MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f69faea7165ab34da776a4afaeb59a46c6061f58d431bc231bbab76db9e2ec4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 5



SHA256 hash: f69faea7165ab34da776a4afaeb59a46c6061f58d431bc231bbab76db9e2ec4c
SHA3-384 hash: 091e9e63c18147b61f261aba944ae63492441e5e4de6517db7258d4665206db02dec30df8abae85893d8ee65835e9647
SHA1 hash: 3494d3e65c320dc21fadf9b30a07559fb17fecbf
MD5 hash: d0d76dd90174c03fd72d95662a7830e1
humanhash: spring-butter-yellow-magnesium
File name: 8b42ea4894ab2cbae9f9810d43833e82
Signature: AveMariaRAT
File size: 1'396'392 bytes
First seen: 2020-11-17 11:29:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3b4a52a08bd0152d124fdb84d8fb3e25 (2 x AveMariaRAT, 1 x ModiLoader)
ssdeep: 24576:do/zsuNJWH+24+bEJ1et69NtE2jr4H1YY/YX:IB4HotEOTp
Threatray: 606 similar samples on MalwareBazaar
TLSH: 6C55BFE2E7800933F122DA7CCD7B9FD75A35BD213D2888A73AF86C5C1E766416419293
Reporter: seifreed
Tags: AveMariaRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 75
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Changing a file
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict: 0
Threat name: Win32.Trojan.Jacard
Status: Malicious
First seen: 2020-11-17 11:30:31 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:modiloader family:warzonerat infostealer persistence rat trojan
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method: Other
