MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9ca14fcdffeb48b11ea026812ac0a7dc941f27e0c1384dc8e9b83b18de4c2a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 11



SHA256 hash: f9ca14fcdffeb48b11ea026812ac0a7dc941f27e0c1384dc8e9b83b18de4c2a7
SHA3-384 hash: 5caffb306f6309611c8394fb29887c349e1542dc1104ac4c3ad1edf945f4f55842129c379e5c17b0bffb32b74d30caa3
SHA1 hash: 698657bce5870929f55ffd6a8d10e2a4a5be90ae
MD5 hash: 51f96dfcb6d8ea6422b9bba50ccd31ac
humanhash: sierra-hamper-fifteen-comet
File name: crat.exe
Signature: AveMariaRAT
File size: 538'641 bytes
First seen: 2021-05-07 11:58:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 12288:VhqxSLo5C1Ps4XhWT+trB850CmfxHfG2qMBk2SbCBXXk3:VHLmCiIhjckfxO2qT2SQX03
Threatray: 1'318 similar samples on MalwareBazaar
TLSH: 00B4E103F9C58872D52209311A29AB51697D7D201F248EEBB3E8792DEB351E17734BB3
Reporter: James_inthe_box
Tags: AveMariaRAT exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Sending a UDP request
Launching a process
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph (ID 408813, sample crat.exe, start date 09/05/2021, architecture WINDOWS, score 100):
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
crat.exe (started)
    drops C:\Users\user\AppData\Roaming\test.exe (PE32)
    starts test.exe
        drops C:\Users\user\Documents\ph88AcgfPIO.exe (PE32)
        drops C:\Users\user\AppData\Local\...\test.exe.log (ASCII)
        drops C:\Users\user\AppData\Local\Temp\...\test.dll (PE32+)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (overwrites its own PE header); 3 other signatures
        starts ph88AcgfPIO.exe
            drops C:\ProgramData\images.exe (PE32)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 9 other signatures
            starts images.exe
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
            starts cmd.exe
                starts reg.exe
                    signature: Creates an undocumented autostart registry key
                starts conhost.exe
            injects into explorer.exe
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Status:
Malicious
First seen:
2021-03-26 03:59:55 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
27 of 47 (57.45%)
Threat level:
  5/5
Result
Malware family:
warzonerat
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
149.28.124.150:5200
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-07 12:01:26 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [C0029.002] Cryptography Micro-objective::SHA1::Cryptographic Hash
2) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
3) [C0031.001] Cryptography Micro-objective::AES::Decrypt Data
4) [C0032.001] Data Micro-objective::CRC32::Checksum
5) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash
7) [F0004.007] Defense Evasion::Bypass Windows File Protection
9) [C0046] File System Micro-objective::Create Directory
10) [C0048] File System Micro-objective::Delete Directory
11) [C0047] File System Micro-objective::Delete File
12) [C0049] File System Micro-objective::Get File Attributes
13) [C0051] File System Micro-objective::Read File
14) [C0050] File System Micro-objective::Set File Attributes
15) [C0052] File System Micro-objective::Writes File
16) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
17) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
20) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
21) [C0040] Process Micro-objective::Allocate Thread Local Storage
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0041] Process Micro-objective::Set Thread Local Storage Value
25) [C0018] Process Micro-objective::Terminate Process