MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5e1b30ec44e8c2a6e6a3c67bf7a5ecd7474c978668724eb49141608a3a60add. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5e1b30ec44e8c2a6e6a3c67bf7a5ecd7474c978668724eb49141608a3a60add
SHA3-384 hash: bae1664e832f34c4681dd5825a056b8e50d565a5164b106ffb2200cd55b0fa331c6ca4d3122f8e787bc5ce6f100001a2
SHA1 hash: 78a89671c275e0498f66393d2bf0c0d9ca84569e
MD5 hash: 4b541ff698f1b6cb633140e65dcb6f5f
humanhash: maryland-arkansas-november-monkey
File name:TQVDz.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:803'328 bytes
First seen:2023-12-23 01:30:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Iwh6wEx2iNNFR9YJcR8bNvX+nXq2ow+Ubm1Dt4:Kwk1fFLakaNvX+swK
TLSH T1F905B13C49BE223BD6B5C6B5CBEC8827F01CA46F3150AD6594DBC3A653C694274E322D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adm1n_usa32
Tags:AveMariaRAT exe WarzoneRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
329
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TQVDz.exe
Verdict:
Malicious activity
Analysis date:
2023-12-23 01:26:49 UTC
Tags:
warzone
Link:
https://app.any.run/tasks/85713bc5-f0e1-4cec-b08d-c48224a5514a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469092/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/65863857ffafd83ebc984523/reports/be9d1e77-15d3-4616-bc98-2a731c7d196a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f5e1b30ec44e8c2a6e6a3c67bf7a5ecd7474c978668724eb49141608a3a60add
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cea14222-3425-49fe-b29e-e9b7205e2837
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1366442
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1366442 Sample: TQVDz.exe Startdate: 23/12/2023 Architecture: WINDOWS Score: 100 36 omc2015asm.ddns.net 2->36 40 Multi AV Scanner detection for domain / URL 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 48 12 other signatures 2->48 8 ZxDpxUVmZXI.exe 5 2->8         started        11 TQVDz.exe 7 2->11         started        signatures3 46 Uses dynamic DNS services 36->46 process4 file5 50 Antivirus detection for dropped file 8->50 52 Multi AV Scanner detection for dropped file 8->52 54 Found evasive API chain (may stop execution after checking mutex) 8->54 62 5 other signatures 8->62 14 ZxDpxUVmZXI.exe 1 8->14         started        17 schtasks.exe 1 8->17         started        32 C:\Users\user\AppData\...\ZxDpxUVmZXI.exe, PE32 11->32 dropped 34 C:\Users\user\AppData\Local\...\tmpD3E5.tmp, XML 11->34 dropped 56 Contains functionality to hide user accounts 11->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 11->58 60 Adds a directory exclusion to Windows Defender 11->60 19 TQVDz.exe 3 2 11->19         started        22 powershell.exe 21 11->22         started        24 schtasks.exe 1 11->24         started        signatures6 process7 dnsIp8 64 Contains functionality to hide user accounts 14->64 26 conhost.exe 17->26         started        38 omc2015asm.ddns.net 212.36.208.85, 5201 Beirut-LebanonLB Lebanon 19->38 66 Increases the number of concurrent connection per server for Internet Explorer 19->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->68 28 conhost.exe 22->28         started        30 conhost.exe 24->30         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f5e1b30ec44e8c2a6e6a3c67bf7a5ecd7474c978668724eb49141608a3a60add
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f5e1b30ec44e8c2a6e6a3c67bf7a5ecd7474c978668724eb49141608a3a60add/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-20 13:30:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6xq3gdwej2gcu3tkhrt366s6zv2hjslym2dsj22jcqlari5gbloq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/231223-bxdfwsgcg5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Warzone RAT payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
omc2015asm.ddns.net:5201
Unpacked files
SH256 hash:
d87a19ac9d1cec221840427c0452258ecdae0d67aed22bbb934f02e64587ae4b
MD5 hash:
f26d7a421da0d7ac304f228e1a62e51d
SHA1 hash:
d65a5d7d63d4e6f257ed5f4441957e08521ff179
Link:
https://www.unpac.me/results/bd1d073a-3eb5-4424-bad7-aca3c5cdd4a1/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/bd1d073a-3eb5-4424-bad7-aca3c5cdd4a1/
SH256 hash:
c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf
MD5 hash:
160f4669c06c6496d79a92ea9d33e89b
SHA1 hash:
baae226fdb2a9739f118db781bdc74f2efc6a585
Link:
https://www.unpac.me/results/bd1d073a-3eb5-4424-bad7-aca3c5cdd4a1/
SH256 hash:
f5e1b30ec44e8c2a6e6a3c67bf7a5ecd7474c978668724eb49141608a3a60add
MD5 hash:
4b541ff698f1b6cb633140e65dcb6f5f
SHA1 hash:
78a89671c275e0498f66393d2bf0c0d9ca84569e
Link:
https://www.unpac.me/results/bd1d073a-3eb5-4424-bad7-aca3c5cdd4a1/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f5e1b30ec44e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/f5e1b30ec44e8c2a6e6a3c67bf7a5ecd7474c978668724eb49141608a3a60add

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/85713bc5-f0e1-4cec-b08d-c48224a5514a
Cape
Cape
https://www.capesandbox.com/analysis/469092/

Comments