MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4757d64431cbf911d9a6cc5b1cd96ee7f733dd0eb05c41f1fa100ba3d354d4a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 9



SHA256 hash: 4757d64431cbf911d9a6cc5b1cd96ee7f733dd0eb05c41f1fa100ba3d354d4a5
SHA3-384 hash: b3c78d642d3b4241aea93408cf4cf0c4ba727494e5c10c1c43b7a60a3168de8cc4138f0560384ab966faca3d5c078e65
SHA1 hash: 49dc65e895ca6553c8ac6f98adae426582d18d52
MD5 hash: f037acb1b049f26a865e27398d12bc38
humanhash: mockingbird-one-football-purple
File name:proforma invoice.exe
Signature AveMariaRAT
File size:541'696 bytes
First seen:2021-07-15 13:45:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 013a60ab1248e2b43a2c84244ec5f60f (3 x RemcosRAT, 2 x AveMariaRAT, 1 x BitRAT)
ssdeep 12288:8cfO13yo3bFglRkdJTo7ZaNaUhqOeAh8:8iOTbFcVP
Threatray 1'147 similar samples on MalwareBazaar
TLSH T142B48E22B6E28437C2B36D3C8D5B76668E26BF507E24A98D2BE41C4C5B797C13931353
Reporter abuse_ch
Tags:AveMariaRAT exe RAT
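The imphash line above shows the same value on Remcos, AveMaria and BitRAT samples, which is the typical sign of a shared packer or loader stub rather than shared payload code: imphash is an MD5 over the import table in directory order, so any two binaries built by the same loader with the same import list collide, regardless of what they unpack. The following is an added example, not MalwareBazaar's or pefile's own code: it reimplements the pefile imphash normalisation (lowercase, strip .dll/.ocx/.sys, "ordN" for by-ordinal imports) over a constructed import table so you can see what the hash is actually computed over. The import list is hypothetical; the real import table of this sample is not on the page, so `same_loader_as_page` will not match it. pefile additionally resolves known ws2_32 and oleaut32 ordinals to names before hashing; this example only applies the generic fallback.

```python
import hashlib

# Extensions pefile strips from the module name before hashing.
_STRIPPED_EXTS = ("ocx", "sys", "dll")


def imphash_string(imports):
    """Canonical string that imphash is the MD5 of.

    imports: list of (dll_name, function) tuples in import-directory order.
    function is a str for a by-name import or an int ordinal for a by-ordinal
    import (rendered as "ordN", pefile's fallback for ordinals it cannot name).
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIPPED_EXTS:
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """Hex MD5 of the canonical import string, the value shown in the imphash field."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import table of a typical packer stub. These are NOT the real
# imports of this sample; the page does not list them.
LOADER_IMPORTS = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "VirtualProtect"),
    ("USER32.dll", "MessageBoxA"),
    ("SHLWAPI.dll", 12),  # by-ordinal import; shlwapi has no pefile ordinal table
]

# The same table as another build might emit it: module names upper-cased and
# without the .dll suffix. Normalisation makes the hash identical.
LOADER_IMPORTS_ALT = [(d.upper().removesuffix(".DLL"), f) for d, f in LOADER_IMPORTS]

# Same imports in a different order: the hash changes. imphash therefore
# clusters binaries produced by the same loader, not binaries with similar code.
LOADER_IMPORTS_REORDERED = list(reversed(LOADER_IMPORTS))

# imphash from this MalwareBazaar entry.
PAGE_IMPHASH = "013a60ab1248e2b43a2c84244ec5f60f"


def same_loader_as_page(imports):
    """True if the given import table hashes to this entry's imphash."""
    return imphash(imports) == PAGE_IMPHASH


if __name__ == "__main__":
    print(imphash_string(LOADER_IMPORTS))
    print("original :", imphash(LOADER_IMPORTS))
    print("alt case :", imphash(LOADER_IMPORTS_ALT))
    print("reordered:", imphash(LOADER_IMPORTS_REORDERED))
    print("matches page imphash:", same_loader_as_page(LOADER_IMPORTS))
```

When pivoting on an imphash from MalwareBazaar, treat a hit as "same packer/loader build" and confirm the family from the unpacked payload or the extracted config, as the three families sharing this hash show.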

Intelligence


File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
proforma invoice.exe
Verdict:
Malicious activity
Analysis date:
2021-07-15 13:49:34 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria UACMe
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Behavior Graph ID: 449354
Sample: proforma invoice.exe
Start date: 15/07/2021
Architecture: WINDOWS
Score: 100
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures

Process tree (reconstructed from the graph):
proforma invoice.exe
  DNS: wpxyya.dm.files.1drv.com, onedrive.live.com, dm-files.fe.1drv.com
  Dropped: C:\Users\Public\Libraries\...\Pxpjdzm.exe (PE32)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  -> secinit.exe
       Network: ugo123.hopto.org 136.144.41.126, 49744, 49768, 5032 (WORLDSTREAMNL, Netherlands)
       Signatures: Tries to steal Mail credentials (via file access); Increases the number of concurrent connection per server for Internet Explorer; Hides that the sample has been downloaded from the Internet (zone.identifier)
Pxpjdzm.exe
  DNS: wpxyya.dm.files.1drv.com and 2 other IPs or domains
  Signatures: Injects a PE file into a foreign process
  -> DpiScaling.exe
       Network: 192.168.2.1 (unknown)
       Signatures: Tries to harvest and steal browser information (history, passwords, etc)
Pxpjdzm.exe (second instance)
  DNS: wpxyya.dm.files.1drv.com and 2 other IPs or domains
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  -> secinit.exe
Threat name:
Win32.Trojan.Wacatac
Status:
Malicious
First seen:
2021-07-15 13:04:30 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Result
Malware family:
warzonerat
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Loads dropped DLL
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
ugo123.hopto.org:5032
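The sandbox results above give four host-observable behaviours worth a detection: a copy dropped and executed from C:\Users\Public\Libraries, the Windows binaries secinit.exe and DpiScaling.exe being started by the sample or its dropped copy (the injection hosts in the process tree), a Run key for persistence, and the C2 connection to ugo123.hopto.org:5032 (136.144.41.126). The block below is an added example, not code from MalwareBazaar or either sandbox: it runs those four rules over constructed, pipe-separated Sysmon-style events modelled on the process tree. The events, the victim paths, the Outlook parent and the subfolder name under Libraries are all invented (the page elides the real subfolder as "..."). Real telemetry would also carry CreateRemoteThread/process-access events for the thread injection the signatures describe; those are not modelled here.

```python
import re

# IOCs taken from this MalwareBazaar entry (C2 extraction and process tree).
C2_HOSTS = {"ugo123.hopto.org", "136.144.41.126"}
C2_PORT = 5032
DROP_DIR = "c:\\users\\public\\libraries\\"
INJECTION_HOSTS = {"secinit.exe", "dpiscaling.exe"}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

# Constructed Sysmon-style events, not real telemetry. Format:
#   <type>|key=value|key=value...
# The "Xyz" subfolder stands in for the path component the page elides.
SAMPLE_EVENTS = [
    r"process|image=C:\Users\victim\Downloads\proforma invoice.exe|parent=C:\Program Files\Microsoft Office\OUTLOOK.EXE",
    r"dns|image=C:\Users\victim\Downloads\proforma invoice.exe|query=wpxyya.dm.files.1drv.com",
    r"file|image=C:\Users\victim\Downloads\proforma invoice.exe|target=C:\Users\Public\Libraries\Xyz\Pxpjdzm.exe",
    r"process|image=C:\Windows\System32\secinit.exe|parent=C:\Users\victim\Downloads\proforma invoice.exe",
    r"registry|image=C:\Users\Public\Libraries\Xyz\Pxpjdzm.exe|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Pxpjdzm|data=C:\Users\Public\Libraries\Xyz\Pxpjdzm.exe",
    r"process|image=C:\Users\Public\Libraries\Xyz\Pxpjdzm.exe|parent=C:\Windows\explorer.exe",
    r"process|image=C:\Windows\System32\DpiScaling.exe|parent=C:\Users\Public\Libraries\Xyz\Pxpjdzm.exe",
    r"network|image=C:\Windows\System32\secinit.exe|dst=136.144.41.126|dsthost=ugo123.hopto.org|dport=5032",
    r"network|image=C:\Windows\System32\svchost.exe|dst=13.107.42.13|dsthost=onedrive.live.com|dport=443",
    r"process|image=C:\Windows\System32\DpiScaling.exe|parent=C:\Windows\explorer.exe",
]


def parse_event(line):
    """Split one constructed event line into a dict; the first field is the type."""
    kind, _, rest = line.partition("|")
    fields = {"type": kind}
    for field in rest.split("|"):
        key, _, value = field.partition("=")
        fields[key] = value
    return fields


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_drop_dir(path):
    return path.lower().startswith(DROP_DIR)


def _is_windows_path(path):
    return path.lower().startswith("c:\\windows\\")


def detect(lines):
    """Return (rule_name, event_index) pairs for events matching the four rules."""
    hits = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        image = ev.get("image", "")
        if ev["type"] == "process":
            if _in_drop_dir(image):
                hits.append(("exec_from_public_libraries", idx))
            # secinit.exe / DpiScaling.exe are normally started from under
            # C:\Windows; a parent in a user-writable path matches the
            # injection-host pattern in the process tree above.
            if _basename(image) in INJECTION_HOSTS and not _is_windows_path(ev.get("parent", "")):
                hits.append(("injection_host_spawned_by_user_binary", idx))
        elif ev["type"] == "file" and _in_drop_dir(ev.get("target", "")):
            hits.append(("drop_to_public_libraries", idx))
        elif ev["type"] == "registry":
            if RUN_KEY_RE.search(ev.get("key", "")) and _in_drop_dir(ev.get("data", "")):
                hits.append(("run_key_persistence", idx))
        elif ev["type"] == "network":
            if (ev.get("dsthost") in C2_HOSTS or ev.get("dst") in C2_HOSTS
                    or ev.get("dport") == str(C2_PORT)):
                hits.append(("warzone_c2_connection", idx))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} event {idx}: {SAMPLE_EVENTS[idx]}")
```

The last event (DpiScaling.exe started by explorer.exe) and the OneDrive connection from svchost.exe are deliberately benign and produce no hit; the 1drv.com lookups made by the sample itself are not alerted on because OneDrive is legitimate infrastructure and, as the graph shows, the stage-two download is indistinguishable from normal traffic by destination alone. The dynamic DNS C2 host and port are the reliable network IOC here.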
Unpacked files
SHA256 hash:
e272c0a0a325c65ccef3ca6b6007ed2b6884db28a0fce296b2b40fe3c7cf2933
MD5 hash:
b62ad7037b77e52237da75f8417f1640
SHA1 hash:
8937647b24d11e7511ab6f8feac842f17628aed4
SHA256 hash:
7977cf08b9e8faccde39a1620281265292b634c592dd532d8dad755d28b95d24
MD5 hash:
1c6dbe1008826c5a02e7504cab86ba14
SHA1 hash:
6a21b266b8e8fb84b11b6e798e052b729fdb1094
SHA256 hash:
4757d64431cbf911d9a6cc5b1cd96ee7f733dd0eb05c41f1fa100ba3d354d4a5
MD5 hash:
f037acb1b049f26a865e27398d12bc38
SHA1 hash:
49dc65e895ca6553c8ac6f98adae426582d18d52
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:AveMaria
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Rule name:ave_maria_warzone_rat
Author:jeFF0Falltrades
Rule name:Codoso_Gh0st_1
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_AveMaria
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:RDPWrap
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:win_ave_maria_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.ave_maria.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 4757d64431cbf911d9a6cc5b1cd96ee7f733dd0eb05c41f1fa100ba3d354d4a5

(this sample)

Delivery method
Distributed via e-mail attachment

Comments