MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 20

Intelligence 20 IOCs YARA 22 File information Comments

SHA256 hash:	f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd
SHA3-384 hash:	2b0973d3993c596d6c7cd84a36dfe6c2b57b32696aaa97cecfe75f147514f6a666f8353cd3b06cb69a2bc7de8130a68c
SHA1 hash:	5bdd5759bc35c2b6526553993d0826ae990e4062
MD5 hash:	0cf8f0d2b27b39862abdc2d13a915da0
humanhash:	princess-twenty-oscar-timing
File name:	f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	156'160 bytes
First seen:	2025-10-14 14:47:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b9494f92817e4dfbe294ad842e8f1988 (37 x AveMariaRAT)
ssdeep	3072:4NLOpnhTdOw9YAJOzIY9gVl01T2ENipdDg0z5:4NLYdT97JSIFl0QENqF
Threatray	2'841 similar samples on MalwareBazaar
TLSH	T1A5E37C327BE188B9E6F6013109F53F39CB7DF93111208AAB63905A468D37ACDE955783
TrID	32.2% (.EXE) Win64 Executable (generic) (10522/11/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	23-95-62-27 AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

235

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

_f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd.exe

Verdict:

Malicious activity

Analysis date:

2025-10-14 14:48:49 UTC

Tags:

bazaloader loader warzone

Link:

https://app.any.run/tasks/2ba85b3b-91f8-4a29-b2d1-51da6218fa9f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/32745/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ee628c04e22ce9acda0a4c

Tags:

shellcode dropper emotet remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm cmd cobalt cobalt crypt crypto evasive explorer fingerprint hacktool installer keylogger lolbin microsoft_visual_cc packed packed regedit remcos warzone wmic xpack

Link:

https://www.filescan.io/uploads/68ee629c4f3013c55e4d7d5a/reports/026176ed-fa06-435b-babc-ebe58e24a6c6/overview

Verdict:

Malicious

Labled as:

ShellCode.RDI.Marte.1.Generic

Link:

https://www.hybrid-analysis.com/sample/f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-08T17:04:00Z UTC

Last seen:

2025-08-08T17:26:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Zenpak.sb Trojan.Win32.Shelemo.sb HEUR:Trojan.Win32.Agent.gen HEUR:Backdoor.Win32.Agent.gen PDM:Trojan.Win32.Generic PDM:Exploit.Win32.Generic Trojan-Spy.Win32.AveMaria.sb Trojan.Win64.Agent.sb

Link:

https://opentip.kaspersky.com/f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd/results?tab=lookup

Malware family:

AVE_MARIA

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/18be94e5-ab2a-471d-b870-a3d2069749ea

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/0cf8f0d2b27b39862abdc2d13a915da0

Detection:

warzone

Link:

https://mwdb.cert.pl/sample/f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd/

Verdict:

Malicious

Threat:

Family.WARZONERAT

Link:

https://tip.neiki.dev/file/f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd

Threat name:

Win32.Backdoor.Warzone

Status:

Malicious

First seen:

2025-08-06 20:45:26 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

36 of 38 (94.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6vokk5a5e7ftv7vpvnyt4w32o5fqsvsml2vyvd33u6qwhxpah36q._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

5ff4d73cbcddd2c8f6fa1ec60c1e8e49980d180dce672e84974b1b51d90d4a50

AveMariaRAT

77db79af2f66fb41ede6dbb5c11e2864569f9781f5e78b06427e904a60505277

AveMariaRAT

a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249

AveMariaRAT

bea1713591d822f671be473257016cc48f085ea6e217ba031c4ce7eef41523f6

AveMariaRAT

e7f98ddb4183f82f7931888ff9237f898dc0e484241b02c5e0780204fe680c7f

AveMariaRAT

error

AveMariaRAT

fb9d0187ef58360b6877dc38f0509030b2e7d57d060deae2bb6e3233dda8f47d

AveMariaRAT

+ 2'831 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat discovery infostealer rat

Link:

https://tria.ge/reports/251014-r554wabm7v/

Behaviour

System Location Discovery: System Language Discovery

WarzoneRat, AveMaria

Warzonerat family

Malware Config

C2 Extraction:

23.95.62.27:5050

Verdict:

Malicious

Tags:

red_team_tool rat ave_maria trojan Win.Malware.AveMaria-8799014-1

YARA:

Cobalt_functions Windows_Trojan_AveMaria_31d2bce9 MALWARE_Win_WarzoneRAT AveMaria_WarZone MALWARE_Win_AveMaria Windows_Generic_Threat_76a7579f

Link:

https://app.threat.zone/submission/8952f6db-92b6-4837-9dfa-ad832c4ae696

Unpacked files

SH256 hash:

f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd

MD5 hash:

0cf8f0d2b27b39862abdc2d13a915da0

SHA1 hash:

5bdd5759bc35c2b6526553993d0826ae990e4062

Detections:

win_ave_maria_g0

win_ave_maria_auto

Warzone

Link:

https://www.unpac.me/results/0183703e-8d4f-45ee-92a3-ca3ababd68a1/

Parent samples :

f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd
425bdcae8624fd13ca4d75eeb557e781bb96d329856d5d5dca13b619756950de

SH256 hash:

cc84d00146e74fdb25e4981e44565564d3a8d326a8bba0bb5d0083bd918e15ac

MD5 hash:

3471b38c7f0af0a8fe69b99cd13e3bb2

SHA1 hash:

040a96c1a80aae94154834a544e3b64a234f5fb0

Link:

https://www.unpac.me/results/0183703e-8d4f-45ee-92a3-ca3ababd68a1/

SH256 hash:

f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36

MD5 hash:

6c72218c48cd68cbcb654675053a0abb

SHA1 hash:

12207fa32070f99683648d87b44410e5d3cdf2de

Link:

https://www.unpac.me/results/0183703e-8d4f-45ee-92a3-ca3ababd68a1/

SH256 hash:

477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52

MD5 hash:

16a9ddc4b32981114fe4f069a4353105

SHA1 hash:

bf73849f57c150f9e2199c61427f631be2dfa595

Link:

https://www.unpac.me/results/0183703e-8d4f-45ee-92a3-ca3ababd68a1/

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f55ca5741d27/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	avemaria_rat_yhub Create hunting rule
Author:	Billy Austin
Description:	Detects AveMaria RAT a.k.a. WarZone

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Generic_Threat_76a7579f Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_AveMaria_31d2bce9 Create hunting rule
Author:	Elastic Security

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32745/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample