MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 049a3258d1222a41415a8099d2b79c88ac64400543b9e8d83e450ca592593faf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 049a3258d1222a41415a8099d2b79c88ac64400543b9e8d83e450ca592593faf
SHA3-384 hash: 1648f857a853e2f3e67dbf793cea8ed42a694a218ff8867b13aa01be91ef753c9db0c5aa1cd507898d936dc7cd5f064e
SHA1 hash: 5cbc893e01f46010fa7df6016db48ee28860b3fd
MD5 hash: 8511a7a835eb8faf696e7ac96da0a438
humanhash: juliet-kitten-five-michigan
File name:scan001.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'057'792 bytes
First seen:2020-05-19 05:47:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 507b40b2dc63c889d0c41f7b024904c8 (2 x AveMariaRAT)
ssdeep 12288:1JW8DozxJ2YyaQiiguujW4kdb/B+OlAso1vxFMNIsRBTNdAL0++59m:JozX2YzOlA3NwpNuLI9
Threatray 514 similar samples on MalwareBazaar
TLSH 86255A64B762D018F9FB2AF642EE217D847EBBD40B29A0C711D019EE1526AE4FC31753
Reporter abuse_ch
Tags:AveMariaRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: standfordgroups.com
Sending IP: 62.173.142.172
From: Ali Omar <ali.omar@outlook.com>
Subject: Fwd: Fw: Re: Re: Order Confirmation for advance payment
Attachment: scan001.zip (contains "scan001.exe")

AveMariaRAT C2:
79.134.225.34:5200

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.63'

% Abuse contact for '79.134.225.0 - 79.134.225.63' is 'abuse@anmaxx.net'

inetnum: 79.134.225.0 - 79.134.225.63
netname: BASEL-HOSTING-225-0
country: CH
admin-c: AM38880-RIPE
tech-c: AM38880-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
created: 2016-04-17T00:42:52Z
last-modified: 2016-04-18T06:23:19Z
source: RIPE
remarks: abuse-c AIS166-RIPE
org: ORG-AGIS12-RIPE


Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 07:59:49 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=asndewgreivecqk2qcm5fn44rcwgiqafio46rwb6iugkleszh6xq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0ca6d24907152bf5a6dd6a35cf7ab3e7712ebfa0a2245f2bdfc8a17ebed71bc4
AveMariaRAT
1b13660c52adcccc1cef45f137a3373f5615500a609c61a9872e5ed4336e629a
AveMariaRAT
3a5943219f8400531a411b909b666337ba4f232d19e003a0128e0d699106f04f
AveMariaRAT
7c186a7edf751a516c70679dd03e248eabb14a56497c064c16d43b1133b9b86a
AveMariaRAT
8e2a4af633ffda92d8508e04274bad284ba57cddcdc2ee2c933a68ec6da5d4cd
AveMariaRAT
a607cec440113a15857e5af97900685979bc307112628b6667a8a231f6559145
AveMariaRAT
a6c22328747eaee0b88ce02ad48e8d2860cb275bc2494248a173ccc8bf891563
AveMariaRAT
b5b64f85cdeb5432018e22087fce4b6dc1e56593e8416335f471d4eac1e2b8cf
AveMariaRAT
da7d4b75bfe7b58a32a24ddc9f97e8b479933a515a20945c81d279dc29206bd8
AveMariaRAT
fe1fd26713b3290eb083f29aad553453ad78a6efd99c9b351bf405cfd45de4c3
AveMariaRAT
+ 504 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/201109-tkqfg9j7ej/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Warzone RAT Payload
ServiceHost packer
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_malumpos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

zip d17c5802ecdb09616b622837ec696dc09ef891444e23e6542d827b13cbd23314

AveMariaRAT

Executable exe 049a3258d1222a41415a8099d2b79c88ac64400543b9e8d83e450ca592593faf

(this sample)

  
Dropped by
MD5 b85e2fb1c7a2382d93ad2ff8b8e73a8c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d17c5802ecdb09616b622837ec696dc09ef891444e23e6542d827b13cbd23314

Comments