MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ad1ee75b0e6ad7140aed361cc0000ff540f01fc4e63591a64ccbeedc31dcaa8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ad1ee75b0e6ad7140aed361cc0000ff540f01fc4e63591a64ccbeedc31dcaa8
SHA3-384 hash: e01709d54c5ce8af978ba3fd024dbbdc5e548066988314ca0474d03784e11b2e814e0300b1054aa94a07b1b5960a2137
SHA1 hash: ef2d3361edba3da14a33795a27872ccb0c91f54a
MD5 hash: 8f28453a1e07da3f8e04aa4fdf0f7495
humanhash: florida-kansas-six-five
File name:PO.20210704_quick shipment.com
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:814'592 bytes
First seen:2021-04-07 15:43:53 UTC
Last seen:2021-04-07 17:04:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:ToHcBYPym0UWHxysNRW/fosoI5wIpbikyqFU:To8BYK1UWHxnW/gI51pByq
Threatray 789 similar samples on MalwareBazaar
TLSH 7305E07023A85B59E2BE97BA0060A15017F7B14AE732D70C3CB8519E5D72B81DB33B57
Reporter abuse_ch
Tags:AveMariaRAT com


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: regular1.263xmail.com
Sending IP: 211.150.70.197
From: Rodriguez <billy.feng@asweets.com>
Subject: PO.20210704_quick shipment_Peru
Attachment: PO.20210704_quick shipment.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO.20210704_quick shipment.com
Verdict:
Malicious activity
Analysis date:
2021-04-07 15:47:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/08ea1085-ce07-4907-a210-9ecb040d9998

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132884/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.7277.26199.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668898
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8ad1ee75b0e6ad7140aed361cc0000ff540f01fc4e63591a64ccbeedc31dcaa8/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 15:44:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
23 of 48 (47.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rli645nq42wxcqfo2nq4yaaa75ka6ap4jzrvsgtezs7o3qy5zkua._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0dc8b267631d1894fbc6644468e5a9d9b9543257e0a85c271af230c757831496
AveMariaRAT
23d488d19e07e94e8aba4bbad7b9b85b6a0a7b19a264d0fe55323aada1ec721b
AveMariaRAT
411a7c0f381354be120c25158756008260b2ba2f3b2a83e4a514602ab09edbea
AveMariaRAT
5ba2e4021682f2700ca05c93eb32efb3c93d7bebd816842bdcca6cc768771cbe
AveMariaRAT
757d6be9f53d159e382e9b82a4baa567d4a8173b30ccd788234f4afb5db16eba
AveMariaRAT
7ee0c62e76613b5cdf12f2fa8d408ba952d9ac828e97d65411f8e9f8619cfc6b
AveMariaRAT
8870e414ae7cec6f996da728f1366eb10940a81823abbfd13fbd0f97da1585bb
AveMariaRAT
a5c4e0a33316630d870175895153a056499950d478b2d09491f335ecfaaa4e3d
AveMariaRAT
be783c2bd964fe9b8cc8a49b0312a6125ca2981ab1abe3d2d2b42c32395368fd
AveMariaRAT
d22b5f0952081bb59e1e1d6f2cb2ff88376461813414622f0c534855fc43039c
AveMariaRAT
+ 779 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat spyware stealer
Link:
https://tria.ge/reports/210407-b72twzcjej/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
185.140.53.69:4080
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/af5092b1-0cca-468a-afbc-15a34296f76a/
SH256 hash:
8ad1ee75b0e6ad7140aed361cc0000ff540f01fc4e63591a64ccbeedc31dcaa8
MD5 hash:
8f28453a1e07da3f8e04aa4fdf0f7495
SHA1 hash:
ef2d3361edba3da14a33795a27872ccb0c91f54a
Link:
https://www.unpac.me/results/af5092b1-0cca-468a-afbc-15a34296f76a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/8ad1ee75b0e6ad7140aed361cc0000ff540f01fc4e63591a64ccbeedc31dcaa8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 8ad1ee75b0e6ad7140aed361cc0000ff540f01fc4e63591a64ccbeedc31dcaa8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132884/

Comments