MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578
SHA3-384 hash: 3a9a27d49659cfd25539e9f29f7d195cba0dca0e560b527d62da7f5186db2b92210860e8d808263289d425f861a45528
SHA1 hash: c4a066ecb0e73b431561eb5f209af51e361f0467
MD5 hash: fb5b35716632d1ec30f13ea6c1c8ac69
humanhash: alaska-two-mexico-twenty
File name:New Order.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'374'720 bytes
First seen:2020-06-02 10:46:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 10abec0d09b3458ed0aeef51541dd70d (5 x AveMariaRAT)
ssdeep 12288:OI48RL+Xbzj+Lj5a0hg1nbWWfcIeln1Wj0glQDSrxSWeVMru+nEJd7+rE493C:J481ZLj5a0hg1n6kelnD83
Threatray 509 similar samples on MalwareBazaar
TLSH B4555C023682A825E9F742F08D7E8A963C3D7E904F1090FB53D61BDE49E26E46D34767
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: standfordgroups.com
Sending IP: 62.173.142.172
From: Stefania Pitta <StefaniaPitta@mediform.com>
Subject: Re: New Order - Mediform S.A
Attachment: New Order.zip (contains "New Order.exe")

AveMariaRAT C2:
79.134.225.40:5200

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 10:19:00 UTC
AV detection:
17 of 48 (35.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=um5e3svr2c2mq7oaaqmgflxyohjwkjz2bovjifro6t7yll2ryv4a._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
2c17ec053eeef1daed652560bd9bd8672fd2bd160595f998f87c017b3c7095c5
AveMariaRAT
40503a4df817599fdf0125c5b99076700718e3eb50bbb759d139aa95a8d18d59
AveMariaRAT
785c0d4d25629a52bf22014d5e21c10dbd19e6e7958eb400ea445182a827578f
AveMariaRAT
7c186a7edf751a516c70679dd03e248eabb14a56497c064c16d43b1133b9b86a
AveMariaRAT
8b8c1a8d955a33aee2a355050c138ce891207b2dcb37967ab24d278abdf98254
AveMariaRAT
922be6acb1365bac828b5493a4ba1a5fd0d214a5273f39bfbaf932d80c9b5a75
AveMariaRAT
b6fe251f63967620aa825a84bec39adea438c1c8e29193f236ffc22bda75523b
AveMariaRAT
d0c16d7dd39f3e0c3972b5c19de8e9daeb031d3ce55a6329a0ce76271904d078
AveMariaRAT
f6992d6684eb90b504ae13c3a5159e336005a415c7e50ed2dc7f1420ffa488b1
AveMariaRAT
f99107fb49e1a9ae31d72e1a052baa79ce419ce970bc521010885c98a3d6e6ac
AveMariaRAT
+ 499 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/201109-67w9ken5pn/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Warzone RAT Payload
ServiceHost packer
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_malumpos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

zip 894c5373ef237ed4ac23126973dbc1862929a4d175039c42673a6acf2486a9fd

AveMariaRAT

Executable exe a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578

(this sample)

  
Dropped by
MD5 bed2d285f1b7b393ce53932c805d28b6
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 894c5373ef237ed4ac23126973dbc1862929a4d175039c42673a6acf2486a9fd

Comments