MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 501ac41bcfa5d205762496c20b2ffa52b4df885814b7ce6a453be09ad6a1abda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 501ac41bcfa5d205762496c20b2ffa52b4df885814b7ce6a453be09ad6a1abda
SHA3-384 hash: 13c167b458cf66c7c180c0baf6b00fc6a04a094f3295b362b1e8923399920fff871ed2d3a24939fed912faee019def19
SHA1 hash: d3722cd05bc9f9f9bd9168a6b0cd0e09a7846d8a
MD5 hash: e5cce59559e63beb43eddedb27dc7964
humanhash: cola-mike-romeo-alanine
File name:gunzipped
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'406'032 bytes
First seen:2021-03-04 07:25:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d219889eb62c908c0fa1513db83e881e (1 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 12288:YrfuW+EGFR19bOzxRUv9tXNdTcrmurqu+reffSFamnUtsZAkxxKbSDalBFyXR49q:qGzFRDbOzLSt9d42YICsyJ8B4yNH3
Threatray 766 similar samples on MalwareBazaar
TLSH 5E552630A2F2C9F2C0553A34DDAB76F95821EE21E9156D4F3EA83D287A74341F83615E
Reporter abuse_ch
Tags:AveMariaRAT RAT


Avatar
abuse_ch
AveMariaRAT C2:
xchilogs.duckdns.org

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gunzipped
Verdict:
Malicious activity
Analysis date:
2021-03-04 07:33:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c21ca509-7fab-4fb5-9ac2-2f0ff513e66c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122185/
Detection(s):
Win.Dropper.Fareit-9838566-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
DNS request
Creating a file
Deleting a recently created file
Launching a process
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/628228
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Detected potential unwanted application
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 363098 Sample: gunzipped Startdate: 04/03/2021 Architecture: WINDOWS Score: 100 30 xchilogs.duckdns.org 2->30 44 Malicious sample detected (through community Yara rule) 2->44 46 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 5 other signatures 2->50 7 gunzipped.exe 1 18 2->7         started        12 Wuhtutec.exe 2->12         started        14 Wuhtutec.exe 2->14         started        signatures3 process4 dnsIp5 32 cdn.discordapp.com 162.159.129.233, 443, 49709 CLOUDFLARENETUS United States 7->32 24 C:\Users\Public\Libraries\Wuhtutec.exe, PE32 7->24 dropped 52 Writes to foreign memory regions 7->52 54 Allocates memory in foreign processes 7->54 56 Creates a thread in another existing process (thread injection) 7->56 16 calc.exe 3 2 7->16         started        58 Multi AV Scanner detection for dropped file 12->58 60 Contains functionality to inject threads in other processes 12->60 62 Contains functionality to inject code into remote processes 12->62 20 SndVol.exe 2 12->20         started        64 Injects a PE file into a foreign processes 14->64 22 msiexec.exe 2 14->22         started        file6 signatures7 process8 dnsIp9 26 xchilogs.duckdns.org 184.75.221.195, 23489 AMANAHA-NEWCA Canada 16->26 34 System process connects to network (likely due to code injection or exploit) 16->34 36 Contains functionality to inject threads in other processes 16->36 38 Contains functionality to steal Chrome passwords or cookies 16->38 42 2 other signatures 16->42 28 192.168.2.1 unknown unknown 20->28 40 Contains functionality to steal e-mail passwords 20->40 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/501ac41bcfa5d205762496c20b2ffa52b4df885814b7ce6a453be09ad6a1abda/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-03-04 07:26:18 UTC
AV detection:
15 of 48 (31.25%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kanmig6puxjak5res3bawl72kk2n7ccycs3442sfhpqjvvvbvpna._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0629278e51106220eb8727f80f4c24cfb432e6344561e8518030b19b669bcc72
AveMariaRAT
52fe1131c196f9b05130872ebe9a2eca93eaa6fab493f3ad5f06770184ddf227
AveMariaRAT
5670742a4eff2e01af5d2d8c29f6613683368b5b5f57517e67c695db3771d18f
AveMariaRAT
5cbed2f8a5fdadbd99816c4c8792bd51a2db7479f80bf70409f0f257f942d0c9
AveMariaRAT
a458562e508b49f6195292bc432a95ce03b2d48926441aea5c077f010cd965c3
AveMariaRAT
af84cf642737e0b62537d9a78861cc129fbc0e68a34770cb70c6ccaa3f553687
AveMariaRAT
b98f29a897354964b324ad55f046ae324f4f43efe17abdfbbfd726792ec3c763
AveMariaRAT
d5dc65df9d699ffab0563963fa22ed0a1d833d451dfbd1d724f2a5b988494538
AveMariaRAT
da31c02c004f7e04408dea6429c362b4870c87a99fb2ae8ace1dac200a7fce5d
AveMariaRAT
f6878003c470e531787cd70fc0785bb01a5c64d6a39f0efec5aabc5ac3f5f889
AveMariaRAT
+ 756 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210304-h5wxzy161n/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
xchilogs.duckdns.org:23489
Unpacked files
SH256 hash:
8e47ba656f53e389bdfe0eccf127b76bccd5185b9b688ffe6d006a95e58df53d
MD5 hash:
9da0b40816088d61c0219c4d05c88ffa
SHA1 hash:
c8698e4c408beea03458d85dbae3ae0d75c2baa4
Link:
https://www.unpac.me/results/13c8397a-a2db-43b8-9a7a-933afd20df0b/
SH256 hash:
2b48ea4ee1fe9bca36ea2f3f27bd8fffa825b6a18d9678808c8e5496afa6f54f
MD5 hash:
a06bd5180c6e4ffd664adacef610581d
SHA1 hash:
60d74e5fe5d02abde727b12cd6173cd91a56376a
Link:
https://www.unpac.me/results/13c8397a-a2db-43b8-9a7a-933afd20df0b/
SH256 hash:
1adf567b40e4baab015e89879313443b5ad82798e59a56b8c8abcd570b8a9736
MD5 hash:
ca65d057219cb42287861951b2e3a0a0
SHA1 hash:
1670f84b1ca4ac833574079f2bbe40b3d8cb112e
Link:
https://www.unpac.me/results/13c8397a-a2db-43b8-9a7a-933afd20df0b/
SH256 hash:
501ac41bcfa5d205762496c20b2ffa52b4df885814b7ce6a453be09ad6a1abda
MD5 hash:
e5cce59559e63beb43eddedb27dc7964
SHA1 hash:
d3722cd05bc9f9f9bd9168a6b0cd0e09a7846d8a
Link:
https://www.unpac.me/results/13c8397a-a2db-43b8-9a7a-933afd20df0b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/501ac41bcfa5d205762496c20b2ffa52b4df885814b7ce6a453be09ad6a1abda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_KB_CERT_01ea62e443cb2250c870ff6bb13ba98e
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 501ac41bcfa5d205762496c20b2ffa52b4df885814b7ce6a453be09ad6a1abda

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/122185/

Comments