MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bcaf191db8de9ae0926e3cc6c1e64b20187b1acdda8498c7856ac569e125204. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 12 File information Comments

SHA256 hash:	3bcaf191db8de9ae0926e3cc6c1e64b20187b1acdda8498c7856ac569e125204
SHA3-384 hash:	0cc393b3bf4681fad3c1f203dfb3b1f282227366e577eed19ee8a4822f9f9a2165a7fe8ef9133b5f56f1d812a59b32fa
SHA1 hash:	4d6caff8489d88e76b3d08715cf107a5e3ebfa3d
MD5 hash:	2679f8a6eb593ddccb40572888b59a3c
humanhash:	magnesium-one-comet-autumn
File name:	Attachment (1) - WEBER - RFQ N 21.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	1'128'960 bytes
First seen:	2021-07-29 11:22:42 UTC
Last seen:	2021-07-29 11:48:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	04e2fca09a354b909f05dafce23756a7 (2 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	12288:ZrSTAKfXQD39eT9ufhyGFQ1gBF8UhWdu0SAJ9mvziPkpVtSj6+1G6v:BSk+28ufhEE7r1aG1LtQt
Threatray	990 similar samples on MalwareBazaar
TLSH	T185359DE263735837ED1368388D2B4654691EBAC50B10228A3AF9CDDCAF3569F7C7414B
dhash icon	89acae83529aaa82 (3 x RemcosRAT, 1 x AveMariaRAT)
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Attachment (1) - WEBER - RFQ N 21.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-29 11:25:11 UTC

Tags:

installer

Link:

https://app.any.run/tasks/160939ad-bd02-4fdd-a4a4-fabc69ad4760

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/174991/

Detection(s):

SecuriteInfo.com.Variant.Midie.95309.28706.797.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AVE_MARIA

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aec2b6c0-116c-489d-ba45-944cf806666e

Result

Threat name:

AveMaria UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/823758

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2021-07-29 10:30:33 UTC

AV detection:

22 of 46 (47.83%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hpfpdeo3rxu24cjg4pggyhtewiaypmnm3wuetddyk2wfnhqskica._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

411a7c0f381354be120c25158756008260b2ba2f3b2a83e4a514602ab09edbea

AveMariaRAT

7666f3d19250bc9b6d75e1b081407ea6a71c81f22a2c027d85b6445a65a0f247

AveMariaRAT

7ee0c62e76613b5cdf12f2fa8d408ba952d9ac828e97d65411f8e9f8619cfc6b

AveMariaRAT

885e34ff7befbdcdb027a017843cbacdba7eebb34d3df2e3113cceb9adafe8b5

AveMariaRAT

8b80c4addd945a6f6dfcf49ffa0c8b6b7cab49b683783e2e7522879ffe2f3475

AveMariaRAT

a5c4e0a33316630d870175895153a056499950d478b2d09491f335ecfaaa4e3d

AveMariaRAT

ac9a96be003388d497db4755c9ca68a2725c901fdec82b942b4fb84683490b01

AveMariaRAT

b59b27b89189fc7fd98bc8f8a70d7d500907439cba4303c1eb812532fa2bc96f

AveMariaRAT

f1b5c3f7c1ee438590757e114f1c379f6c3d5fc7b349cad583976106737beb61

AveMariaRAT

+ 980 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer rat spyware stealer

Link:

https://tria.ge/reports/210729-yj3rvjh28e/

Behaviour

Loads dropped DLL

Reads user/profile data of web browsers

Warzone RAT Payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

ch12345.hopto.org:5032

Unpacked files

SH256 hash:

d174ea83359cec0b0a35da88fa2a1791a1308e35a5e36e83f51a2723e48582a6

MD5 hash:

5c63077607b089e7045eb5e93d8324d9

SHA1 hash:

9ca12c4d6e4a97269d26fe6755aae441276bff42

Link:

https://www.unpac.me/results/039bc58d-22a6-4112-9a81-9130fa85b2ec/

SH256 hash:

3bcaf191db8de9ae0926e3cc6c1e64b20187b1acdda8498c7856ac569e125204

MD5 hash:

2679f8a6eb593ddccb40572888b59a3c

SHA1 hash:

4d6caff8489d88e76b3d08715cf107a5e3ebfa3d

Link:

https://www.unpac.me/results/039bc58d-22a6-4112-9a81-9130fa85b2ec/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/3bcaf191db8de9ae0926e3cc6c1e64b20187b1acdda8498c7856ac569e125204

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

exe 3bcaf191db8de9ae0926e3cc6c1e64b20187b1acdda8498c7856ac569e125204

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/174991/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample