MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 204671d989631c99ed12773546e79d980aec9a79922769d13c732fff64325353. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 12 File information Comments

SHA256 hash:	204671d989631c99ed12773546e79d980aec9a79922769d13c732fff64325353
SHA3-384 hash:	2590d8e518d6ea1eefb49f09c641e46933e4d54fa40dc250f77ee143acfa801120d568c109df1d3c9ec53660d8d02fc9
SHA1 hash:	1dcdea4c1a48c63962172a5cc0834bee790cb5b7
MD5 hash:	b432b63fa8ac6540ae3c6474ede8c923
humanhash:	october-bluebird-arizona-sixteen
File name:	Order confirmation request_25.08.21.pdf.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	757'760 bytes
First seen:	2021-08-25 11:49:32 UTC
Last seen:	2021-08-25 13:20:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	95ca75521f0d84796bcc75c19eb91d03 (4 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	12288:HG0z7gLLMuRN/tMvdEAwM3nrkaoUfpACXDoVttivrly5g1+yVt:HfzMzRxtMEqAP0iCXDvvrlm8xV
Threatray	1'288 similar samples on MalwareBazaar
TLSH	T192F46DA56DFC0C73D693263E4C1986BA0530FD9039A4DD5A6BFA3D8ACE39340193E617
dhash icon	f8e88ea482a8a888 (8 x RemcosRAT, 1 x AveMariaRAT, 1 x Formbook)
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Order confirmation request_25.08.21.pdf.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-25 11:51:00 UTC

Tags:

installer

Link:

https://app.any.run/tasks/23d425b9-5691-48e7-846a-b998c8798b4a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/182273/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Inject.4c.1673.6265.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Deleting a recently created file

Launching a process

Running batch commands

Creating a process with a hidden window

Launching cmd.exe command interpreter

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% directory

Reading critical registry keys

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Stealing user critical data

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AVE_MARIA

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0471cc0d-73a6-452e-9b6f-3801e0fe0ff0

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/839070

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Creates a thread in another existing process (thread injection)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Sigma detected: Suspicious Svchost Process

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/204671d989631c99ed12773546e79d980aec9a79922769d13c732fff64325353/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-08-25 11:50:12 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ebdhdwmjmmojt3iso42unz45tafozgtzsitwtuj4omx76zbsknjq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

37997c1eec37f3540a10458aa1e67be3cff20ef13feea966da82ec0f99f4fbc7

AveMariaRAT

501c54e45dcff8ae57742bc1ab0ba09791a68a6345b9a84f6c92af401556af07

AveMariaRAT

5a36b6f9fe8852daabca8093de029904ab5e024426cfe3ffaeca6c14fb093501

AveMariaRAT

7f6b099267911103a2ed4968d73900bbdc667fde2d574fe8300f891a25a33f55

AveMariaRAT

9049285c909f97f6342cd619ec5292e73c1cef65706904d7665743358fd6eb1f

AveMariaRAT

9958131d419bbaf7b385485777f83c03f2757f2aa263fbb1280b1e64f961a164

AveMariaRAT

e9306553fc49cf5964b3677986d125dbddad79546bdd37ba7dd9cf975b5976d1

AveMariaRAT

f15224a9cc3713a1ffff26de7d7e962bafa436c98962d2f7cc2bbdcf47c977a6

AveMariaRAT

+ 1'278 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer rat

Link:

https://tria.ge/reports/210825-3sfz4mkv6s/

Behaviour

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Loads dropped DLL

Warzone RAT Payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

blacice24.hopto.org:5032

Unpacked files

SH256 hash:

69b43f764e65daf8af6feec1aaceae822fc6705587d86a9eb490ebcd23c157eb

MD5 hash:

1ba17c2bbea2acdefc2e510c70936486

SHA1 hash:

3a753d99891da45886d265760db33d9e06d9c9e9

Link:

https://www.unpac.me/results/310233e6-3490-4f08-8ed1-315ac2b3a919/

SH256 hash:

204671d989631c99ed12773546e79d980aec9a79922769d13c732fff64325353

MD5 hash:

b432b63fa8ac6540ae3c6474ede8c923

SHA1 hash:

1dcdea4c1a48c63962172a5cc0834bee790cb5b7

Link:

https://www.unpac.me/results/310233e6-3490-4f08-8ed1-315ac2b3a919/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/204671d98963/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/204671d989631c99ed12773546e79d980aec9a79922769d13c732fff64325353

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

exe 204671d989631c99ed12773546e79d980aec9a79922769d13c732fff64325353

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/182273/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample