MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6072185720cbcf2add1e2ada668484a4d55c601fcb2840ca6b7fbf9dfacdefb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6072185720cbcf2add1e2ada668484a4d55c601fcb2840ca6b7fbf9dfacdefb8
SHA3-384 hash: b069f4cd215eae1f95226bee6fbf83348ba87e14341d828c55d10c35f875ba4b0ffc697e96853921310af5207e1c830e
SHA1 hash: e0fd6e42295538f9793f55dadac40319176f28f4
MD5 hash: 78e0265f9bc8991dbb309aa52612eb46
humanhash: georgia-washington-november-green
File name:Tender SN980018277 & SN9901827 Signed Copy.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:832'000 bytes
First seen:2021-12-02 11:14:29 UTC
Last seen:2021-12-02 13:03:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bbc9c0e1dd018627fbe5726a5fc2ba6c (4 x Formbook, 1 x AveMariaRAT)
ssdeep 12288:8IEpAb3iVUYfqUe+L7JMlbv7BRggB8BcFcePyaW:8I8G3DYfq9+hMNTkO8Cbm
TLSH T1AA053A6D7B9C5C32F89A7A7C99C6B96854233D202DC4686531ECF8C8CA34F4166F6C4B
File icon (PE):PE icon
dhash icon 34f0c4c4c4c4c0d4 (1 x AveMariaRAT, 1 x RemcosRAT)
Reporter c_APT_ure
Tags:avemaria AveMariaRAT exe


Avatar
c_APT_ure
AveMaria stealer
MD5: 78e0265f9bc8991dbb309aa52612eb46
C2: pentester01[.]duckdns[.]org : 60977

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TenderXSN980018277XXXSN99018277XSoberanoXSourcingXGmbH.xz
Verdict:
Malicious activity
Analysis date:
2021-12-02 08:48:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/af165fff-7fe4-4afe-800b-d783a836c59e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RDPWrap
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210665/
Detection(s):
SecuriteInfo.com.Trojan.Win32.BestaFera.7c.7325.4767.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/527/overview
Behaviour
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/61a8aab986bf67e7121fa81b/reports/48bcbc9c-6825-4f57-b55e-d328ae07a192/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/feb5cbb4-b258-432d-97c4-bd1c872252f9
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900068
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 532546 Sample: Tender SN980018277 & SN9901... Startdate: 02/12/2021 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for domain / URL 2->68 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 8 other signatures 2->74 8 Tender SN980018277 & SN9901827 Signed Copy.exe 1 20 2->8         started        13 Jrnenbsz.exe 13 2->13         started        15 Jrnenbsz.exe 13 2->15         started        process3 dnsIp4 44 royalkitchen-co.com 69.16.216.42, 443, 49776, 49777 LIQUIDWEBUS United States 8->44 46 www.royalkitchen-co.com 8->46 40 C:\Users\user\Jrnenbsz.exe, PE32 8->40 dropped 76 Writes to foreign memory regions 8->76 78 Allocates memory in foreign processes 8->78 80 Creates a thread in another existing process (thread injection) 8->80 17 cmd.exe 1 8->17         started        20 DpiScaling.exe 3 4 8->20         started        48 www.royalkitchen-co.com 13->48 82 Multi AV Scanner detection for dropped file 13->82 84 Machine Learning detection for dropped file 13->84 86 Injects a PE file into a foreign processes 13->86 23 logagent.exe 4 13->23         started        50 www.royalkitchen-co.com 15->50 25 logagent.exe 1 15->25         started        file5 signatures6 process7 dnsIp8 52 Uses cmd line tools excessively to alter registry or file data 17->52 54 Uses schtasks.exe or at.exe to add and modify task schedules 17->54 27 cmd.exe 1 17->27         started        30 conhost.exe 17->30         started        42 pentester01.duckdns.org 51.161.104.181, 49780, 49824, 60977 OVHFR Canada 20->42 56 Increases the number of concurrent connection per server for Internet Explorer 20->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->58 60 Tries to steal Mail credentials (via file / registry access) 23->60 62 Contains functionality to inject threads in other processes 23->62 64 Contains functionality to steal Chrome passwords or cookies 23->64 66 2 other signatures 23->66 signatures9 process10 signatures11 88 Uses cmd line tools excessively to alter registry or file data 27->88 32 conhost.exe 27->32         started        34 reg.exe 1 1 27->34         started        36 schtasks.exe 1 27->36         started        38 2 other processes 27->38 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6072185720cbcf2add1e2ada668484a4d55c601fcb2840ca6b7fbf9dfacdefb8/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-12-02 11:15:16 UTC
File Type:
PE (Exe)
Extracted files:
116
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/211202-nckqpafcan/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
pentester01.duckdns.org:60977
Unpacked files
SH256 hash:
68ae5ffe5ad2069a531d80461d6f5ad6c210d0a19075a193894b95392827bec3
MD5 hash:
2cdfa8240841b03c9e440fbecf1ab6a8
SHA1 hash:
5f11ffeb002745eab78b1432e49adf6caf76286a
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/30d6374d-0cb4-4129-bdaf-9ab5bf811c4a/
Parent samples :
6072185720cbcf2add1e2ada668484a4d55c601fcb2840ca6b7fbf9dfacdefb8
7ef8b67819945bc8f480ca064b5e3f5a330b6744d47d24b5d1c0214ca65724a3
d6b4f7ba99b492e9b2382b51f6c49b32e86cc81b7fc6c93313f5962de4b910bd
7195589ba87f4b77bc10af665070180cf807ff7d2f8198743248edda2e85b6a5
b8aa3a9c721eae2745f1671b70869a8e3fe847a16e769d69c40727857ba54b44
897d218b958ece913adb5670a36e54f96f7d5279174c21f11cef92e31876a772
1a77fe43c21c77b47c1ea009c8a7c082eb11abcfb48ff4375cce7edc0925e9c6
a6a14f198c4aecd3c93a2e2dbecefb7f56643c231fc6eb685c5006eb825c591d
SH256 hash:
6072185720cbcf2add1e2ada668484a4d55c601fcb2840ca6b7fbf9dfacdefb8
MD5 hash:
78e0265f9bc8991dbb309aa52612eb46
SHA1 hash:
e0fd6e42295538f9793f55dadac40319176f28f4
Link:
https://www.unpac.me/results/30d6374d-0cb4-4129-bdaf-9ab5bf811c4a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6072185720cb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6072185720cbcf2add1e2ada668484a4d55c601fcb2840ca6b7fbf9dfacdefb8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

lzh 86fdfd47a9bb9fa65ec33a95cf4b3cfc246f182f68000809b3fdad7fef26c4c8

AveMariaRAT

Executable exe 6072185720cbcf2add1e2ada668484a4d55c601fcb2840ca6b7fbf9dfacdefb8

(this sample)

  
Dropped by
MD5 3b7654dc26f2edbfa598cf6441c1d509
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/210665/
  
Dropped by
SHA256 86fdfd47a9bb9fa65ec33a95cf4b3cfc246f182f68000809b3fdad7fef26c4c8

Comments