MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 949e65785ee74b4ee36a4ae53e734e8a59df3b0792213589fc17cc7fb48712da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	949e65785ee74b4ee36a4ae53e734e8a59df3b0792213589fc17cc7fb48712da
SHA3-384 hash:	ba704e51a9cfc26eac596da04019d1e5110a147de7f8ef7c822ccc29630383b0df03902961a690f83cfc9cca78a6b7c1
SHA1 hash:	bcc1e7eb3039178af32d9f45341e3cb284e458ac
MD5 hash:	5a04e8ab195a8c2278f554825477e931
humanhash:	papa-pip-quebec-oklahoma
File name:	Revised DWG original copy for confirmation.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	311'296 bytes
First seen:	2020-07-29 07:48:14 UTC
Last seen:	2020-07-29 09:11:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:n25FwLir90hfwalNK8ty8aHGdKapp1ac8w63cf:n25e25G7KUNux3
Threatray	448 similar samples on MalwareBazaar
TLSH	EF6412726BE8C477CADE0EB7D49712904A7CE2021D13CC6F6844353C79263BD568AA7B
Reporter	abuse_ch
Tags:	AveMariaRAT exe nVpn RAT

abuse_ch

Malspam distributing unidentified malware:

HELO: mgrenewables.ge
Sending IP: 45.137.22.87
From: sales <lopota@mgrenewables.ge>
Subject: Revised DWG original copy for confirmation
Attachment: Revised DWG original copy for confirmation.cab (contains "Revised DWG original copy for confirmation.exe")

Unknown RAT C2:
bestgrace.mywire.org:2442 (185.165.153.203)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU2
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-28T20:37:37Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/34602/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.41837.32652.18614.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file in the %AppData% directory

Deleting a recently created file

Creating a file in the %temp% directory

Stealing user critical data

Enabling autorun

Result

Threat name:

AveMaria

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/402027

Signature

.NET source code contains potential unpacker

Contains functionality to hide user accounts

Creates an undocumented autostart registry key

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Yara detected AveMaria stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/949e65785ee74b4ee36a4ae53e734e8a59df3b0792213589fc17cc7fb48712da/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-29 07:50:08 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sspgk6c645fu5y3kjlst442orjm56oyhsiqtlcp4c7gh7nehclna._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

4cffbdf1d3e2016475da67b15f0ab12a9658e0970f691cebe0bd161e2e1772b2

AveMariaRAT

4fa4af45c70295513c486589c0e36e7436be6abbf3c75e97b544db959e9dfcb5

AveMariaRAT

548bf8f685146ed7ee17c7a2aef0d62dba7be7aaed575712c5004aa26e83f1b3

AveMariaRAT

6142ce64bdf7d4373dedcadb54fb06efed10595a65713783f2930eb1ebb9f989

AveMariaRAT

8f787ad8df4ea3ee0c0940cf5170cccffa5c5783f065b89581de06c53a20b30c

AveMariaRAT

b2d2fb4b44455c19c6274c4c988e675a95ad9fc2f868b0abfeafba7a51426762

AveMariaRAT

b5279796301bec9d8b3de84dff29a98dfb7cfe9d549279fddfd624b61583960f

AveMariaRAT

c72cde3224e01da2283065c5a94d252f528c132019eb2f2656c86a7caa1006c2

AveMariaRAT

e7a5b30eb4ad9f5b7b53bd402756a623c67cfb8d46d1148b40d8bc2d4ea43594

AveMariaRAT

+ 438 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence spyware

Link:

https://tria.ge/reports/200729-bpkbdzc87x/

Behaviour

Suspicious use of AdjustPrivilegeToken

JavaScript code in executable

Loads dropped DLL

Reads user/profile data of web browsers

Modifies WinLogon for persistence

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/949e65785ee74b4ee36a4ae53e734e8a59df3b0792213589fc17cc7fb48712da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator