MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f39b59ac3799b134b02f8030b5658ef8c0d459fed07a914c5c58918a13d85a69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 21 File information Comments

SHA256 hash: f39b59ac3799b134b02f8030b5658ef8c0d459fed07a914c5c58918a13d85a69
SHA3-384 hash: 24f77adfd9126ce5ccdf3c0c9761bde9e23029606aa50c069cfc1b0056883db58fd2e6afe69de7577fb5ec5b08d7a694
SHA1 hash: ddd6a2fe621297cf98d5f8e49fb73cc16de3a12b
MD5 hash: 3953d3fa4fc9bb0b56ca8ab21cd10c02
humanhash: queen-michigan-shade-uniform
File name:ConsoleApp1.exe.vir
Download: download sample
Signature AveMariaRAT
File size:120'832 bytes
First seen:2022-06-18 14:57:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (32'071 x AgentTesla, 11'207 x Formbook, 6'131 x SnakeKeylogger)
ssdeep 1536:MhkhP+S//71vb1WcHhjtm99B8006cuhNC+noBIb0OVE01p:0SF1L299+0lfk+otOVE0D
Threatray 2'132 similar samples on MalwareBazaar
TLSH T132C39D03B7E44474F3F205BC1AB97A39CBBFF9701875849B9364658A2D7198AEA30347
TrID 49.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
28.9% (.EXE) InstallShield setup (43053/19/16)
7.0% (.EXE) Win64 Executable (generic) (10523/12/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter @KdssSupport
Tags:AveMariaRAT exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
222
Origin country :
RU RU
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ConsoleApp1.exe
Verdict:
Malicious activity
Analysis date:
2022-06-18 14:27:22 UTC
Tags:
installer warzone

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria, UACMe
Detection:
malicious
Classification:
troj.expl
Score:
96 / 100
Signature
.NET source code contains very large array initializations
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Threat name:
Win32.Backdoor.Remcos
Status:
Malicious
First seen:
2022-06-18 14:58:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Result
Malware family:
warzonerat
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Behaviour
Warzone RAT Payload
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
f39b59ac3799b134b02f8030b5658ef8c0d459fed07a914c5c58918a13d85a69
MD5 hash:
3953d3fa4fc9bb0b56ca8ab21cd10c02
SHA1 hash:
ddd6a2fe621297cf98d5f8e49fb73cc16de3a12b
Detections:
win_ave_maria_g0 win_ave_maria_auto

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:AveMaria
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Rule name:ave_maria_warzone_rat
Author:jeFF0Falltrades
Rule name:Codoso_Gh0st_1
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2_RID2C2E
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:exploit_any_poppopret
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:MALWARE_Win_AveMaria
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Lokibot_Stealer
Description:Detects Lokibot Stealer Variants
Rule name:meth_peb_parsing
Author:Willi Ballenthin
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Rule name:RDPWrap
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:win_ave_maria_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.ave_maria.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments