MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3cf6d2ae60dde6232e5e820cb6e6a2d9dbe53a5bea09e8985cb6c80ca6d51ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3cf6d2ae60dde6232e5e820cb6e6a2d9dbe53a5bea09e8985cb6c80ca6d51ad
SHA3-384 hash: fc1a89d654d36ab2f59f142d5ef7ddad868168f8ae5f09c208c6bce8669fa6061db3598e858dff8724bf454c6e3886d3
SHA1 hash: 9601635800928f964d02b70d8312befc79e9a95e
MD5 hash: 26912238679165eec67430c9739b5590
humanhash: connecticut-yellow-tennis-wolfram
File name:26912238679165eec67430c9739b5590.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:647'168 bytes
First seen:2021-09-22 06:08:32 UTC
Last seen:2021-09-23 07:11:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:5bNcmjanS4wsKRt0s5V/C946bpKIbpcydvtJ04Cay0zwW6gghU4kX6cKlE:3c8anWGFG4CaPzQhU4kX6v
Threatray 1'269 similar samples on MalwareBazaar
TLSH T116D4B27937A1E9AAF62F8F34835313001C6BFD5B0E5913A4E9CA3D457CB22009DB59E6
File icon (PE):PE icon
dhash icon 9232b272e9ccacc2 (10 x AveMariaRAT, 1 x NanoCore, 1 x RedLineStealer)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL QA-Tracker.doc
Verdict:
Malicious activity
Analysis date:
2021-09-22 06:00:05 UTC
Tags:
macros macros-on-open generated-doc trojan stealer rat avemaria
Link:
https://app.any.run/tasks/feba6044-4bdb-4d8c-bb84-3f86be040cfe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190058/
Detection(s):
SecuriteInfo.com.Artemis269122386791.29529.25690.UNOFFICIAL
Create hunting rule

Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/87b901f4-1943-4b5e-86de-f48419c66d58
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/855352
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 487780 Sample: iUUw81oel1.exe Startdate: 22/09/2021 Architecture: WINDOWS Score: 56 17 Multi AV Scanner detection for submitted file 2->17 19 .NET source code contains potential unpacker 2->19 21 Machine Learning detection for sample 2->21 7 iUUw81oel1.exe 3 2->7         started        process3 process4 9 powershell.exe 18 7->9         started        11 powershell.exe 14 7->11         started        process5 13 conhost.exe 9->13         started        15 conhost.exe 11->15         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3cf6d2ae60dde6232e5e820cb6e6a2d9dbe53a5bea09e8985cb6c80ca6d51ad/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-09-21 23:07:52 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6phw2kxgbxpgemxf5aqmw3tkfwo34u5fx2qj5cmfznwibstnkgwq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
2e4256a1d7bc9f40528cded530aaf91410b3b55eff762908d7bd61cb5962e51e
AveMariaRAT
3284251610f91e544bffaa6c1da206bd8adedb911212a3d6374dc5b58526f080
AveMariaRAT
4ae3522e80d4dbf4e6e50053d3104e327309ed478bf50040ba14a615b1da3d56
AveMariaRAT
4b3e872365db5c5fd41d596837b761900d549c8d70247105b2a3451a34b7e74d
AveMariaRAT
5a36b6f9fe8852daabca8093de029904ab5e024426cfe3ffaeca6c14fb093501
AveMariaRAT
6f0be13909a62a5d257151b140d27dd0902ad758449ea487a04e571a04bc1223
AveMariaRAT
89cb4e62eb3869c359997938999404bc9825a47ebd1d88c8e98e693a36b5c125
AveMariaRAT
9049285c909f97f6342cd619ec5292e73c1cef65706904d7665743358fd6eb1f
AveMariaRAT
b2df0162081db60f8a9ee6ee0b31611c0ef96d5c272789f995e0c4d887e568cf
AveMariaRAT
+ 1'259 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/210922-gwf4aaedbk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Warzone RAT Payload
Modifies WinLogon for persistence
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
warzonepw.ddns.net:6568
Unpacked files
SH256 hash:
76d28bf94372f8dcdb96da6ebff55a1b86755f0287e7b46242096447aa99249f
MD5 hash:
b65b0da60645f6dbeb327008e6d80c79
SHA1 hash:
6b679161bfa6606a2aa57bd6750b0aa055d9fb82
Link:
https://www.unpac.me/results/ce05b4c5-558f-4d79-b143-07fb202ad730/
SH256 hash:
f3cf6d2ae60dde6232e5e820cb6e6a2d9dbe53a5bea09e8985cb6c80ca6d51ad
MD5 hash:
26912238679165eec67430c9739b5590
SHA1 hash:
9601635800928f964d02b70d8312befc79e9a95e
Link:
https://www.unpac.me/results/ce05b4c5-558f-4d79-b143-07fb202ad730/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3cf6d2ae60dde6232e5e820cb6e6a2d9dbe53a5bea09e8985cb6c80ca6d51ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe f3cf6d2ae60dde6232e5e820cb6e6a2d9dbe53a5bea09e8985cb6c80ca6d51ad

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1639049/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190058/

Comments