MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5
SHA3-384 hash: 4785f7af4b290c29dde9de08701eaf5bd06da2a612871a3f5163a5ccc55c35f0c1575b7f1484fb388c5ca3a005ad9ae2
SHA1 hash: e759c0c4cc5bd2ab962b6a3765f984441d9120c9
MD5 hash: 9d806e69205f73a455806ca69e753fdb
humanhash: wolfram-batman-mango-coffee
File name:94039330.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'214'144 bytes
First seen:2020-11-28 09:27:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 23de31c260a4b45c8d1ef99329fb5969 (2 x RemcosRAT, 1 x ModiLoader, 1 x AveMariaRAT)
ssdeep 24576:DLHLdu/OaH5JS1H6OkN5HYybB68gKmX9hIbEIKF:DLrd08kN5HYYRgKAh
Threatray 629 similar samples on MalwareBazaar
TLSH 9A45D023B1B28436C16269BD9E1B81ED6E75BD717478750E3BD0A90CCF36AC17D250A3
Reporter abuse_ch
Tags:AveMariaRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: smtp.super.net.pk
Sending IP: 203.130.9.9
From: DAN VIET TRADING CO<skyways@super.net.pk>
Reply-To: <Amazoncarpar@126.com>
Subject: Re : Additional Order
Attachment: 94039330.rar (contains "94039330.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105882/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/549948
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 324084 Sample: 94039330.exe Startdate: 28/11/2020 Architecture: WINDOWS Score: 100 28 g.msn.com 2->28 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected AveMaria stealer 2->50 52 5 other signatures 2->52 7 Tzchdrv.exe 2->7         started        11 Tzchdrv.exe 2->11         started        13 94039330.exe 1 2 2->13         started        signatures3 process4 dnsIp5 30 192.168.2.1 unknown unknown 7->30 54 Writes to foreign memory regions 7->54 56 Allocates memory in foreign processes 7->56 58 Injects a PE file into a foreign processes 7->58 16 ieinstal.exe 3 4 7->16         started        32 162.159.137.232, 443, 49724 CLOUDFLARENETUS United States 11->32 60 Multi AV Scanner detection for dropped file 11->60 20 ieinstal.exe 11->20         started        34 discord.com 162.159.128.233, 443, 49719, 49728 CLOUDFLARENETUS United States 13->34 36 cdn.discordapp.com 162.159.134.233, 443, 49720, 49725 CLOUDFLARENETUS United States 13->36 24 C:\Users\user\AppData\Local\...\Tzchdrv.exe, PE32 13->24 dropped 22 ieinstal.exe 13->22         started        file6 signatures7 process8 dnsIp9 26 williamz20.ddns.net 194.33.45.171, 3920, 49730 CLOUVIDERClouvider-GlobalASNGB United Kingdom 16->26 38 Tries to steal Mail credentials (via file access) 16->38 40 Tries to harvest and steal browser information (history, passwords, etc) 16->40 42 Increases the number of concurrent connection per server for Internet Explorer 16->42 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->44 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 20:37:53 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdgwwpfoeg556aunl7xjjq2vf3gee4cdw4fyib7j7e3ik7ddp3sq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0629278e51106220eb8727f80f4c24cfb432e6344561e8518030b19b669bcc72
AveMariaRAT
2cc5a802aaf99da12f98c79d28f14a2e850b9a9afc4c0f682430a425643d8cda
AveMariaRAT
4e420c5efeb26330ec4eb618426d859222b791798df3ae65c59fc20ef2f2889a
AveMariaRAT
97b34cb713e879fb7cfe158a3180b73d1c71b71446368f242a0c004d0c3462dd
AveMariaRAT
9f5afe868a8dd23926e807303d8896b239b802a3c366e448f4c59a103540019f
AveMariaRAT
af84cf642737e0b62537d9a78861cc129fbc0e68a34770cb70c6ccaa3f553687
AveMariaRAT
b50f9caa6df41cf34a52f45f989dc38ba037fd68535f6d7015fe602c826b0c1c
AveMariaRAT
de966245d2120df80add0bc610965487383a27ca6434abb2a41d3fb6447ee0cf
AveMariaRAT
e0e3ae47b7e48c3c81724d0a63f5f6f8033bb516d97c538ea52349a102a0e1b6
AveMariaRAT
f6878003c470e531787cd70fc0785bb01a5c64d6a39f0efec5aabc5ac3f5f889
AveMariaRAT
+ 619 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat spyware trojan
Link:
https://tria.ge/reports/201128-jgjyr5e3gj/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5
MD5 hash:
9d806e69205f73a455806ca69e753fdb
SHA1 hash:
e759c0c4cc5bd2ab962b6a3765f984441d9120c9
Link:
https://www.unpac.me/results/7e93109f-bc22-4085-af77-245f85642975/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar 6b0da465579604b1c7234201479d75e97368eac7c62fbdc9dc3c8882ce234a23

AveMariaRAT

Executable exe 88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5

(this sample)

  
Dropped by
MD5 be729520132bb0cdb11174b8f6d4c07e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/105882/
  
Dropped by
SHA256 6b0da465579604b1c7234201479d75e97368eac7c62fbdc9dc3c8882ce234a23

Comments