MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b22b166ce3ca7e4037817f694b36beefb1faad44406f7fef1ab939935c671a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b22b166ce3ca7e4037817f694b36beefb1faad44406f7fef1ab939935c671a1
SHA3-384 hash: f1fab274b535045ecdedea539e27e338533be86885bd74922e01b3f30cde0b1e652744cfee924d0966d306c51cb863aa
SHA1 hash: 05d0e1b83f6fb17a8955106d314dc6d3f865c510
MD5 hash: 502d698a9ad79153b2ba063553393d3c
humanhash: hotel-east-speaker-kitten
File name:Detalles de la descripción de la oferta del producto.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:49'056 bytes
First seen:2020-11-06 17:22:59 UTC
Last seen:2020-11-06 19:03:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:Ja2iXcMf/Vq8NHJlCge+64h0QdwJgFmpaFZUf2hJ:J3iXcM1qm3CzJ4HljUfY
Threatray 559 similar samples on MalwareBazaar
TLSH 122372413245FD2FCEAA0E302F62DD6627B2DA711841C349E8A4499CDB436FA3C6D5DE
Reporter abuse_ch
Tags:AveMariaRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: internet.pacifik.cl
Sending IP: 190.121.26.139
From: Maria García <account@atlanticnavigation.com>
Subject: Precio de oferta
Attachment: Detalles de la descripción de la oferta del producto.iso (contains "Detalles de la descripción de la oferta del producto.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.49839.22451.14669.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
DNS request
Adding an access-denied ACE
Creating a file
Connection attempt
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Enabling autorun by creating a file
Enabling autorun
Unauthorized injection to a system process
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/523510
Signature
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 310853 Sample: Detalles de la descripci#U0... Startdate: 06/11/2020 Architecture: WINDOWS Score: 100 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 9 other signatures 2->66 7 Detalles de la descripci#U00f3n de la oferta del producto.exe 18 4 2->7         started        12 Detalles de la descripci#U00f3n de la oferta del producto.exe 2 2->12         started        14 Detalles de la descripci#U00f3n de la oferta del producto.exe 2 2->14         started        16 3 other processes 2->16 process3 dnsIp4 56 hastebin.com 172.67.143.180, 443, 49718, 49726 CLOUDFLARENETUS United States 7->56 48 Detalles de la des...ta del producto.exe, PE32 7->48 dropped 50 Detalles de la des...exe:Zone.Identifier, ASCII 7->50 dropped 76 Creates an undocumented autostart registry key 7->76 78 Hides threads from debuggers 7->78 18 aspnet_state.exe 3 2 7->18         started        22 WerFault.exe 23 9 7->22         started        24 timeout.exe 1 7->24         started        80 Writes to foreign memory regions 12->80 82 Allocates memory in foreign processes 12->82 84 Injects a PE file into a foreign processes 12->84 26 timeout.exe 1 12->26         started        34 4 other processes 12->34 28 timeout.exe 14->28         started        36 2 other processes 14->36 58 104.24.126.89, 443, 49729, 49737 CLOUDFLARENETUS United States 16->58 86 Creates autostart registry keys with suspicious names 16->86 88 Creates multiple autostart registry keys 16->88 30 timeout.exe 16->30         started        32 timeout.exe 16->32         started        file5 signatures6 process7 dnsIp8 52 178.170.138.163, 4554, 49722 ETOP-ASPL Netherlands 18->52 68 Contains functionality to inject threads in other processes 18->68 70 Contains functionality to steal Chrome passwords or cookies 18->70 72 Contains functionality to steal e-mail passwords 18->72 74 2 other signatures 18->74 54 192.168.2.1 unknown unknown 22->54 38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 conhost.exe 30->44         started        46 conhost.exe 32->46         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b22b166ce3ca7e4037817f694b36beefb1faad44406f7fef1ab939935c671a1/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 01:34:57 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmrlczwohst6ia3yc73jjm3l535r7kwuiqdpp7xrvojzsnogogqq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
2850ddcebc7ed468cb0db271e54956468f0c93dd57a233665646d28cb1139373
AveMariaRAT
285f4e79ae946ef179e45319caf11bf0c1cdaa376924b83bfbf82ed39361911b
AveMariaRAT
5b92d7f869973b50de0c707ce58afacd6f1202364283c7dffa6ffd79a41a93eb
AveMariaRAT
5bfecd5a96a527173e0d9a286ecfea7fc89f99abdda3459d85f00fe23f4cb2bc
AveMariaRAT
bec0fd02d4c6cc5da2d88a5bf2a53b8d3ad5cfc1d40a8c62852629d7de06ebd8
AveMariaRAT
c805a81435618323cd34e9729b058df78e9c496d1d6c752cc3e5c7cb30f26613
AveMariaRAT
c838da7346e7f3373f9f1a84a073c248f785e82be48db979cdb339460402de06
AveMariaRAT
e9ef69bd0b38ec9381f02d44dd893c75ac6c1e6a96f4e320416636860d05d398
AveMariaRAT
ec58c3fc201e9b9802d8a2b99dbe046fb29ef26c5f6fcc461ed968b66351473f
AveMariaRAT
fc4b29f54e0b3ed0493ba85310a2665ab47e5143f3cb3ce09686f0560dd1ed04
AveMariaRAT
+ 549 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/201106-1ach1f1t7s/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Warzone RAT Payload
Modifies WinLogon for persistence
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
1b22b166ce3ca7e4037817f694b36beefb1faad44406f7fef1ab939935c671a1
MD5 hash:
502d698a9ad79153b2ba063553393d3c
SHA1 hash:
05d0e1b83f6fb17a8955106d314dc6d3f865c510
Link:
https://www.unpac.me/results/f157d4ed-da10-4e9a-9fa2-2c0edf7a276d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

iso 132f365a47276d41bf45bd6780dbd8b13e6f5ab8e65c3df02fb413d66fbb35e1

AveMariaRAT

Executable exe 1b22b166ce3ca7e4037817f694b36beefb1faad44406f7fef1ab939935c671a1

(this sample)

  
Dropped by
MD5 72b916a5f18efead3e6ecd24c86fa3eb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 132f365a47276d41bf45bd6780dbd8b13e6f5ab8e65c3df02fb413d66fbb35e1

Comments