MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 288b6ecc06b4333903ad475d83dcc5fe6a4ea59cd3ee57136d858c58a1e582e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 288b6ecc06b4333903ad475d83dcc5fe6a4ea59cd3ee57136d858c58a1e582e0
SHA3-384 hash: 983483a8c2f0df89cae58745c015cae642a8e6a8c8a6b3fe193030e5e79371ea3776e968976a57997fc026ead49008ce
SHA1 hash: bab4bb1fc474a365f2fc32ddf66781e0e4fb79e8
MD5 hash: d3858ef6f7ab89450aaab1690885da3b
humanhash: river-spaghetti-indigo-bravo
File name:SecuriteInfo.com.Mal.Generic-S.17895.26667
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:17'328 bytes
First seen:2020-12-14 15:39:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 384:Xq9KzQQ7rbe+eiP0+x/6+WLU3O7Dgf2hE:Xq9KzQQ7rb0iP0+96xLUf2hE
Threatray 640 similar samples on MalwareBazaar
TLSH D272E6E62B5C4DA2DA1DF335319301137731A2F662738BAB9449B2036D833823ADD697
Reporter SecuriteInfoCom
Tags:AveMariaRAT

Code Signing Certificate

Organisation:Dadedbddcbce
Issuer:Dadedbddcbce
Algorithm:sha256WithRSAEncryption
Valid from:Dec 11 20:16:31 2020 GMT
Valid to:Dec 11 20:16:31 2021 GMT
Serial number: E46590CD5F5CCECBE87290ACD2553C0E
Thumbprint Algorithm:SHA256
Thumbprint: D6CE0243D9660ECEE171E2AEA916F79A097D7E786C023EAFF97967B547412ADC
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Administrator Notification_ Redirecting email with malware.msg
Verdict:
Malicious activity
Analysis date:
2020-12-14 15:02:38 UTC
Tags:
loader trojan rat stealer avemaria
Link:
https://app.any.run/tasks/e98c4667-ee6a-46c5-9402-1b48f879058b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107988/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.17895.26667.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Creating a file
Creating a process from a recently created file
Sending a UDP request
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Setting a keyboard event handler
Creating a file in the %AppData% directory
Deleting a recently created file
Reading critical registry keys
Creating a file in the %temp% directory
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/562308
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to create processes via WMI
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Creates processes via WMI
Drops script or batch files to the startup folder
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 330248 Sample: SecuriteInfo.com.Mal.Generi... Startdate: 14/12/2020 Architecture: WINDOWS Score: 100 75 Malicious sample detected (through community Yara rule) 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 6 other signatures 2->81 10 SecuriteInfo.com.Mal.Generic-S.17895.exe 15 4 2->10         started        15 cmd.exe 2->15         started        process3 dnsIp4 71 hastebin.com 172.67.143.180, 443, 49723, 49727 CLOUDFLARENETUS United States 10->71 67 SecuriteInfo.com.M...ric-S.17895.exe.log, ASCII 10->67 dropped 99 Drops script or batch files to the startup folder 10->99 101 Contains functionality to inject threads in other processes 10->101 103 Contains functionality to steal Chrome passwords or cookies 10->103 105 2 other signatures 10->105 17 SecuriteInfo.com.Mal.Generic-S.17895.exe 4 8 10->17         started        21 cmd.exe 1 10->21         started        23 SgrmBroker.exe 10->23         started        25 WMIC.exe 15->25         started        27 conhost.exe 15->27         started        file5 signatures6 process7 file8 59 C:\ProgramData\images.exe, PE32 17->59 dropped 61 C:\ProgramData:ApplicationData, PE32 17->61 dropped 63 C:\Users\user\AppData\...\programs.bat:start, ASCII 17->63 dropped 65 2 other malicious files 17->65 dropped 83 Creates files in alternative data streams (ADS) 17->83 85 Adds a directory exclusion to Windows Defender 17->85 87 Increases the number of concurrent connection per server for Internet Explorer 17->87 29 images.exe 14 4 17->29         started        33 powershell.exe 25 17->33         started        35 conhost.exe 21->35         started        37 timeout.exe 1 21->37         started        89 Creates processes via WMI 25->89 signatures9 process10 dnsIp11 73 hastebin.com 29->73 107 Multi AV Scanner detection for dropped file 29->107 109 Injects a PE file into a foreign processes 29->109 39 images.exe 29->39         started        43 cmd.exe 1 29->43         started        45 conhost.exe 33->45         started        signatures12 process13 dnsIp14 69 101.99.91.227, 49734, 5200 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 39->69 91 Tries to steal Mail credentials (via file access) 39->91 93 Tries to harvest and steal browser information (history, passwords, etc) 39->93 95 Writes to foreign memory regions 39->95 97 4 other signatures 39->97 47 powershell.exe 39->47         started        49 cmd.exe 39->49         started        51 conhost.exe 43->51         started        53 timeout.exe 1 43->53         started        signatures15 process16 process17 55 conhost.exe 47->55         started        57 conhost.exe 49->57         started       
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/288b6ecc06b4333903ad475d83dcc5fe6a4ea59cd3ee57136d858c58a1e582e0/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-12-14 11:14:24 UTC
File Type:
PE (.Net Exe)
AV detection:
21 of 28 (75.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fcfw5tagwqztsa5ni5oyhxgf7zve5jm42pxfoe3nqwgfripfqlqa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
3327d99c25c0d09e27fca09b9c362340be2696024bf4f9cb48776876de8fb472
AveMariaRAT
35908764b3057f4ec08d3d54758cae01f66a1b3389d036c2746dcd5a49b977cd
AveMariaRAT
40ed39645e952f345485dea73f460ed5aecc2c523f598e46f2b7f883b50b2281
AveMariaRAT
4e420c5efeb26330ec4eb618426d859222b791798df3ae65c59fc20ef2f2889a
AveMariaRAT
5670742a4eff2e01af5d2d8c29f6613683368b5b5f57517e67c695db3771d18f
AveMariaRAT
88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5
AveMariaRAT
a0792945510f126714a42e9b4cef8b7e8d7aab504772b076c6df0a4e96f08e89
AveMariaRAT
a97528499bee868023a6898c85da34f9ed73a5a12b8a3a01817a88d82a8c5641
AveMariaRAT
d0bac6ada2cd0b49ac66bdaa4265e6cb61df1a4339f50cc7b7bdaade9029337e
AveMariaRAT
ffa217c445af7f07f0c9fbdcc488db8e06ecfdb43906c6c5e7a11f7ac04b4bf4
AveMariaRAT
+ 630 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat spyware
Link:
https://tria.ge/reports/201214-45921e79le/
Behaviour
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
JavaScript code in executable
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Warzone RAT Payload
ServiceHost packer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
288b6ecc06b4333903ad475d83dcc5fe6a4ea59cd3ee57136d858c58a1e582e0
MD5 hash:
d3858ef6f7ab89450aaab1690885da3b
SHA1 hash:
bab4bb1fc474a365f2fc32ddf66781e0e4fb79e8
Link:
https://www.unpac.me/results/b74231a9-1e08-4880-847f-319d29b04afa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/288b6ecc06b4333903ad475d83dcc5fe6a4ea59cd3ee57136d858c58a1e582e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekshen
Description:AveMaria variant payload
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_malumpos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe 288b6ecc06b4333903ad475d83dcc5fe6a4ea59cd3ee57136d858c58a1e582e0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/917909/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/107988/

Comments