MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a664c1f202138b90577612d248c93071f58a5b41a7db4c0c8f241df927bf6c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a664c1f202138b90577612d248c93071f58a5b41a7db4c0c8f241df927bf6c0
SHA3-384 hash: a3f86a5ef53370c8c4f6e23aa508187fed40e3738910ff8f96a6c67663ca1673b097300e1d8749aaf205e57131ecd532
SHA1 hash: 42ab7067d1ba7e966abb876888f7dd60ab64ffed
MD5 hash: 2344684309d996745143e20098ef39cb
humanhash: three-alanine-finch-lithium
File name:Remittance_Advice_20210826.vbs
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:897 bytes
First seen:2021-08-26 12:18:27 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:tatyE7AfwVIJrwFWNbkXNodnAbOJk8/fecG2bwELP/dg3Nfd+WVaiTC:0tyRfwVYwFWNbkXyn55G2UE7/kNEKC
Threatray 1'144 similar samples on MalwareBazaar
TLSH T1FF11280A4C159CDA9315E14101C36DDDC250A7537FD039792477794BDCAED3E5C8D98B
Reporter abuse_ch
Tags:AveMariaRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182612/
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839721
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Sigma detected: Suspicious PowerShell Command Line
Sigma detected: Suspicious PowerShell Keywords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AveMaria stealer
Yara detected MSILLoadEncryptedAssembly
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a664c1f202138b90577612d248c93071f58a5b41a7db4c0c8f241df927bf6c0/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 12:19:26 UTC
AV detection:
2 of 41 (4.88%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=njteyhzaee4lsblxmewsjdeta4pvrjnudj63jqgi6ja57et363aa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
2a6c590409a79f9e6146796235bd97e7c5080ae9cfbd3af4f89cd0127ffa29da
AveMariaRAT
36c35b4364b62c4d1ff2be1e1a043a10bc587625ad383dd2b4dacde157a952e4
AveMariaRAT
38a7b50472d2fbc4d4d76ef0936ceafa31606153a36e7afa3d7952539dfa0c2f
AveMariaRAT
4ae3522e80d4dbf4e6e50053d3104e327309ed478bf50040ba14a615b1da3d56
AveMariaRAT
52e2c9a43a9de0685055f60bd590f2f893882ad710f3b7e8c451985eea69ec07
AveMariaRAT
94fd8c7b7935c64a7ed46794b3b5597800ae02715d5d0d95df19b208dc0d98fb
AveMariaRAT
9e2a3d4464636baff78628d870f39d1a9f3ba23da71f8c50ead2576479077702
AveMariaRAT
a9321317116649103debb8a03f5b36ee8b015fa48fc7da5c2b5eb5192dac8233
AveMariaRAT
d9740755673a2b1025f0a9ea9a579657b0d22d7c00a049d113f84326d37b66bb
AveMariaRAT
f4d3d1d7abd51b08b3bad84d718cb3beaf9d0513422ce276ea2cc2617c3cf889
AveMariaRAT
+ 1'134 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/210826-cmqdkxs64e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
84.38.129.119:3543
Dropper Extraction:
https://transfer.sh/17VfkkC/bypass.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a664c1f202138b90577612d248c93071f58a5b41a7db4c0c8f241df927bf6c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PowerShell_Case_Anomaly
Create hunting rule
Author:Florian Roth
Description:Detects obfuscated PowerShell hacktools
Reference:https://twitter.com/danielhbohannon/status/905096106924761088

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Visual Basic Script (vbs) vbs 6a664c1f202138b90577612d248c93071f58a5b41a7db4c0c8f241df927bf6c0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/182612/

Comments