MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7406e77d7cbbc5344697900906c5a5930330dcdfba382b22181b41494ace670e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7406e77d7cbbc5344697900906c5a5930330dcdfba382b22181b41494ace670e
SHA3-384 hash: 98d660da4149f25eb1f4e79dfcabc38f523078f79ef25c12e69b5d66f8b0ab713a2e23a32b66745b5973643623284e8a
SHA1 hash: 0445c1df394239e55eb2662efce8ed7673d86907
MD5 hash: 2e570f632f1fb4a5a018df104caa1692
humanhash: thirteen-rugby-robin-undress
File name:PP-9822.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:134'416 bytes
First seen:2020-10-27 16:45:19 UTC
Last seen:2020-10-27 18:37:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:IsYsYsYiGaV89FXvgsYsYsYicsYsYsYihPIsYsYsYiEsYsYsYirsYsYsYiG5Zss9:A9tl6w0NCUHXJV44Jre1YV6
Threatray 527 similar samples on MalwareBazaar
TLSH A1D3BB4A300BB833EBDA02F0044FDE50F3B5D2BD4961D53999E61E5CCA7A55A3C1B6CA
Reporter abuse_ch
Tags:AveMariaRAT exe geo POL


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: h22.megalink.com
Sending IP: 200.75.160.22
From: Poczta Polska <liamchua@poczta-polska.pl>
Subject: Twoja przesyłka od pana Kowalskiego dotarła
Attachment: PP-9822.iso (contains "PP-9822.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Dtloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/80047/
Detection(s):
SecuriteInfo.com.Generic.mg.2e570f632f1fb4a5.15208.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun by creating a file
Enabling autorun
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/514039
Signature
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 306132 Sample: PP-9822.exe Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 53 efiigbo9.duckdns.org 2->53 65 Malicious sample detected (through community Yara rule) 2->65 67 Yara detected AveMaria stealer 2->67 69 Contains functionality to hide user accounts 2->69 71 2 other signatures 2->71 8 PP-9822.exe 18 4 2->8         started        13 PP-9822.exe 2->13         started        15 PP-9822.exe 2 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 57 www.google.it 172.217.168.67 GOOGLEUS United States 8->57 59 ahgwqrq.xyz 172.67.142.40, 443, 49714, 49721 CLOUDFLARENETUS United States 8->59 61 192.168.2.1 unknown unknown 8->61 51 C:\Users\user\AppData\Roaming\...\PP-9822.exe, PE32 8->51 dropped 77 Creates an undocumented autostart registry key 8->77 79 Contains functionality to inject threads in other processes 8->79 81 Contains functionality to steal Chrome passwords or cookies 8->81 91 3 other signatures 8->91 19 PP-9822.exe 3 2 8->19         started        23 timeout.exe 1 8->23         started        25 WerFault.exe 20 9 8->25         started        63 104.27.180.69, 443, 49731 CLOUDFLARENETUS United States 13->63 83 Creates autostart registry keys with suspicious names 13->83 85 Creates multiple autostart registry keys 13->85 87 Hides threads from debuggers 13->87 27 timeout.exe 13->27         started        89 Injects a PE file into a foreign processes 15->89 29 timeout.exe 1 15->29         started        35 2 other processes 15->35 31 timeout.exe 17->31         started        33 timeout.exe 17->33         started        37 7 other processes 17->37 file6 signatures7 process8 dnsIp9 55 efiigbo9.duckdns.org 185.140.53.130, 49718, 49720, 49722 DAVID_CRAIGGG Sweden 19->55 73 Increases the number of concurrent connection per server for Internet Explorer 19->73 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->75 39 conhost.exe 23->39         started        41 conhost.exe 27->41         started        43 conhost.exe 29->43         started        45 conhost.exe 31->45         started        47 conhost.exe 33->47         started        49 conhost.exe 37->49         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7406e77d7cbbc5344697900906c5a5930330dcdfba382b22181b41494ace670e/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 14:45:54 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oqdoo7l4xpctiruxsaeqnrnfsmbtbxg7xi4cwiqydnausswom4ha._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
047cc8e0672ffab0edff9ab97852667517b5d2ad28048037c126d06e3e28b8af
AveMariaRAT
1b73a2e9bb46a4af54c4c42608e75b729ffa44a432d48aed81b2cf9599c2c7f5
AveMariaRAT
210907c63a822466ef533403076830467ea49fd5fad67af25528ab558eeb9415
AveMariaRAT
455ea8ac576f3d44ecb310e3068e3ff759c8d6bc43344a1ad11ea5762b85d201
AveMariaRAT
82b070a42d50b8e37b551543e041933140f3823138b0997fccd4ad926df8183b
AveMariaRAT
838bd3c3ce0091704b836352a4e5d489b8e172e8ef6a7dc18462ce3042c6d716
AveMariaRAT
913171727a31831be646f7712f8adc3c310affe7897e9556cf1099d743b12913
AveMariaRAT
a21a0d414080476ea51f99a3d207c12e1e9b15646b39338e989ed817a91429f6
AveMariaRAT
aae06c61ea30fd920db8caa7e32eefe1b74842affe3fa6d53ce6765f49783ed5
AveMariaRAT
fbe762c8c464730d016cd2ef76955fe726f74abd031cea612d6a08bce2383a3e
AveMariaRAT
+ 517 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/201027-5ds82vyq9s/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Warzone RAT Payload
Modifies WinLogon for persistence
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/7406e77d7cbbc5344697900906c5a5930330dcdfba382b22181b41494ace670e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

iso 603c9e1506e6e044917519f8a3be1d5f0f2a438968ba80f6caf511fc7072ad25

AveMariaRAT

Executable exe 7406e77d7cbbc5344697900906c5a5930330dcdfba382b22181b41494ace670e

(this sample)

  
Dropped by
MD5 d1e8c718fa49b7926fe362b018ee9033
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 603c9e1506e6e044917519f8a3be1d5f0f2a438968ba80f6caf511fc7072ad25
Cape
Cape
https://www.capesandbox.com/analysis/80047/

Comments