MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e4a719dbf73767e3fc658adda053f9e355298200b4ee8ac83380505db4e1125. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e4a719dbf73767e3fc658adda053f9e355298200b4ee8ac83380505db4e1125
SHA3-384 hash: 3731c73488b6b162b8011ca29d4cd981a0e8e9bf75b2a1f6385a4a585ae8012b404df7e52a3d4c605bbd44f2661dcf79
SHA1 hash: 695b43b1a1d84ae55f199676075d56fd97a37846
MD5 hash: 04241822f8bd8028712a24bfea7a2f8f
humanhash: london-king-thirteen-bravo
File name:NEW ORDER727733PO.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:707'072 bytes
First seen:2022-03-03 06:41:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:/kqd8sVCD6lU5F4ONFH7daeUSsIsIv1mbcA00f/0gBtQyAhmqrmRfm:i66/4ONh7daFIsIv1ucA0xEY3mR
Threatray 1'937 similar samples on MalwareBazaar
TLSH T16EE41AB96772D535F966863E84E9A40C13A06C15EE439EE370C6B7BE6E332C49D32143
File icon (PE):PE icon
dhash icon 3069cccce89696b2 (1 x AveMariaRAT)
Reporter lowmal3
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RDPWrap
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246687/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39117901.28646.5654.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% directory
Reading critical registry keys
Creating a file in the %temp% directory
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bda7747e-e489-427b-ba56-197437750149
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949703
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e4a719dbf73767e3fc658adda053f9e355298200b4ee8ac83380505db4e1125/
Threat name:
ByteCode-MSIL.Trojan.MortyStealer
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 05:58:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzfhdhn7on3h4p6glcw5ubj7ty2vfgbabnhorledhacqlw2ocesq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
53f3667f28ccf0d21ba05eb659a6138ae1a6bc24348d2750f16261bb5b6b2121
AveMariaRAT
649acc4a8ec45c2b3d6e217e3818db8174eb3a3bd923d8b907f6164fd42bb751
AveMariaRAT
74e572bc38bba5ae10cb950fb8002199c50479a1e7ad3e5f7f8b8507eb506c8d
AveMariaRAT
90c579c57ac202ad7230581299a82c3aba896fc61673efdb0e64fbd719a237f8
AveMariaRAT
995c82e7ea2a4f8882876f17fe0e3cacb47860744d48f250bdee6a7e9b01f0f7
AveMariaRAT
9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590
AveMariaRAT
ca434fc22c9d646c7553432c66382e194c4eaeb09ee1015244eae33f176f1ca0
AveMariaRAT
dbdfbca2dcc01a530cd7c449500dc0f6b564c11f9ed9dc8d746709a235d6826f
AveMariaRAT
f9ca14fcdffeb48b11ea026812ac0a7dc941f27e0c1384dc8e9b83b18de4c2a7
AveMariaRAT
fb7c5dcc8038f5c13719469a6ec13b422b968afbb2f24eefa116d095ad493c7b
AveMariaRAT
+ 1'927 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer rat spyware stealer
Link:
https://tria.ge/reports/220303-hgcb8ahed4/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Suspicious use of NtCreateProcessExOtherParentProcess
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
bed.fastestmaking.com:5367
Unpacked files
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/319aef92-3842-444a-a6d0-929c49219010/
SH256 hash:
7ab3f52fab576a1483178d6fdd698274a155f43f9749091c8353d080dc8d4fdd
MD5 hash:
730c1584b2d11c88f22378933772118b
SHA1 hash:
87f01fd74863c27e66d9a80b7ba943327c1a161a
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/319aef92-3842-444a-a6d0-929c49219010/
Parent samples :
ca434fc22c9d646c7553432c66382e194c4eaeb09ee1015244eae33f176f1ca0
1e4a719dbf73767e3fc658adda053f9e355298200b4ee8ac83380505db4e1125
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/319aef92-3842-444a-a6d0-929c49219010/
SH256 hash:
1e4a719dbf73767e3fc658adda053f9e355298200b4ee8ac83380505db4e1125
MD5 hash:
04241822f8bd8028712a24bfea7a2f8f
SHA1 hash:
695b43b1a1d84ae55f199676075d56fd97a37846
Link:
https://www.unpac.me/results/319aef92-3842-444a-a6d0-929c49219010/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1e4a719dbf73/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e4a719dbf73767e3fc658adda053f9e355298200b4ee8ac83380505db4e1125

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria_WarZone
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 1e4a719dbf73767e3fc658adda053f9e355298200b4ee8ac83380505db4e1125

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/246687/

Comments