MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35908764b3057f4ec08d3d54758cae01f66a1b3389d036c2746dcd5a49b977cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35908764b3057f4ec08d3d54758cae01f66a1b3389d036c2746dcd5a49b977cd
SHA3-384 hash: 79fe5545ace3f208a42d3a990b732d9a08ad3c6f5189bad63a0d54e63c40384c812df27071092c521bd0a0e00dbde311
SHA1 hash: 26a249f832cdc18570086d7048f6e3b7649fadb4
MD5 hash: e75b228aacfcb393383879cdffd2d70e
humanhash: september-king-bluebird-shade
File name:Documento de transferencia de Scotiabank7497574730084doc.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:91'648 bytes
First seen:2020-12-04 19:57:07 UTC
Last seen:2020-12-04 21:48:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:pbqR4s0dQ+Zs0boTgQfA9qpYnfm6fxAsntRCAqr5:ER4s0dH20bpNqpOfm6fxAsXDq9
Threatray 625 similar samples on MalwareBazaar
TLSH 1A93306E1257AB2BF4468B31A1B3BCBFFA8482273BB72767C1D31355CC010D95A47992
Reporter abuse_ch
Tags:AveMariaRAT ESP exe geo RAT Scotiabank


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: vps.mks-tr.org
Sending IP: 45.153.203.51
From: avisos.empresa.infoScotiabank.cl <office@mks-tr.org>
Subject: Aviso de transferencia de fondos
Attachment: Documento de transferencia de Scotiabank7497574730084doc.arj (contains "Documento de transferencia de Scotiabank7497574730084doc.exe")

AveMariaRAT C2:
178.170.138.163:4554

Intelligence

File Origin
# of uploads :
2
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106824/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.10.Gen.9127.20198.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Unauthorized injection to a recently created process
Creating a file
Connection attempt
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Gathering data
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/556062
Signature
Connects to a pastebin service (likely for C&C)
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 327132 Sample: Documento de transferencia ... Startdate: 04/12/2020 Architecture: WINDOWS Score: 100 63 g.msn.com 2->63 73 Malicious sample detected (through community Yara rule) 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 Yara detected AveMaria stealer 2->77 79 10 other signatures 2->79 8 Documento de transferencia de Scotiabank7497574730084doc.exe 18 6 2->8         started        13 Documento de transferencia de Scotiabank7497574730084doc.exe 2->13         started        15 Documento de transferencia de Scotiabank7497574730084doc.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 67 hastebin.com 172.67.143.180, 443, 49718, 49725 CLOUDFLARENETUS United States 8->67 57 Documento de trans...497574730084doc.exe, PE32 8->57 dropped 59 Documento de trans...exe:Zone.Identifier, ASCII 8->59 dropped 61 Documento de trans...74730084doc.exe.log, ASCII 8->61 dropped 85 Creates an undocumented autostart registry key 8->85 87 Injects a PE file into a foreign processes 8->87 19 Documento de transferencia de Scotiabank7497574730084doc.exe 3 2 8->19         started        23 cmd.exe 1 8->23         started        89 Creates autostart registry keys with suspicious names 13->89 91 Creates multiple autostart registry keys 13->91 25 cmd.exe 13->25         started        27 cmd.exe 15->27         started        35 2 other processes 15->35 69 104.24.126.89, 443, 49726 CLOUDFLARENETUS United States 17->69 71 192.168.2.1 unknown unknown 17->71 29 cmd.exe 1 17->29         started        31 cmd.exe 17->31         started        33 cmd.exe 17->33         started        37 2 other processes 17->37 file6 signatures7 process8 dnsIp9 65 178.170.138.163, 4554 ETOP-ASPL Netherlands 19->65 81 Increases the number of concurrent connection per server for Internet Explorer 19->81 83 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->83 39 conhost.exe 23->39         started        41 timeout.exe 1 23->41         started        51 2 other processes 25->51 53 2 other processes 27->53 43 conhost.exe 29->43         started        45 timeout.exe 1 29->45         started        47 conhost.exe 31->47         started        49 timeout.exe 31->49         started        55 2 other processes 33->55 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35908764b3057f4ec08d3d54758cae01f66a1b3389d036c2746dcd5a49b977cd/
Threat name:
ByteCode-MSIL.Trojan.Emotet
Create hunting rule
Status:
Suspicious
First seen:
2020-12-04 19:58:06 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gwiiozftav7u5qenhvkhldfoah3gugztrhidnqtunxgvusnzo7gq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0629278e51106220eb8727f80f4c24cfb432e6344561e8518030b19b669bcc72
AveMariaRAT
40ed39645e952f345485dea73f460ed5aecc2c523f598e46f2b7f883b50b2281
AveMariaRAT
4e420c5efeb26330ec4eb618426d859222b791798df3ae65c59fc20ef2f2889a
AveMariaRAT
5670742a4eff2e01af5d2d8c29f6613683368b5b5f57517e67c695db3771d18f
AveMariaRAT
838bd3c3ce0091704b836352a4e5d489b8e172e8ef6a7dc18462ce3042c6d716
AveMariaRAT
88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5
AveMariaRAT
a0792945510f126714a42e9b4cef8b7e8d7aab504772b076c6df0a4e96f08e89
AveMariaRAT
a97528499bee868023a6898c85da34f9ed73a5a12b8a3a01817a88d82a8c5641
AveMariaRAT
d0bac6ada2cd0b49ac66bdaa4265e6cb61df1a4339f50cc7b7bdaade9029337e
AveMariaRAT
ffa217c445af7f07f0c9fbdcc488db8e06ecfdb43906c6c5e7a11f7ac04b4bf4
AveMariaRAT
+ 615 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/201204-a6ngq5de8s/
Behaviour
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Warzone RAT Payload
Modifies WinLogon for persistence
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
35908764b3057f4ec08d3d54758cae01f66a1b3389d036c2746dcd5a49b977cd
MD5 hash:
e75b228aacfcb393383879cdffd2d70e
SHA1 hash:
26a249f832cdc18570086d7048f6e3b7649fadb4
Link:
https://www.unpac.me/results/a30deb46-cee0-4cd1-9e30-bd2efd50700a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.79
Link:
https://yomi.yoroi.company/submissions/35908764b3057f4ec08d3d54758cae01f66a1b3389d036c2746dcd5a49b977cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

arj 33b9585ef18204022b9e9e708cb3467bbdb06138566055ee5403370243d2c87e

AveMariaRAT

Executable exe 35908764b3057f4ec08d3d54758cae01f66a1b3389d036c2746dcd5a49b977cd

(this sample)

  
Dropped by
MD5 8aac41caf00f026a1c454b144c95c448
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 33b9585ef18204022b9e9e708cb3467bbdb06138566055ee5403370243d2c87e
Cape
Cape
https://www.capesandbox.com/analysis/106824/

Comments