MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07915b1a44803fc9bd86d2d9ddad19434440b3d73f5c77f3400c84a935dd0255. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07915b1a44803fc9bd86d2d9ddad19434440b3d73f5c77f3400c84a935dd0255
SHA3-384 hash: 68629aa28185984f0e7f461c1e59a5f200b476ba27959688c5d5e54be3c91d788653c55f1aa303108641f1e1e8d65e61
SHA1 hash: fa000ffcf784ddc5a823621ec88d873104699c86
MD5 hash: 260681aa222d5ba83d38554857c00fe6
humanhash: uncle-bravo-may-thirteen
File name:SKM_C454e20121811360.pdf.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:839'096 bytes
First seen:2021-09-08 10:20:39 UTC
Last seen:2021-09-15 06:58:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a6f9ce49927a1276962e131ee30a4701 (4 x AveMariaRAT, 2 x NetWire, 2 x RemcosRAT)
ssdeep 12288:QDylNhPTW3jR+9bHoraZlojpF/b8PmcuVpvC1VGEdrjP3:V7I3N8DoraZ6d8unzUV9T3
Threatray 2'151 similar samples on MalwareBazaar
TLSH T1CE057D11A1E5BEFDD1221B381CAB35E744767FA23E196CD52FA839488E7C281383175E
dhash icon acacacb6a2968eaa (13 x RemcosRAT, 4 x Formbook, 4 x AveMariaRAT)
Reporter GovCERT_CH
Tags:AveMariaRAT exe WarzoneRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKM_C454e20121811360.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-08 10:21:23 UTC
Tags:
trojan stealer rat avemaria
Link:
https://app.any.run/tasks/032e1359-a8e5-4a98-83cb-ba11c0984643

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186309/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7977522-90da-462a-a485-caa499b42e27
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/847284
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to create processes via WMI
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops script or batch files to the startup folder
Found malware configuration
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Double Extension
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 479715 Sample: SKM_C454e20121811360.pdf.exe Startdate: 08/09/2021 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Detected unpacking (changes PE section rights) 2->62 64 12 other signatures 2->64 10 SKM_C454e20121811360.pdf.exe 15 2->10         started        14 cmd.exe 1 2->14         started        process3 dnsIp4 48 cdn.discordapp.com 162.159.135.233, 443, 49708, 49709 CLOUDFLARENETUS United States 10->48 70 Detected unpacking (changes PE section rights) 10->70 72 Drops script or batch files to the startup folder 10->72 74 Contains functionality to inject threads in other processes 10->74 76 3 other signatures 10->76 16 SKM_C454e20121811360.pdf.exe 4 8 10->16         started        20 WMIC.exe 1 14->20         started        22 conhost.exe 14->22         started        signatures5 process6 file7 36 C:\ProgramData\windows explorer.exe, PE32 16->36 dropped 38 C:\ProgramData:ApplicationData, PE32 16->38 dropped 40 C:\Users\user\AppData\...\programs.bat:start, ASCII 16->40 dropped 42 2 other malicious files 16->42 dropped 52 Creates files in alternative data streams (ADS) 16->52 54 Increases the number of concurrent connection per server for Internet Explorer 16->54 24 windows explorer.exe 13 16->24         started        56 Creates processes via WMI 20->56 signatures8 process9 dnsIp10 44 162.159.133.233, 443, 49713 CLOUDFLARENETUS United States 24->44 46 cdn.discordapp.com 24->46 66 Injects code into the Windows Explorer (explorer.exe) 24->66 68 Injects a PE file into a foreign processes 24->68 28 windows explorer.exe 4 24->28         started        signatures11 process12 dnsIp13 50 79.134.225.39, 1990, 49716 FINK-TELECOM-SERVICESCH Switzerland 28->50 78 Writes to foreign memory regions 28->78 80 Allocates memory in foreign processes 28->80 82 Installs a global keyboard hook 28->82 84 Creates a thread in another existing process (thread injection) 28->84 32 cmd.exe 1 28->32         started        signatures14 process15 process16 34 conhost.exe 32->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/07915b1a44803fc9bd86d2d9ddad19434440b3d73f5c77f3400c84a935dd0255/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-08 10:21:06 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6ivwgseqa74tpmg2lm53lizincebm6xh5ohp42abscksno5ajkq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
18557447ecf0465479dbc151e8b1370550f10211373cd738e3a67e9112927bc8
AveMariaRAT
4ae3522e80d4dbf4e6e50053d3104e327309ed478bf50040ba14a615b1da3d56
AveMariaRAT
7874dba4574e453fe396d85635c7247d9b769e3d3b5b1011bddb0f0c4d26948d
AveMariaRAT
7da243e349f6cca906f1e36ab36f2a05837c452f0d6c3492da39f934bdc4d860
AveMariaRAT
7f6b099267911103a2ed4968d73900bbdc667fde2d574fe8300f891a25a33f55
AveMariaRAT
995253676a48f849d9f6c5c8e23a612a4aed9fbb3526e9b15894e9397e25fb69
AveMariaRAT
a9321317116649103debb8a03f5b36ee8b015fa48fc7da5c2b5eb5192dac8233
AveMariaRAT
c1576e2a6542baf1bedf9a8f9b62da6a5e2f17dfcef52e5d977bc268c11306ca
AveMariaRAT
f15224a9cc3713a1ffff26de7d7e962bafa436c98962d2f7cc2bbdcf47c977a6
AveMariaRAT
+ 2'141 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210908-mdncjaecf4/
Behaviour
NTFS ADS
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Warzone RAT Payload
Suspicious use of NtCreateProcessExOtherParentProcess
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
79.134.225.39:1990
Unpacked files
SH256 hash:
cd4b225505e84218ef7418c8e5f41acbb67c51bd43e9ddcfa25341259377d3df
MD5 hash:
b7816cb3535b2f2675804d3052295003
SHA1 hash:
db4588853aa1ec16b1f2d29b1e873a653a1ecb13
Link:
https://www.unpac.me/results/2e282be6-f8e8-46f5-8585-7289ed0e9832/
SH256 hash:
07915b1a44803fc9bd86d2d9ddad19434440b3d73f5c77f3400c84a935dd0255
MD5 hash:
260681aa222d5ba83d38554857c00fe6
SHA1 hash:
fa000ffcf784ddc5a823621ec88d873104699c86
Link:
https://www.unpac.me/results/2e282be6-f8e8-46f5-8585-7289ed0e9832/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/07915b1a4480/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07915b1a44803fc9bd86d2d9ddad19434440b3d73f5c77f3400c84a935dd0255

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 07915b1a44803fc9bd86d2d9ddad19434440b3d73f5c77f3400c84a935dd0255

(this sample)

  
Dropped by
warzonerat
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/186309/

Comments