MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a097de1f208326efba15c15db8abd10aae2cf392d90c5207c18aa79ec14255a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a097de1f208326efba15c15db8abd10aae2cf392d90c5207c18aa79ec14255a9
SHA3-384 hash: c42dd56fbbee48e66983b37f908fbe9e1db038fbda1d74c5a30bba1aef759605338d50a906546361658d244874573252
SHA1 hash: 884ce62e1db5c0b5039c4ced52eb5add92f05d0d
MD5 hash: 3eb2a050c7f884a01737ad1f05e6c4e4
humanhash: nineteen-xray-india-august
File name:Remittance.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'177'117 bytes
First seen:2021-11-10 15:21:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:XAOcZ1Bisjhip07TwNqQ0m+LxSPhmNNAn+1TpQ+ZJgi+nDKhF5p:p2lipjgS8k58owTPZJlpp
Threatray 2'524 similar samples on MalwareBazaar
TLSH T186451201B6C6C4B3D8762E32193B6B116ABD7C305E34EA4FE7D07969EA721406125BB3
File icon (PE):PE icon
dhash icon 141898dbdbbbe793 (1 x AveMariaRAT)
Reporter lowmal3
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RDPWrap
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204764/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/618be39c175442ca93aad3d0/reports/6c91cb6d-3802-46d0-89cf-ec3c41ba073b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ed7120b9-4894-4cb5-89b4-933aa0329c22
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/886838
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Drops PE files with a suspicious file extension
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a097de1f208326efba15c15db8abd10aae2cf392d90c5207c18aa79ec14255a9/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 15:22:05 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucl54hzaqmto7oqvyfo3rk6rbkxcz44s3egfeb6brktz5qkckwuq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
364aedff57905c2b2828c999f3d08db45d75854cd0beb44f3331dff02714e03c
AveMariaRAT
52e2c9a43a9de0685055f60bd590f2f893882ad710f3b7e8c451985eea69ec07
AveMariaRAT
649acc4a8ec45c2b3d6e217e3818db8174eb3a3bd923d8b907f6164fd42bb751
AveMariaRAT
85b125dd1a4f4b71bee8596b964c5b0d6e40c9f179fba745d0e10e2c637f7f64
AveMariaRAT
9454554ff02715a0e17bde7743b9fa2eb0795058d02c178b148d2c090396dfba
AveMariaRAT
995c82e7ea2a4f8882876f17fe0e3cacb47860744d48f250bdee6a7e9b01f0f7
AveMariaRAT
9e2a3d4464636baff78628d870f39d1a9f3ba23da71f8c50ead2576479077702
AveMariaRAT
f4d3d1d7abd51b08b3bad84d718cb3beaf9d0513422ce276ea2cc2617c3cf889
AveMariaRAT
+ 2'514 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/211110-srwtqaeeap/
Behaviour
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
185.150.25.243:3543
Unpacked files
SH256 hash:
af4895b5a9b3f26625cd11defe3d2d7417fb72d74c623014a3898dd67bde24c9
MD5 hash:
e41a80d0ef54a7d0592b500bb783b084
SHA1 hash:
eea9a8db7582e978efd014e39988d6727665d0f5
Link:
https://www.unpac.me/results/74471950-b086-4381-9ea7-4e3045b7dded/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/74471950-b086-4381-9ea7-4e3045b7dded/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/74471950-b086-4381-9ea7-4e3045b7dded/
SH256 hash:
95f0245d74498649b69966d95081b2e79c11066d71779b50f63683d893371964
MD5 hash:
9cb7cad448e0bc6cb3452f9c7512a4f4
SHA1 hash:
c79cbf3a5edc9ee3d3b71c024d88f119b55630b7
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/74471950-b086-4381-9ea7-4e3045b7dded/
SH256 hash:
9295214f20bc1062b304df861c32959f73bb6d06b04ab7efc6bd8b275f97b8c3
MD5 hash:
53d397c51a0c2259d9a4e5c362fe789e
SHA1 hash:
e4552b6c2999502097937b57d8a2f24d348de104
Link:
https://www.unpac.me/results/74471950-b086-4381-9ea7-4e3045b7dded/
SH256 hash:
a097de1f208326efba15c15db8abd10aae2cf392d90c5207c18aa79ec14255a9
MD5 hash:
3eb2a050c7f884a01737ad1f05e6c4e4
SHA1 hash:
884ce62e1db5c0b5039c4ced52eb5add92f05d0d
Link:
https://www.unpac.me/results/74471950-b086-4381-9ea7-4e3045b7dded/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a097de1f2083/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a097de1f208326efba15c15db8abd10aae2cf392d90c5207c18aa79ec14255a9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe a097de1f208326efba15c15db8abd10aae2cf392d90c5207c18aa79ec14255a9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/204764/

Comments