MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2f8c191b7fb47cf9266a986aa47e6897d6615889b76a0050450fb68afc279f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	a2f8c191b7fb47cf9266a986aa47e6897d6615889b76a0050450fb68afc279f6
SHA3-384 hash:	d951862a971db0f7f4af2f45b1fcfcdf2e4040f5fd7f65acf2e16dd5084e2bff769cd850a747fa9217b720810f81425b
SHA1 hash:	f450f340626bb0e9c89d04d0bb2ec97dcc9d4628
MD5 hash:	0e01d4a19afa5c98b4ea02e90d1452bc
humanhash:	solar-happy-solar-charlie
File name:	Orden de compra.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	827'392 bytes
First seen:	2021-07-20 18:39:23 UTC
Last seen:	2021-07-20 20:15:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	25123f7d748b46edefb4a7db9e8db89d (3 x RemcosRAT, 1 x AveMariaRAT, 1 x BitRAT)
ssdeep	12288:4szqT1gEnXaAbWRBOQW/xgYwRTtIvsECmW6l4l1G2YaNlRSsm7/Ssdpk6dz:4sOOSaAbWPOQWZ6ltIvy2AfS7764z
Threatray	987 similar samples on MalwareBazaar
TLSH	T19105AE25F3816833DA332E394D0B637A492B7E323D0575CBA7E95D484FAC652783724A
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

170

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Orden de compra.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-20 18:44:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d7f173dd-84b0-4234-b41a-9fb1ec93e878

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/172878/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.6389.8569.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AVE_MARIA

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/52f33cf4-9383-496a-909f-6ecf69f4a26d

Result

Threat name:

AveMaria

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/819174

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Changes memory attributes in foreign processes to executable or writable

Contains functionality to hide user accounts

Creates a thread in another existing process (thread injection)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Increases the number of concurrent connection per server for Internet Explorer

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Malicious sample detected (through community Yara rule)

Modifies the prolog of user mode functions (user mode inline hooks)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected AveMaria stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a2f8c191b7fb47cf9266a986aa47e6897d6615889b76a0050450fb68afc279f6/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-07-20 18:40:05 UTC

AV detection:

5 of 28 (17.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ul4mdenx7nd47etgvgdkur7grf6wmfmitn3kabiekd5wrl6cph3a._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

622c48a052fbbc1859678ec8a5f604ff9a1a368df282758e60b766c96c2555fb

AveMariaRAT

88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5

AveMariaRAT

9b342770fe4594e3a6d22b0b8d50269f8c749fb6d43c4f22d6ba48ddbff23bb4

AveMariaRAT

9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

AveMariaRAT

9fdbaeded04f2af7ee146dc2dc2fdf91b9a6ba7202148bad21efd2398ea1f7ae

AveMariaRAT

b09ba0422073d096874e13104b4709f379468dd324eb85dcb84cd112a6609f1b

AveMariaRAT

d7a9047d6d19050866c5b5c7d08f4b45208d9b2a2a4f4179cadaf37ea92cfa89

AveMariaRAT

dbdfbca2dcc01a530cd7c449500dc0f6b564c11f9ed9dc8d746709a235d6826f

AveMariaRAT

f9ca14fcdffeb48b11ea026812ac0a7dc941f27e0c1384dc8e9b83b18de4c2a7

AveMariaRAT

+ 977 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer rat spyware stealer

Link:

https://tria.ge/reports/210720-pdegckttdx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Program crash

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

juner234.ddns.net:5793

Unpacked files

SH256 hash:

3c89381eb5d9bc9b2cc8835190944650d0fab08f3f5bd80e7d60c805c34f85a3

MD5 hash:

046256d9fc63f3f656d8a381e787ccdd

SHA1 hash:

d60bbe23be14e9acd5d9f718ce5686dbcf65e518

Link:

https://www.unpac.me/results/6db6b34b-5baf-475c-a52c-1f35142774bd/

SH256 hash:

a2f8c191b7fb47cf9266a986aa47e6897d6615889b76a0050450fb68afc279f6

MD5 hash:

0e01d4a19afa5c98b4ea02e90d1452bc

SHA1 hash:

f450f340626bb0e9c89d04d0bb2ec97dcc9d4628

Link:

https://www.unpac.me/results/6db6b34b-5baf-475c-a52c-1f35142774bd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.84

Link:

https://yomi.yoroi.company/submissions/a2f8c191b7fb47cf9266a986aa47e6897d6615889b76a0050450fb68afc279f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/172878/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample