MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 281c044f76037c63cb0cdb9da800b0e4320f6c8ddfe0509e7d8451a155d7e731. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 281c044f76037c63cb0cdb9da800b0e4320f6c8ddfe0509e7d8451a155d7e731
SHA3-384 hash: caa9cc81619d2d3eb1cd098435b5fcbdaac1fe039fe30200716ed165499c1d48d16490a90a209f1560e8acaad641f9d2
SHA1 hash: 7eb2ac1f58d4d3a1b50a47ee8f93cf0d966a5818
MD5 hash: 4403a9aec68ff3e50c13da6bf967b649
humanhash: beryllium-louisiana-crazy-high
File name:11998704458248.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:610'712 bytes
First seen:2021-01-09 08:25:06 UTC
Last seen:2021-01-09 10:12:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2852b70a86e9eff58a3c9d8892e7d0ee (1 x AveMariaRAT)
ssdeep 12288:7qIv4+Cye3J0KAppg1e0RQWsvlKD/Ya/3RntQ:7q2ve3J0KCEak5BntQ
Threatray 688 similar samples on MalwareBazaar
TLSH 13D49F66E6F18837D1332A7C5D0B9A65981ABFD12D2824463BE87D4C6F3D381341DE93
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: [96.9.210.108]
Sending IP: 96.9.210.108
From: 中华人民共和国标准化局(SAC) <legalsa_cert@sac.gov.cn>
Subject: 中华人民共和国标准化局- Companies with revoked iso certificate
Attachment: 11998704458248.img (contains "11998704458248.exe")

AveMariaRAT C2:
xchilogs.duckdns.org:5993 (54.37.160.157)

Intelligence

File Origin
# of uploads :
2
# of downloads :
343
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
11998704458248.exe
Verdict:
Malicious activity
Analysis date:
2021-01-09 08:28:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e542fa59-9f5d-4ef9-a1f8-92ed3b790c3b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111099/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Deleting a recently created file
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577229
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337666 Sample: 11998704458248.exe Startdate: 09/01/2021 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Yara detected AveMaria stealer 2->51 53 Contains functionality to hide user accounts 2->53 55 2 other signatures 2->55 6 11998704458248.exe 1 21 2->6         started        11 Xmzfrlution.exe 15 2->11         started        13 Xmzfrlution.exe 15 2->13         started        process3 dnsIp4 25 1drv.ws 168.235.93.122, 443, 49744, 49752 RAMNODEUS United States 6->25 27 192.168.2.1 unknown unknown 6->27 37 2 other IPs or domains 6->37 23 C:\Users\user\Contacts\Xmzfrlution.exe, PE32 6->23 dropped 57 Writes to foreign memory regions 6->57 59 Allocates memory in foreign processes 6->59 61 Creates a thread in another existing process (thread injection) 6->61 15 ieinstal.exe 3 4 6->15         started        29 bl-files.fe.1drv.com 11->29 31 0xqykq.bl.files.1drv.com 11->31 63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 67 Injects a PE file into a foreign processes 11->67 19 ieinstal.exe 1 11->19         started        33 bl-files.fe.1drv.com 13->33 35 0xqykq.bl.files.1drv.com 13->35 21 ieinstal.exe 1 13->21         started        file5 signatures6 process7 dnsIp8 39 xchilogs.duckdns.org 54.37.160.157, 49750, 5893 OVHFR France 15->39 41 Tries to steal Mail credentials (via file access) 15->41 43 Tries to harvest and steal browser information (history, passwords, etc) 15->43 45 Increases the number of concurrent connection per server for Internet Explorer 15->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->47 signatures9
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/281c044f76037c63cb0cdb9da800b0e4320f6c8ddfe0509e7d8451a155d7e731/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-01-09 08:25:13 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=faoait3wan6ghsym3oo2qafq4qza63en37qfbht5qri2cvox44yq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0629278e51106220eb8727f80f4c24cfb432e6344561e8518030b19b669bcc72
AveMariaRAT
46520e8955eff183518aa7ad908eff5e9d0c7094be0d9821f037a11a25ff4b3e
AveMariaRAT
5d393a34a6faf41a81f32a8866ef2468cedf9912b9df8fab2970361b030da87a
AveMariaRAT
88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5
AveMariaRAT
97b34cb713e879fb7cfe158a3180b73d1c71b71446368f242a0c004d0c3462dd
AveMariaRAT
9f5afe868a8dd23926e807303d8896b239b802a3c366e448f4c59a103540019f
AveMariaRAT
af84cf642737e0b62537d9a78861cc129fbc0e68a34770cb70c6ccaa3f553687
AveMariaRAT
b50f9caa6df41cf34a52f45f989dc38ba037fd68535f6d7015fe602c826b0c1c
AveMariaRAT
b98f29a897354964b324ad55f046ae324f4f43efe17abdfbbfd726792ec3c763
AveMariaRAT
f6878003c470e531787cd70fc0785bb01a5c64d6a39f0efec5aabc5ac3f5f889
AveMariaRAT
+ 678 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210109-vzarhqpx1n/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
JavaScript code in executable
Loads dropped DLL
Warzone RAT Payload
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
6c677eb4b8059be955b962a020acf1f6f75e5c02440371dedfed4a2bf8a51154
MD5 hash:
741744eca5c12059cefe9d4bdc48f46c
SHA1 hash:
5cb08c87bcd22d6d47e43f91514dc8a58614fc2c
Link:
https://www.unpac.me/results/9d52c244-c792-4919-a600-7e0bcb1a749d/
SH256 hash:
281c044f76037c63cb0cdb9da800b0e4320f6c8ddfe0509e7d8451a155d7e731
MD5 hash:
4403a9aec68ff3e50c13da6bf967b649
SHA1 hash:
7eb2ac1f58d4d3a1b50a47ee8f93cf0d966a5818
Link:
https://www.unpac.me/results/9d52c244-c792-4919-a600-7e0bcb1a749d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/281c044f76037c63cb0cdb9da800b0e4320f6c8ddfe0509e7d8451a155d7e731

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_malumpos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

img 4794471a7e09e25299fdff21f8d304ed5e5d0e3143343cbbe97f8d008d92c19c

AveMariaRAT

Executable exe 281c044f76037c63cb0cdb9da800b0e4320f6c8ddfe0509e7d8451a155d7e731

(this sample)

  
Dropped by
MD5 60dfd413304afdac563fe11134a60374
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4794471a7e09e25299fdff21f8d304ed5e5d0e3143343cbbe97f8d008d92c19c
Cape
Cape
https://www.capesandbox.com/analysis/111099/

Comments