MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ec80487df001c0f6d41a90bbe2451242977a6f36a276d6eefa8aef0f593ab6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ec80487df001c0f6d41a90bbe2451242977a6f36a276d6eefa8aef0f593ab6b
SHA3-384 hash: 4b70739a9d66c148dd4992b30d5d093670d386ff60af2d153583c0aebebd78cf6295922dfc354ed73dc4aecdfe1b0efc
SHA1 hash: 57b7bd782126186cb0cd40919a5a88e2283b978b
MD5 hash: da76723b187edc1913d3151d6ba0dd78
humanhash: network-idaho-finch-salami
File name:RFQ#8086A_461A_0000086_300_3550_2021.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'007'392 bytes
First seen:2021-04-04 16:50:38 UTC
Last seen:2021-04-04 17:54:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f249a0bdc75ed098d9aaa95dc140f0ff (1 x AveMariaRAT)
ssdeep 12288:O3Z1rQt44xwsSJ2LF8IIlhFDld2WGFlKqJU1SiPWm4UjvFx:kr642wsMc83JRd2WGD1XiL4Ujdx
Threatray 810 similar samples on MalwareBazaar
TLSH CC259276BB5A8E32F08BA03CE58AF5744453B91235C950622EDCFB05DB67B403AF1876
Reporter abuse_ch
Tags:AveMariaRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.econt.com
Sending IP: 213.91.197.11
From: Nesma Trading Co. Ltd <tenders@sanmed.in>
Subject: Nesma Trading Co. Ltd- Purchase Order #8086A-46
Attachment: RFQ8086A_461A_0000086_300_3550_2021.img (contains "RFQ#8086A_461A_0000086_300_3550_2021.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ#8086A_461A_0000086_300_3550_2021.exe
Verdict:
Malicious activity
Analysis date:
2021-04-04 16:51:44 UTC
Tags:
installer
Link:
https://app.any.run/tasks/322705da-7605-4a14-936f-2733a61c3276

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132107/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Sending a UDP request
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Deleting a recently created file
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Stealing user critical data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/275246aa-4b01-4aa4-b7bc-271e14baf6c3
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665637
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 381746 Sample: RFQ#8086A_461A_0000086_300_... Startdate: 04/04/2021 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for domain / URL 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 6 other signatures 2->45 6 RFQ#8086A_461A_0000086_300_3550_2021.exe 1 19 2->6         started        11 Obyeke.exe 13 2->11         started        13 Obyeke.exe 13 2->13         started        process3 dnsIp4 25 banglaboi.com.bd 172.67.212.122, 443, 49710, 49711 CLOUDFLARENETUS United States 6->25 23 C:\Users\Public\Libraries\Obyeke\Obyeke.exe, PE32 6->23 dropped 47 Writes to foreign memory regions 6->47 49 Allocates memory in foreign processes 6->49 51 Creates a thread in another existing process (thread injection) 6->51 15 ieinstal.exe 3 4 6->15         started        27 104.21.16.122, 443, 49727, 49728 CLOUDFLARENETUS United States 11->27 53 Multi AV Scanner detection for dropped file 11->53 55 Injects a PE file into a foreign processes 11->55 19 ieinstal.exe 1 11->19         started        21 ieinstal.exe 1 13->21         started        file5 signatures6 process7 dnsIp8 29 xchilogs.duckdns.org 199.249.230.32, 23411, 49724 QUINTEXUS United States 15->29 31 Tries to steal Mail credentials (via file access) 15->31 33 Tries to harvest and steal browser information (history, passwords, etc) 15->33 35 Increases the number of concurrent connection per server for Internet Explorer 15->35 37 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->37 signatures9
Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-04-04 07:07:52 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d3eajb67aaoa63kbvef34jcrequxpjxtnitw23xpvcxpb5mtvnvq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
08424a8ed34a7731f4118f3e4ddc49ae332b20f6ce042f1c967fd5d75ec1f0c7
AveMariaRAT
122ef85900670d4776f3afdbe676d59c23c4cd9944b9d392eb9a446b3bb40dde
AveMariaRAT
29c359a430263d1482f855d74d16a653f7bdcd6ab01abcb6090c1163a1568f71
AveMariaRAT
3139ed0df84c327db60fb109ac29aee322c9340327a24382270c321fa645a2e5
AveMariaRAT
5cbed2f8a5fdadbd99816c4c8792bd51a2db7479f80bf70409f0f257f942d0c9
AveMariaRAT
688db922ed6771475dc6c379990567dc7e07ecaa848ada113472d1021eb02926
AveMariaRAT
803ed954a2fbfa36e1b154d7b1b6b270021eb72583d5a876e5aaedd728c39cc7
AveMariaRAT
9b342770fe4594e3a6d22b0b8d50269f8c749fb6d43c4f22d6ba48ddbff23bb4
AveMariaRAT
a67866e26c35be123728faf13ab166a05eb79ad7e8c6c79768ea059326d5cb60
AveMariaRAT
be783c2bd964fe9b8cc8a49b0312a6125ca2981ab1abe3d2d2b42c32395368fd
AveMariaRAT
+ 800 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/210404-7texez1t4j/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
xchilogs.duckdns.org:23411
Unpacked files
SH256 hash:
68247adf9c5d5961c0fc61a2af5bbfa7da927f36c0a9ae05003599b4b27e38b7
MD5 hash:
1b8ca94170420aee9e1609e419d7c2b0
SHA1 hash:
7c04b1b128246ab1421ca34fd7723a4a027d8510
Link:
https://www.unpac.me/results/c6d456ba-8081-442c-b0e0-d81d370dec49/
SH256 hash:
1ec80487df001c0f6d41a90bbe2451242977a6f36a276d6eefa8aef0f593ab6b
MD5 hash:
da76723b187edc1913d3151d6ba0dd78
SHA1 hash:
57b7bd782126186cb0cd40919a5a88e2283b978b
Link:
https://www.unpac.me/results/c6d456ba-8081-442c-b0e0-d81d370dec49/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_KB_CERT_56f008e69a7c4c3feb389c66eaf58259
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

img b52ddc71a99712e6158625d19f11001cf29ec4cd05df9b8112fb6fdbc2a1bc71

AveMariaRAT

Executable exe 1ec80487df001c0f6d41a90bbe2451242977a6f36a276d6eefa8aef0f593ab6b

(this sample)

  
Dropped by
MD5 5809e2049713bda86766fb5d07763f10
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b52ddc71a99712e6158625d19f11001cf29ec4cd05df9b8112fb6fdbc2a1bc71
Cape
Cape
https://www.capesandbox.com/analysis/132107/

Comments