MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 196789782f6dcb856fb75cc2f08f70fa7643ce5183ebba9b677253d86cac9b41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 196789782f6dcb856fb75cc2f08f70fa7643ce5183ebba9b677253d86cac9b41
SHA3-384 hash: 2142c3ba338f089addbcfeccaa0d54e7972b80d3494337676d41b205423b0ae213869561826e086a4c0e717e7aa80d63
SHA1 hash: 5ed5769fc05b388ec911352a6a206a912004e586
MD5 hash: ade6651839e1dc32dca145ea6c83b676
humanhash: march-princess-twenty-mars
File name:Cont_IMG_60712133_1247066872129983_2152132284377989120.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'140'744 bytes
First seen:2021-03-01 07:29:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b4043a309d0347d03a7fb07fb4b5acc1 (2 x AveMariaRAT, 1 x RemcosRAT, 1 x BitRAT)
ssdeep 24576:VhTP85JKIq20xIQ40TMt7zVT6lVINGgZi4:vTPAvTzVT6lKNGL4
Threatray 769 similar samples on MalwareBazaar
TLSH 44358D12A29348F7D0221637993A5274D8A5BE20F5385D4636ECAC7CBFEF2507C1F986
Reporter abuse_ch
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Cont_IMG_60712133_1247066872129983_2152132284377989120.exe
Verdict:
Malicious activity
Analysis date:
2021-03-01 08:08:44 UTC
Tags:
trojan stealer rat avemaria
Link:
https://app.any.run/tasks/440e03ab-8be4-4798-848c-68e8077cf8f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120136/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.20015.3732.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Creating a file in the %AppData% directory
Reading critical registry keys
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621869
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359924 Sample: Cont_IMG_60712133_124706687... Startdate: 01/03/2021 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for domain / URL 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 5 other signatures 2->45 6 Diszztec.exe 2->6         started        9 Diszztec.exe 2->9         started        11 Cont_IMG_60712133_1247066872129983_2152132284377989120.exe 1 18 2->11         started        process3 dnsIp4 47 Multi AV Scanner detection for dropped file 6->47 49 Machine Learning detection for dropped file 6->49 51 Writes to foreign memory regions 6->51 15 sethc.exe 5 6->15         started        53 Allocates memory in foreign processes 9->53 55 Creates a thread in another existing process (thread injection) 9->55 57 Injects a PE file into a foreign processes 9->57 19 calc.exe 5 9->19         started        25 cdn.discordapp.com 162.159.130.233, 443, 49714 CLOUDFLARENETUS United States 11->25 23 C:\Users\Public\Libraries\Diszztec.exe, PE32 11->23 dropped 21 eventvwr.exe 3 5 11->21         started        file5 signatures6 process7 dnsIp8 27 192.168.2.1 unknown unknown 19->27 31 System process connects to network (likely due to code injection or exploit) 19->31 33 Tries to steal Mail credentials (via file access) 19->33 35 Tries to harvest and steal browser information (history, passwords, etc) 19->35 29 warzone05b.duckdns.org 194.5.98.154, 25820, 49722, 49725 DANILENKODE Netherlands 21->29 37 Increases the number of concurrent connection per server for Internet Explorer 21->37 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/196789782f6dcb856fb75cc2f08f70fa7643ce5183ebba9b677253d86cac9b41/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 07:30:09 UTC
AV detection:
15 of 49 (30.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dftys6bpnxfyk35xltbpbd3q7j3ehtsrqpv3vg3hojj5q3fmtnaq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
2002e2506e59be859c12de94b1d9ddbfeeee31373684ce15f4e5b952da036a69
AveMariaRAT
2a73b5bcf40617742a535178183021aa1f0ed55f85a431e1535a0b65030b6867
AveMariaRAT
33a76af55237d9ba192ee8496fd6c4adc489593705e81c663a890b39e1c92a8e
AveMariaRAT
4fe45a8e07fc28eb30222f08219ca2bb8832220a97ff56333193bd422a876f0c
AveMariaRAT
62a9e0bc56c03b9ad7ff3ff1242415b95c29b10c2699a55c4d8940338e18887e
AveMariaRAT
7b7b7e7ad9b106a5508583f1b60e3a3d7385bf0d6592ca816839f6633f5e8045
AveMariaRAT
8fbd0e656a1ee90b82591111e01fb0e8b7a3d3e711e0d5165d05a5d844b8c03f
AveMariaRAT
ed21e9b47bc6e3343b98a6a69795c35c0b9ed34d9963a65e5df0afdcfdad9820
AveMariaRAT
f58206c0e3f90670105f3d92f49e4f3e4dd36970697f24de762862f24ea130cf
AveMariaRAT
fae5d87e8771f0025e306697f68afe511275e9772af23dfd081ffbfc0b56f38d
AveMariaRAT
+ 759 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210301-6ye9g387g2/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
warzone05b.duckdns.org:25820
Unpacked files
SH256 hash:
5bcde4d165f66f58ce0446462a038b7ae84e2fd2275885f61f68287547aac66d
MD5 hash:
34cb499bbd566c24dcf888e9bab46083
SHA1 hash:
3bb97e3103868691e57e7cf3be88a7ff30f46ea1
Link:
https://www.unpac.me/results/8c500ae1-da57-4c98-8e26-37bc5d2cda76/
SH256 hash:
196789782f6dcb856fb75cc2f08f70fa7643ce5183ebba9b677253d86cac9b41
MD5 hash:
ade6651839e1dc32dca145ea6c83b676
SHA1 hash:
5ed5769fc05b388ec911352a6a206a912004e586
Link:
https://www.unpac.me/results/8c500ae1-da57-4c98-8e26-37bc5d2cda76/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/196789782f6dcb856fb75cc2f08f70fa7643ce5183ebba9b677253d86cac9b41

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 196789782f6dcb856fb75cc2f08f70fa7643ce5183ebba9b677253d86cac9b41

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120136/

Comments