MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 668566b73ffe0c42699030779e8704261bad9d095c56cac1206170c89c5fb698. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT
Vendor detections: 8

SHA256 hash: 668566b73ffe0c42699030779e8704261bad9d095c56cac1206170c89c5fb698
SHA3-384 hash: 2c1032a593279e57bda935746d30d777446fff70aa330f7de7a863321ab40b472e58a14d421c2dc7d1a4d5a0e36f6405
SHA1 hash: 690e72aeaa85252b2adb4f5386776c3a32968489
MD5 hash: 1c4581e11a19f423157ce8ce1b828e19
humanhash: rugby-maryland-cat-berlin
File name: doc.exe
Signature: AveMariaRAT
File size: 611'944 bytes
First seen: 2020-07-16 07:55:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9f24c32fbb9fcdef16773efcde23b409 (3 x AgentTesla, 2 x NanoCore, 1 x QuasarRAT)
ssdeep: 12288:J1bl3SKiQ9X5M1EL6GgmV5hT82Hnb6tY1r1FCVT:zVoQ9EWe23Q0b6tYZ1FCB
Threatray: 463 similar samples on MalwareBazaar
TLSH: 9BD49E2EE2EC4477C17316789C3B97B8A836BE103D2859476BE55C4C6F39381396B287
Reporter: abuse_ch
Tags: AveMariaRAT exe HostGator RAT


abuse_ch
Malspam distributing AveMariaRAT:

HELO: gateway32.websitewelcome.com
Sending IP: 192.185.145.187
From: Income Tax Dept <info@leadersmedica.com>
Subject: Rs 96,310 Tax Payment was deducted From your account
Attachment: Tax Challan.xlsm

AveMariaRAT payload URL:
http://jurec.mx/doc.exe

AveMariaRAT C2:
103.149.13.48:5200

Intelligence


File Origin
# of uploads: 1
# of downloads: 73
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a file
Creating a process with a hidden window
Creating a process from a recently created file
Deleting a recently created file
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Setting a keyboard event handler
Creating a file in the Program Files subdirectories
Creating a file in the system32 directory
Launching a service
Loading a system driver
Creating a file in the system32 subdirectories
Creating a service
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun for a service
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name: AveMaria
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to create processes via WMI
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Creates processes via WMI
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops script or batch files to the startup folder
Drops VBS files to the startup folder
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 246887, Sample: doc.exe, Startdate: 19/07/2020, Architecture: WINDOWS, Score: 100
Process tree recovered from the graph: doc.exe starts further doc.exe instances, notepad.exe, wscript.exe, cmd.exe (which in turn starts WMIC.exe and conhost.exe) and powershell.exe; the dropped images.exe repeats the unpacking and injection chain and spawns its own cmd.exe and powershell.exe.
Files dropped according to the graph: C:\ProgramData\images.exe (PE32), C:\ProgramData:ApplicationData (PE32, NTFS alternate data stream), C:\Users\user\AppData\...\programs.bat:start (ASCII), C:\Users\user\AppData\Roaming\...\pdf.vbs (ASCII), plus 2 other malicious files.
Network contact according to the graph: 103.149.13.48, ports 49737 and 5200 (VNPT-AS-VN, Vietnam Posts and Telecommunications Group, VN).
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-07-16 07:57:04 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence spyware
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
NTFS ADS
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
JavaScript code in executable
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; Detect CobaltStrike used by different APT groups
Rule name: Codoso_Gh0st_1
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name: Codoso_Gh0st_2
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name: MAL_Envrial_Jan18_1
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name: win_ave_maria_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
Rule name: win_ave_maria_g0
Author: Slavo Greminger, SWITCH-CERT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: AveMariaRAT
File: Executable exe 668566b73ffe0c42699030779e8704261bad9d095c56cac1206170c89c5fb698 (this sample)