MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63cd6fa89880cc5dadc8995b2ec904afe0cb3685c65c80569ce0d0942b14e4ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63cd6fa89880cc5dadc8995b2ec904afe0cb3685c65c80569ce0d0942b14e4ad
SHA3-384 hash: 801830213c5e72a87a0509c57a642285eed39ee497987120bac1e5bb45e4e7e59d78ebafa2cb6cc9075788167f34293c
SHA1 hash: 5096e7707c3470d02e29d49777a9c892d4a84c0c
MD5 hash: 1318f9fe79e0c1d31ef1a04cbc5a3078
humanhash: timing-venus-steak-foxtrot
File name:CamScanner_PO#22070_Ref_389462,PO#22088_Ref_80411927.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:932'352 bytes
First seen:2021-07-24 10:07:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 81b44cc9bb38ca599d2bb46a023cd8f4 (2 x Formbook, 1 x RemcosRAT, 1 x BitRAT)
ssdeep 12288:4XjVVvgR6lgIdw67J0/BVEULCi/FKGI9isgfDe1yL7qOeA:4XjfrR+6dwJLxsr9isgfKKY
Threatray 993 similar samples on MalwareBazaar
TLSH T14A158D2BE313C8F5DEB327B99D6237826F25FC101968589965C4C87DDF382D26A26343
dhash icon 64e0d4c4c4d4d4d4 (2 x AveMariaRAT, 1 x AgentTesla, 1 x ModiLoader)
Reporter Racco42
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173877/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Backdoor.BitRAT.51.9945.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a41cadce-4494-47b9-b67e-10ad64a4840f
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821204
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 453615 Sample: CamScanner_PO#22070_Ref_389... Startdate: 24/07/2021 Architecture: WINDOWS Score: 100 59 Multi AV Scanner detection for domain / URL 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 7 other signatures 2->65 8 CamScanner_PO#22070_Ref_389462,PO#22088_Ref_80411927.exe 1 24 2->8         started        13 Yfgbhqp.exe 16 2->13         started        15 Yfgbhqp.exe 16 2->15         started        process3 dnsIp4 45 onedrive.live.com 8->45 53 2 other IPs or domains 8->53 41 C:\Users\Public\Libraries\...\Yfgbhqp.exe, PE32 8->41 dropped 75 Writes to foreign memory regions 8->75 77 Allocates memory in foreign processes 8->77 79 Creates a thread in another existing process (thread injection) 8->79 17 DpiScaling.exe 3 4 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        47 192.168.2.1 unknown unknown 13->47 49 onedrive.live.com 13->49 55 2 other IPs or domains 13->55 81 Multi AV Scanner detection for dropped file 13->81 83 Injects a PE file into a foreign processes 13->83 25 secinit.exe 4 13->25         started        51 onedrive.live.com 15->51 57 2 other IPs or domains 15->57 27 dialer.exe 4 15->27         started        file5 signatures6 process7 dnsIp8 43 xchilogs.duckdns.org 51.222.98.71, 23411, 49734, 49759 OVHFR France 17->43 67 Tries to steal Mail credentials (via file access) 17->67 69 Increases the number of concurrent connection per server for Internet Explorer 17->69 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->71 29 reg.exe 1 21->29         started        31 conhost.exe 21->31         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        73 Tries to harvest and steal browser information (history, passwords, etc) 27->73 signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/63cd6fa89880cc5dadc8995b2ec904afe0cb3685c65c80569ce0d0942b14e4ad/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 04:16:00 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpgw7keyqdgf3loitfns5siev7qmwnufyzoiavu44dijikyu4swq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0ff6edaf3533a3627afc5e2d74446e0c315087afe958b5fb2cc0a7ccb793d501
AveMariaRAT
122ef85900670d4776f3afdbe676d59c23c4cd9944b9d392eb9a446b3bb40dde
AveMariaRAT
1ec80487df001c0f6d41a90bbe2451242977a6f36a276d6eefa8aef0f593ab6b
AveMariaRAT
4757d64431cbf911d9a6cc5b1cd96ee7f733dd0eb05c41f1fa100ba3d354d4a5
AveMariaRAT
5cbed2f8a5fdadbd99816c4c8792bd51a2db7479f80bf70409f0f257f942d0c9
AveMariaRAT
5f0161e643adfaeca9dc6918e8cc29fc85ecdcf6727afd601649068f1e36a814
AveMariaRAT
803ed954a2fbfa36e1b154d7b1b6b270021eb72583d5a876e5aaedd728c39cc7
AveMariaRAT
9b342770fe4594e3a6d22b0b8d50269f8c749fb6d43c4f22d6ba48ddbff23bb4
AveMariaRAT
b5633b89bc09a7e0bfdb617572df279f2a08518ffe186ad3c372f2b53c210996
AveMariaRAT
b59b27b89189fc7fd98bc8f8a70d7d500907439cba4303c1eb812532fa2bc96f
AveMariaRAT
+ 983 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210724-8dkdw1dp8e/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
xchilogs.duckdns.org:23411
Unpacked files
SH256 hash:
7470d7a49c6e61e406c0e1cfb17ad86221ea7af972abb3da166c1ba1e9a1a7ed
MD5 hash:
9a495f6dc375d601c8aa5015c8a14a17
SHA1 hash:
0f167fabe37b1a5a44a9cbb40e84abb4303230a6
Link:
https://www.unpac.me/results/7537884b-0171-4761-a363-d66477a09d53/
SH256 hash:
63cd6fa89880cc5dadc8995b2ec904afe0cb3685c65c80569ce0d0942b14e4ad
MD5 hash:
1318f9fe79e0c1d31ef1a04cbc5a3078
SHA1 hash:
5096e7707c3470d02e29d49777a9c892d4a84c0c
Link:
https://www.unpac.me/results/7537884b-0171-4761-a363-d66477a09d53/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63cd6fa89880cc5dadc8995b2ec904afe0cb3685c65c80569ce0d0942b14e4ad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 63cd6fa89880cc5dadc8995b2ec904afe0cb3685c65c80569ce0d0942b14e4ad

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/173877/

Comments