MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a102c4a2dfca8c218f1e65cbb5050012da856c3deba018d8c238fa9b09dd3a2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a102c4a2dfca8c218f1e65cbb5050012da856c3deba018d8c238fa9b09dd3a2b
SHA3-384 hash: 7f3bd14b5fa803c668f23cae126e3f8a2085dc4d4d7ad8583c60d190b464f7efc5e5aab93a6fbafada0aa67d23a0d1a8
SHA1 hash: 1d4602c4a30ad28faffb1c49476fa57418c8f317
MD5 hash: 928c2e9a5a0a7b0aeaae84c01e507780
humanhash: louisiana-nitrogen-maryland-hot
File name:Invoice.pdf.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'680'896 bytes
First seen:2020-06-05 06:43:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1d6c7d67ac44ed3784afd4dc61a1cbb8 (1 x AveMariaRAT)
ssdeep 6144:cnDD4IwaK4wCq8ryvXhQE8hvmBT81fzAOOnN/PjxU8B:cDD4Iu4wCq8ryvXamN8ZwNPjxU8B
Threatray 510 similar samples on MalwareBazaar
TLSH 30755C0339C1ED6AC1FA00B0C9B3DFA3395AFE659E104177C3A63B5A0D75298663C9D9
Reporter cocaman
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6649/
Gathering data
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2020-06-05 06:52:31 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uebmjiw7zkgcddy6mxf3kbiaclnik3b55oqbrwgchd5jwco5hivq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
1b13660c52adcccc1cef45f137a3373f5615500a609c61a9872e5ed4336e629a
AveMariaRAT
3a5943219f8400531a411b909b666337ba4f232d19e003a0128e0d699106f04f
AveMariaRAT
40503a4df817599fdf0125c5b99076700718e3eb50bbb759d139aa95a8d18d59
AveMariaRAT
5c7b6c75eee95614a740b733b6895346066ae6c893c7b7cc8885ffa425ca6c86
AveMariaRAT
6aa3f7b3a95e622895833b668d7613bfa4329b9b932fe73e596778f1afb81868
AveMariaRAT
7dff88b3b51db9f32b155133aba7bff719133a881082bbffd5dad02f7acf79e6
AveMariaRAT
a5c337beb2e41e7d67b1059947b120be8634c3365eff2e9e8b03a6a5d518c5de
AveMariaRAT
b0a07341a4c0e316a7b8ebc2b0fafa04439bd033002d653d3be2a024dfd93150
AveMariaRAT
ebddbf171d569ce4db44a0284ac1cbe390e075854749713aa9186276036cacd6
AveMariaRAT
f6992d6684eb90b504ae13c3a5159e336005a415c7e50ed2dc7f1420ffa488b1
AveMariaRAT
+ 500 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/201109-b89p52kp52/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops startup file
Warzone RAT Payload
ServiceHost packer
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

z 98331ea1f366740dc86fc25565d4a145c2b0e1c8151f7a6eaa5fc7ec1568c1f6

AveMariaRAT

Executable exe a102c4a2dfca8c218f1e65cbb5050012da856c3deba018d8c238fa9b09dd3a2b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 98331ea1f366740dc86fc25565d4a145c2b0e1c8151f7a6eaa5fc7ec1568c1f6
Cape
Cape
https://www.capesandbox.com/analysis/6649/

Comments