340a08b5e07dc2a32553

SHA256 hash: eef5ae48384a5c5dff5d4c7b1a768c4eb1fe5d3df0347c85c9c1b404327dbba9
MD5 hash: 81ba3d2de48272d692c4e6604e6b1db9
SHA1 hash: 921e7008881d5e0e9a788ee310ddef60b343c647

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
172.111.242.20:2033 | https://threatfox.abuse.ch/ioc/433004

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments