MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f520f6f73efb0658ac2ee9c61cff3bc8d95f2ab0853ef6bee3edbdfb3db7d3fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 14

SHA256 hash: f520f6f73efb0658ac2ee9c61cff3bc8d95f2ab0853ef6bee3edbdfb3db7d3fc
SHA3-384 hash: 2546183a26a583aa7a4eae5520590854cd92a70d484a3621cec1b5dd78cd05f6fbf75512aa444c58ff599c2f9b2138ed
SHA1 hash: 4a58b42c2a82ff43d42eedc93becf741f4017c33
MD5 hash: c5559921fdf3950c63cba88ca2efd7e2
humanhash: freddie-rugby-violet-victor
File name: file
Download: download sample
Signature: AveMariaRAT
File size: 594'944 bytes
First seen: 2023-01-26 13:48:43 UTC
Last seen: 2023-01-26 13:48:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:CMjmOVDf3DES1C0MYE1/8GIG++F5IBRKYWTHK:CMlD9CIEGG+Ruq
TLSH T124C4F20B4AC36FB2C9788D75E3A924E847F0572B5416FB676DC802F5CEC9B4E26011E6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter jstrosch
Tags:.NET AveMariaRAT exe MSIL

Intelligence


File Origin
# of uploads:
2
# of downloads:
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
avemaria
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-26 13:52:37 UTC
Tags:
trojan rat stealer avemaria

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria, DarkTortilla, UACMe
Detection:
malicious
Classification:
phis.troj.expl.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DarkTortilla Crypter
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Behavior Graph ID: 792318, Sample: file.exe, Startdate: 26/01/2023, Architecture: WINDOWS, Score: 100
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 8 other signatures
Process tree (network contacts, dropped files and signatures are listed under the process that produced them):
- file.exe (started)
    network: www.google.com 142.250.203.100, 443, 49697, 49704 GOOGLEUS United States
    dropped: C:\Users\user\AppData\Local\...\file.exe.log, ASCII
    signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    - cmd.exe (started)
        dropped: C:\Users\user\AppData\Roaming\klnvand.exe, PE32
        dropped: C:\Users\user\...\klnvand.exe:Zone.Identifier, ASCII
        signature: Uses ping.exe to sleep
        - klnvand.exe (started)
            network: www.google.com
            dropped: C:\Users\user\AppData\Local\...\aQbbNbh.exe, PE32
            signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
            - AddInProcess32.exe (started)
                network: 185.246.220.237, 49708, 7134 LVLT-10753US Germany
                dropped: C:\Users\user\AppData\Local\Temp\24.exe, PE32
                dropped: C:\Program Files\Microsoft DN1\sqlmap.dll, PE32+
                signatures: Hides user accounts; Increases the number of concurrent connection per server for Internet Explorer; Hides that the sample has been downloaded from the Internet (zone.identifier)
                - 24.exe (started)
                    network: 239.255.255.250 unknown Reserved
                    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
                    - netsh.exe (started)
                        - conhost.exe (started)
            - aQbbNbh.exe (started)
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                - aQbbNbh.exe (started)
            - AddInProcess32.exe (started)
            - 2 other processes
        - conhost.exe (started)
        - PING.EXE (started)
        - PING.EXE (started)
    - cmd.exe (started)
        signature: Uses ping.exe to check the status of other devices and networks
        - reg.exe (started)
            signature: Creates an undocumented autostart registry key
        - PING.EXE (started)
            network: 127.0.0.1 unknown unknown
        - conhost.exe (started)
Threat name:
Win32.Trojan.Casdet
Status:
Malicious
First seen:
2023-01-26 02:55:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
avemaria
Result
Malware family:
warzonerat
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat upx
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Sets DLL path for service in the registry
UPX packed file
Modifies WinLogon for persistence
WarzoneRat, AveMaria
Unpacked files
SHA256 hash:
f520f6f73efb0658ac2ee9c61cff3bc8d95f2ab0853ef6bee3edbdfb3db7d3fc
MD5 hash:
c5559921fdf3950c63cba88ca2efd7e2
SHA1 hash:
4a58b42c2a82ff43d42eedc93becf741f4017c33
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe f520f6f73efb0658ac2ee9c61cff3bc8d95f2ab0853ef6bee3edbdfb3db7d3fc

(this sample)

Delivery method
Distributed via web download

Comments