MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c63d0166ebe40cb15a0754ed2902a9f076c81a0f5c7deafe74d9916d3d7a28a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c63d0166ebe40cb15a0754ed2902a9f076c81a0f5c7deafe74d9916d3d7a28a
SHA3-384 hash: 7dc2f3c0bcfef9c914ce9032e4af34802679101c33cb26b4feaf8b6c89de954951072817e57633ddde1d77096a9b522f
SHA1 hash: e7674c2711f848964410acc1367ac9884376939b
MD5 hash: a3e78d050b5ed25bf34d56339e6608ed
humanhash: illinois-lima-arkansas-arkansas
File name:Order-Poland.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'311'424 bytes
First seen:2020-11-28 09:18:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7f986b767e22dea5696886cb4d7da70 (5 x ModiLoader, 2 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 24576:FiLDfJXRq+fowpGG7By3Z72mwt8gKmX9hIbEIKn:FiLr5By3Z7NbgKAj
Threatray 635 similar samples on MalwareBazaar
TLSH F055C02371A28439C121A97D9E0780FE2F75FD767958F50E3BD0A90C8E3AA81F9151DB
Reporter abuse_ch
Tags:AveMariaRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: portex.kylos.pl
Sending IP: 193.107.88.86
From: biuro@colver.pl
Reply-To: account@atlanticnavigation.com
Subject: Request For Quotation
Attachment: Order-Poland.zip (contains "Order-Poland.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Warzonerat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/105873/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/549954
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 324087 Sample: Order-Poland.exe Startdate: 28/11/2020 Architecture: WINDOWS Score: 100 35 Multi AV Scanner detection for domain / URL 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 8 other signatures 2->41 6 Ncfxdrv.exe 2->6         started        10 Ncfxdrv.exe 2->10         started        12 Order-Poland.exe 1 2 2->12         started        process3 dnsIp4 43 Writes to foreign memory regions 6->43 45 Allocates memory in foreign processes 6->45 47 Injects a PE file into a foreign processes 6->47 15 ieinstal.exe 3 2 6->15         started        49 Multi AV Scanner detection for dropped file 10->49 51 Machine Learning detection for dropped file 10->51 19 ieinstal.exe 10->19         started        25 cdn.discordapp.com 162.159.134.233, 443, 49738, 49749 CLOUDFLARENETUS United States 12->25 27 discord.com 162.159.137.232, 443, 49737, 49748 CLOUDFLARENETUS United States 12->27 23 C:\Users\user\AppData\Local\...23cfxdrv.exe, PE32 12->23 dropped 21 ieinstal.exe 12->21         started        file5 signatures6 process7 dnsIp8 29 efiigbo9.duckdns.org 79.134.225.76, 49771, 49772, 49773 FINK-TELECOM-SERVICESCH Switzerland 15->29 31 Increases the number of concurrent connection per server for Internet Explorer 15->31 33 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->33 signatures9
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9c63d0166ebe40cb15a0754ed2902a9f076c81a0f5c7deafe74d9916d3d7a28a/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-11-27 10:00:16 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=trr5aftoxzamwfnaovhnfebkt4dwzana6xd55l7hjwmrnu6xukfa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
122ef85900670d4776f3afdbe676d59c23c4cd9944b9d392eb9a446b3bb40dde
AveMariaRAT
5cbed2f8a5fdadbd99816c4c8792bd51a2db7479f80bf70409f0f257f942d0c9
AveMariaRAT
6c483817d7c95cd3ac3be070d84f1647b938ad3341f7b4854924a77892507af8
AveMariaRAT
803ed954a2fbfa36e1b154d7b1b6b270021eb72583d5a876e5aaedd728c39cc7
AveMariaRAT
a0792945510f126714a42e9b4cef8b7e8d7aab504772b076c6df0a4e96f08e89
AveMariaRAT
af84cf642737e0b62537d9a78861cc129fbc0e68a34770cb70c6ccaa3f553687
AveMariaRAT
b50f9caa6df41cf34a52f45f989dc38ba037fd68535f6d7015fe602c826b0c1c
AveMariaRAT
e4769506e482cbdbaeae35eb657e75cfb941ab66253770896493666b023851a5
AveMariaRAT
f69faea7165ab34da776a4afaeb59a46c6061f58d431bc231bbab76db9e2ec4c
AveMariaRAT
ffa217c445af7f07f0c9fbdcc488db8e06ecfdb43906c6c5e7a11f7ac04b4bf4
AveMariaRAT
+ 625 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/201128-1tvgynftye/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
9c63d0166ebe40cb15a0754ed2902a9f076c81a0f5c7deafe74d9916d3d7a28a
MD5 hash:
a3e78d050b5ed25bf34d56339e6608ed
SHA1 hash:
e7674c2711f848964410acc1367ac9884376939b
Link:
https://www.unpac.me/results/81da7bed-84ed-42f6-9358-ea711d7a5dcc/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

zip f97d91041fc4c99516281771d2cde789b814a8fb8dceda5d59c40b32749d63e9

AveMariaRAT

Executable exe 9c63d0166ebe40cb15a0754ed2902a9f076c81a0f5c7deafe74d9916d3d7a28a

(this sample)

  
Dropped by
MD5 25b16a3e550080de8f7b762994164642
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f97d91041fc4c99516281771d2cde789b814a8fb8dceda5d59c40b32749d63e9
Cape
Cape
https://www.capesandbox.com/analysis/105873/

Comments