MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 210907c63a822466ef533403076830467ea49fd5fad67af25528ab558eeb9415. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 210907c63a822466ef533403076830467ea49fd5fad67af25528ab558eeb9415
SHA3-384 hash: 251a87cf6fb6fb4f1255d30bf00b9971ac34ae9aa4d2289df1980d2d4339e6e4dc96c3da9c000076521ffe598691b243
SHA1 hash: 595a9a6b07e38bd071481b82b138284f6e3dfae0
MD5 hash: 6ba67fe3cec56ff86d404d459e46038c
humanhash: beer-montana-don-island
File name:zaproszenie.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'111'960 bytes
First seen:2020-10-22 11:51:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b370bd9acb33b65a37dff94bd60f0a01 (10 x ModiLoader, 2 x AveMariaRAT, 2 x Loki)
ssdeep 12288:RfbnamhHbXW763V8d8OAqUo3priVlP3lVJN2wNkmRPxkcIhl9weV+8YZqckawUN+:Rf75m8OWo0l/iOk4PHIh1luYyejz
Threatray 537 similar samples on MalwareBazaar
TLSH A9356C127290C332C1369AB9CD5FA7BC59A5BE40ED247887FAFC3D4D6B35E80242B156
Reporter abuse_ch
Tags:AveMariaRAT exe geo POL


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mx1.e-tiger.net
Sending IP: 193.23.139.20
From: Policja <notifications@policja.pl>
Subject: Ostatnie zaproszenie od policji
Attachment: zaproszenie.iso (contains "zaproszenie.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74629/
Detection(s):
SecuriteInfo.com.Variant.Zusy.322401.10551.27714.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507045
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 302645 Sample: zaproszenie.exe Startdate: 22/10/2020 Architecture: WINDOWS Score: 100 30 efiigbo9.duckdns.org 2->30 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected AveMaria stealer 2->48 50 6 other signatures 2->50 7 zaproszenie.exe 1 15 2->7         started        12 Prjjdrv.exe 13 2->12         started        14 Prjjdrv.exe 13 2->14         started        signatures3 process4 dnsIp5 32 cdn.discordapp.com 162.159.133.233, 443, 49733, 49748 CLOUDFLARENETUS United States 7->32 34 discord.com 162.159.135.232, 443, 49730 CLOUDFLARENETUS United States 7->34 24 C:\Users\user\AppData\Local\...\Prjjdrv.exe, PE32 7->24 dropped 52 Writes to foreign memory regions 7->52 54 Injects a PE file into a foreign processes 7->54 16 ieinstal.exe 3 2 7->16         started        36 162.159.128.233, 443, 49742, 49745 CLOUDFLARENETUS United States 12->36 38 162.159.135.233, 443, 49743 CLOUDFLARENETUS United States 12->38 56 Multi AV Scanner detection for dropped file 12->56 58 Machine Learning detection for dropped file 12->58 60 Allocates memory in foreign processes 12->60 20 ieinstal.exe 1 12->20         started        22 ieinstal.exe 14->22         started        file6 signatures7 process8 dnsIp9 26 efiigbo9.duckdns.org 91.193.75.34, 49740, 49741, 49744 DAVID_CRAIGGG Serbia 16->26 28 192.168.2.1 unknown unknown 16->28 40 Increases the number of concurrent connection per server for Internet Explorer 16->40 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->42 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/210907c63a822466ef533403076830467ea49fd5fad67af25528ab558eeb9415/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 08:03:09 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eeeqprr2qisgn32tgqbqo2bqiz7kjh6v7llhv4svfcvvldxlsqkq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0629278e51106220eb8727f80f4c24cfb432e6344561e8518030b19b669bcc72
AveMariaRAT
3db67e5cc713186d3bc6e3ad98c72213bc7bfa65c481b368aa51691e68c592a0
AveMariaRAT
4fa4af45c70295513c486589c0e36e7436be6abbf3c75e97b544db959e9dfcb5
AveMariaRAT
51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f
AveMariaRAT
7fa4e7e851fd8997ceb6a4b87912523dd682387f70eb840afc01806e08c26c2f
AveMariaRAT
b44646b530b067dadca8a6b31582efa9b9738c068a209af3b1bb4d403bd574fc
AveMariaRAT
d30b949fc05b15b611b3fe420b6883062c5bb2b270c769540c48f703a46cbbf3
AveMariaRAT
e0e3ae47b7e48c3c81724d0a63f5f6f8033bb516d97c538ea52349a102a0e1b6
AveMariaRAT
e4769506e482cbdbaeae35eb657e75cfb941ab66253770896493666b023851a5
AveMariaRAT
f908e0abb7cf81d0e8f6604cf08bf71a431a409a44073a1a5c542b1987f9cadc
AveMariaRAT
+ 527 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
rat persistence trojan family:modiloader infostealer family:warzonerat
Link:
https://tria.ge/reports/201022-93chzzgags/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
210907c63a822466ef533403076830467ea49fd5fad67af25528ab558eeb9415
MD5 hash:
6ba67fe3cec56ff86d404d459e46038c
SHA1 hash:
595a9a6b07e38bd071481b82b138284f6e3dfae0
Link:
https://www.unpac.me/results/780db429-259a-44f6-b556-2126023f9559/
SH256 hash:
48d02dac0411df294ca68097b87e928435c8a53534ab939eff8d1bf016340cab
MD5 hash:
4583f19b9b84b6ab5380870299fe0e64
SHA1 hash:
037af28a0cf96d9d6868b7901d534e33ac7ec2fa
Link:
https://www.unpac.me/results/780db429-259a-44f6-b556-2126023f9559/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Choice_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

iso bdcc2ec8d51032a590bb77502fffb2548b0fc9cc6803be55ba17c37b1a4b2d88

AveMariaRAT

Executable exe 210907c63a822466ef533403076830467ea49fd5fad67af25528ab558eeb9415

(this sample)

  
Dropped by
MD5 8d2777b5c8070832697f0a785a771c5f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74629/
  
Dropped by
SHA256 bdcc2ec8d51032a590bb77502fffb2548b0fc9cc6803be55ba17c37b1a4b2d88

Comments