MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fa4e7e851fd8997ceb6a4b87912523dd682387f70eb840afc01806e08c26c2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	7fa4e7e851fd8997ceb6a4b87912523dd682387f70eb840afc01806e08c26c2f
SHA3-384 hash:	430106ec96f9a4b85bc519bfaa8e407a08d52dbf11862fbc8af99c2a8ecfccfb68f3c56e5c07638401acb6fe405b6dbb
SHA1 hash:	203a1af72a21fafcd06bd545c66a2d28318fdd89
MD5 hash:	a07b0a1e30a411eb7b2acff98a07312f
humanhash:	iowa-hydrogen-apart-nevada
File name:	AveMaria.bin
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	168'960 bytes
First seen:	2020-10-01 06:33:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	51a1d638436da72d7fa5fb524e02d427 (124 x AveMariaRAT, 1 x njrat)
ssdeep	1536:10jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01+t:O1VmhaH8EFvW+0OVE0Qt
Threatray	438 similar samples on MalwareBazaar
TLSH	A9F30613F2AD073CE3A692B035792B358AA9EF374164499EB3C5FC4E583241EA5253D3
Reporter	Anonymous
Tags:	avemaria AveMariaRAT

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

n/a

Vendor Threat Intelligence

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/67321/

Detection(s):

Win.Malware.Zusy-8799014-0

Win.Malware.AveMaria-8799014-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching cmd.exe command interpreter

Sending a UDP request

DNS request

Connection attempt

Unauthorized injection to a system process

Result

Threat name:

AveMaria

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/479030

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected AveMaria stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/7fa4e7e851fd8997ceb6a4b87912523dd682387f70eb840afc01806e08c26c2f/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2020-10-01 06:35:06 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p6sop2cr7wezptvwus4hsesshxlieod7odvyicx4agag4cgcnqxq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

27f672cbea21c2a96f66db3d2e2e8b16f4f4fc06ed2abed9df62421c2800379c

AveMariaRAT

44631c28fe04318faf429139fae5d95554dc1a9c4fd47b2c2ab2e0fff7667271

AveMariaRAT

49f5e75f64b5a1620cc9a6cbd3870e87853aecb3ef4019ac1a42bdd8a0c499e7

AveMariaRAT

578df50c34d2f8f3146e5c4a457c4e9eac639070d3766ba202c84af6a790d4a7

AveMariaRAT

aec7bb752bfb4fb49d6d363db8393e84a05da72cd3b54a9b368bc43adcd3f08d

AveMariaRAT

b09ba0422073d096874e13104b4709f379468dd324eb85dcb84cd112a6609f1b

AveMariaRAT

d30b949fc05b15b611b3fe420b6883062c5bb2b270c769540c48f703a46cbbf3

AveMariaRAT

df6b12e28602092e6841be50355a76684b5333b236cf9b8441dd73fc1abbf4ae

AveMariaRAT

fc4b29f54e0b3ed0493ba85310a2665ab47e5143f3cb3ce09686f0560dd1ed04

AveMariaRAT

+ 428 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://tria.ge/reports/201001-z7rjbrmm9a/

Behaviour

Suspicious use of WriteProcessMemory

ServiceHost packer

Unpacked files

SH256 hash:

7fa4e7e851fd8997ceb6a4b87912523dd682387f70eb840afc01806e08c26c2f

MD5 hash:

a07b0a1e30a411eb7b2acff98a07312f

SHA1 hash:

203a1af72a21fafcd06bd545c66a2d28318fdd89

Detections:

win_ave_maria_g0

win_ave_maria_auto

Link:

https://www.unpac.me/results/1313c2d0-715f-4bd8-b49f-2db944205275/

Parent samples :

7fa4e7e851fd8997ceb6a4b87912523dd682387f70eb840afc01806e08c26c2f
18ec681c471f185edf3ab8e23b52b4ea2a87162f9957b4d5d10ac0e2bc008405

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator