MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6db5403668bc33460530eb17508bb86018e24025aa365c653e9ce24c8d33cdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6db5403668bc33460530eb17508bb86018e24025aa365c653e9ce24c8d33cdc
SHA3-384 hash: 5728e0a185b488badbcd058c830b894228a52149b546877285bf37063d1ad2eb8d96829ef4c1e210452be13899b84847
SHA1 hash: 3d6b9033285f98ce020f2e0a5addbd1ae4e36d9a
MD5 hash: 7257c86674da2740b5a8ced6a0c755ce
humanhash: hydrogen-social-whiskey-papa
File name:DHL_119040 receipt document,pdf.iso
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:864'256 bytes
First seen:2021-09-15 14:08:22 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 24576:+0KXbYUlmM/OwPVPZzKHrCHW2h8DAaTY2kjpPPobRf+0awpxh9aWRZEfhqdrpXeW:+ZmMjxVW2h8DAaTY2kjpPPobRf+0awpm
TLSH T170057EB1CA46DB72E82E1A3D4CE63829AE26FE403E1CDC11ABF4DA7556347512C7D04B
Reporter cocaman
Tags:AveMariaRAT DHL iso


Avatar
cocaman
Malicious email (T1566.001)
From: ""DHL Express Cargo" <delivery@dhl.com>" (likely spoofed)
Received: "from ns1.omnis.com (unknown [38.103.244.230]) "
Date: "15 Sep 2021 13:04:33 +0000"
Subject: "DHL CARGO DELIVERY"
Attachment: "DHL_119040 receipt document,pdf.iso"

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Iso_badexts72.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/61751b61db358dd15ed925cd/reports/3aea1b4e-759a-41b7-a7bb-f23c5ee69e2c/overview
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6db5403668bc33460530eb17508bb86018e24025aa365c653e9ce24c8d33cdc/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-09-15 14:09:10 UTC
File Type:
Binary (Archive)
Extracted files:
39
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=63nvia3grpbtiyctb2yxkcf3qyay4jaclkrwlrst5hhcjsgthtoa._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210915-rf5rtadggr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
ugob.ddns.net:5200
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f6db5403668bc33460530eb17508bb86018e24025aa365c653e9ce24c8d33cdc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

iso f6db5403668bc33460530eb17508bb86018e24025aa365c653e9ce24c8d33cdc

(this sample)

AveMariaRAT

Executable exe c6efb11667620971bfa2b783b75762c69c1bf3fe2cee9bd4ddc51164e8ba8563

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 c6efb11667620971bfa2b783b75762c69c1bf3fe2cee9bd4ddc51164e8ba8563
  
Dropping
AveMariaRAT

Comments