MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bdd798ffb987a7447b1886509658e7143dbeb63103aef0b5c705014726ceb92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bdd798ffb987a7447b1886509658e7143dbeb63103aef0b5c705014726ceb92
SHA3-384 hash: 2f4d7e49015ec38fe021c4c2fd38177f100534d4fb4f5122834b05870f3c9952d6db57b38994af5bd0a8ef2dfbf527bb
SHA1 hash: a5dc15f9515f9dc86e565991823807610e91a4bd
MD5 hash: daa5044b5aeb897081b0fc2a6ac74e94
humanhash: july-mexico-thirteen-avocado
File name:INVOICE 0.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:806'912 bytes
First seen:2022-05-12 07:38:07 UTC
Last seen:2022-05-12 08:57:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 018a80c00aff107bf9538dc2e44950b6 (4 x Formbook, 1 x AveMariaRAT)
ssdeep 12288:PDVMCvQQIQzSswvpYTT4GhvcQLGSzX9GyT8ipYdaQHOJ0qKcFxilF0uFC1Vv8E:PZpnUpyT4G9cQxxgirOgFNY0y
Threatray 753 similar samples on MalwareBazaar
TLSH T1CD05AE23B1D0C437C077D9B95D47A6A46839BE142F78984A3BE91C788F38AE1393D197
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter lowmal3
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269969/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17291/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger packed replace.exe
Link:
https://www.filescan.io/uploads/627cb9c040028d3247cc035c/reports/90445ceb-a14d-4b26-a93c-0d1e3f05d280/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4bb54675-689e-4ba6-8a8f-7ae8f15a4ba4
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/992469
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 624978 Sample: INVOICE 0.exe Startdate: 12/05/2022 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Found malware configuration 2->57 59 10 other signatures 2->59 6 INVOICE 0.exe 1 17 2->6         started        11 Qgzpvpl.exe 15 2->11         started        13 Qgzpvpl.exe 15 2->13         started        process3 dnsIp4 27 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49751, 49764 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 6->27 29 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49746, 49756 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 6->29 35 3 other IPs or domains 6->35 23 C:\Users\Public\Libraries\Qgzpvpl.exe, PE32 6->23 dropped 25 C:\Users\...\Qgzpvpl.exe:Zone.Identifier, ASCII 6->25 dropped 61 Writes to foreign memory regions 6->61 63 Allocates memory in foreign processes 6->63 65 Creates a thread in another existing process (thread injection) 6->65 15 logagent.exe 3 4 6->15         started        31 onedrive.live.com 11->31 37 2 other IPs or domains 11->37 67 Injects a PE file into a foreign processes 11->67 19 DpiScaling.exe 4 11->19         started        33 onedrive.live.com 13->33 39 2 other IPs or domains 13->39 69 Multi AV Scanner detection for dropped file 13->69 21 logagent.exe 1 13->21         started        file5 signatures6 process7 dnsIp8 41 wizzycheddah1.duckdns.org 194.5.98.221, 49777, 49811, 5200 DANILENKODE Netherlands 15->41 43 Tries to steal Mail credentials (via file / registry access) 15->43 45 Contains functionality to inject threads in other processes 15->45 47 Contains functionality to steal Chrome passwords or cookies 15->47 51 4 other signatures 15->51 49 Tries to harvest and steal browser information (history, passwords, etc) 19->49 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2bdd798ffb987a7447b1886509658e7143dbeb63103aef0b5c705014726ceb92/
Threat name:
Win32.Trojan.AveMariaRAT
Create hunting rule
Status:
Malicious
First seen:
2022-05-12 07:39:07 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fpoxtd73tb5hir5rrbsqszmoofb5x23dca5o6c24obibi4tm5oja._file
Verdict:
malicious
Similar samples:
25f95bec948dd2f304c9a68b61e057d3f7ac656ec3b9849c87c0751949e858e8
AveMariaRAT
26f1c866764428bd6c9e6f777177770aa709615daff7282bd2616e5aef18d513
AveMariaRAT
340ffaf73b1d7c0548cde151ec9acaa2afada53f3e8d6616e558d524c12b36c8
AveMariaRAT
55d26408160a259d5909df6e44d73e7b8b972bd2c23635c94389b512b76245d1
AveMariaRAT
62422d7709489bd4bfe5e5feb34bfd22f0a91269b9b8e8246e407dd597d3f79a
AveMariaRAT
81b648fca4135b631044dd68aee71ee704dcc930ae635658b9438585c5dc6b90
AveMariaRAT
870e8d111b67ac2aaa21010b2697028f606fcdf9f96baa8e005d7c58c5480737
AveMariaRAT
b8df890fac057175f86dc5f301f1e1f6d45b2a1b36598934c3fc0144cf433137
AveMariaRAT
d54a0608390383528e6b2df14faa9a079aa0c55dec871e8904ef4f356282007b
AveMariaRAT
e8f78daca9b15bcd2b04cc47bdbc2e2aa1b1fa20530df437620f83cfa5097270
AveMariaRAT
+ 743 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat collection infostealer persistence rat trojan
Link:
https://tria.ge/reports/220512-jgyqwsdhfk/
Behaviour
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
wizzycheddah1.duckdns.org:5200
Unpacked files
SH256 hash:
21c0fb2b53a8dc9d38a9cef684adce53f0dd311c3e8861cddda7946408f00b77
MD5 hash:
e91f52a1d9b8f23ae40be2e76017452c
SHA1 hash:
f86fd2cfcc8513e76c7c3ae74ae03d509aa3f453
Link:
https://www.unpac.me/results/a6d3aa89-9a78-489e-95c0-ea40207b90d8/
SH256 hash:
7d496abdfeee1d12eed1ccfee78566940df0fe01f81f7eb72b07324c760bc569
MD5 hash:
0a83bb946ab97210bb57025ef665c7e0
SHA1 hash:
6b1b1d39a4c12648a7755fb5a139bd9c9313673c
Link:
https://www.unpac.me/results/a6d3aa89-9a78-489e-95c0-ea40207b90d8/
SH256 hash:
2bdd798ffb987a7447b1886509658e7143dbeb63103aef0b5c705014726ceb92
MD5 hash:
daa5044b5aeb897081b0fc2a6ac74e94
SHA1 hash:
a5dc15f9515f9dc86e565991823807610e91a4bd
Link:
https://www.unpac.me/results/a6d3aa89-9a78-489e-95c0-ea40207b90d8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2bdd798ffb98/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2bdd798ffb987a7447b1886509658e7143dbeb63103aef0b5c705014726ceb92

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2_RID2C2E
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 2bdd798ffb987a7447b1886509658e7143dbeb63103aef0b5c705014726ceb92

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/269969/

Comments