MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a458562e508b49f6195292bc432a95ce03b2d48926441aea5c077f010cd965c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a458562e508b49f6195292bc432a95ce03b2d48926441aea5c077f010cd965c3
SHA3-384 hash: e4771401a5a736c4f1705904c635c367973743bd82739e7670a5f56ea6b472a97614fa43839f71379c3d41c27fb2b111
SHA1 hash: 9edd648a7b263ee30ae981c652b6dcfcd8ffa959
MD5 hash: 8a219fc362244cc6d03a474d796ee04d
humanhash: timing-grey-low-green
File name:LOBIQ Project Phase ii Procurement.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:802'400 bytes
First seen:2021-01-14 06:15:52 UTC
Last seen:2021-01-14 08:19:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a846e0e5a50a721e6f501c5c4cf92e0f (1 x AveMariaRAT, 1 x AZORult)
ssdeep 6144:caeZ1PfSMah0XvpQm4HzH7oa8S/kY6xJrFUL+D8p4AswQMsZVW2AAZC+Elyr3Ytu:teZVS9hieBSbrFiM8EbZkW7Kyr3YzQ
Threatray 698 similar samples on MalwareBazaar
TLSH 9D05A135A1F9C6F2C1A63938EC0BB2F85825EE50E9249C4F3DD83E49BA34651F43525E
Reporter abuse_ch
Tags:AveMariaRAT exe RAT Yahoo


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: sonic303-4.consmr.mail.sg3.yahoo.com
Sending IP: 106.10.242.181
From: SAPLING TECHNOMATICS <saplingtechnomatics@yahoo.com>
Subject: LOBIQ Project Phase ii Procurement
Attachment: LOBIQ Project Phase ii Procurement.img (contains "LOBIQ Project Phase ii Procurement.exe")

AveMariaRAT C2:
xchilogs.duckdns.org:5893 (96.9.210.108)

Intelligence

File Origin
# of uploads :
2
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LOBIQ Project Phase ii Procurement.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 06:19:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3bd6c440-1fac-4235-853d-670686d73bd4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111912/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Deleting a recently created file
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Stealing user critical data
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/580867
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 339468 Sample: LOBIQ Project Phase ii Proc... Startdate: 14/01/2021 Architecture: WINDOWS Score: 100 45 cdn.onenote.net 2->45 73 Malicious sample detected (through community Yara rule) 2->73 75 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 4 other signatures 2->79 8 LOBIQ Project Phase ii Procurement.exe 1 21 2->8         started        13 mshta.exe 19 2->13         started        15 mshta.exe 19 2->15         started        signatures3 process4 dnsIp5 47 1drv.ws 168.235.93.122, 443, 49723, 49727 RAMNODEUS United States 8->47 49 s9w4ug.bl.files.1drv.com 8->49 51 bl-files.fe.1drv.com 8->51 29 C:\Users\user\AppData\Local\...\Qgiqines.exe, PE32 8->29 dropped 81 Writes to foreign memory regions 8->81 83 Allocates memory in foreign processes 8->83 85 Creates a thread in another existing process (thread injection) 8->85 87 Injects a PE file into a foreign processes 8->87 17 ieinstal.exe 3 4 8->17         started        21 Qgiqines.exe 17 13->21         started        23 Qgiqines.exe 16 15->23         started        file6 signatures7 process8 dnsIp9 31 xchilogs.duckdns.org 96.9.210.108, 49735, 5893 NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG United States 17->31 53 Tries to steal Mail credentials (via file access) 17->53 55 Tries to harvest and steal browser information (history, passwords, etc) 17->55 57 Increases the number of concurrent connection per server for Internet Explorer 17->57 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->59 33 s9w4ug.bl.files.1drv.com 21->33 35 bl-files.fe.1drv.com 21->35 37 1drv.ws 21->37 61 Multi AV Scanner detection for dropped file 21->61 63 Machine Learning detection for dropped file 21->63 65 Writes to foreign memory regions 21->65 25 ieinstal.exe 1 21->25         started        39 s9w4ug.bl.files.1drv.com 23->39 41 bl-files.fe.1drv.com 23->41 43 1drv.ws 23->43 67 Allocates memory in foreign processes 23->67 69 Creates a thread in another existing process (thread injection) 23->69 71 Injects a PE file into a foreign processes 23->71 27 ieinstal.exe 1 23->27         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a458562e508b49f6195292bc432a95ce03b2d48926441aea5c077f010cd965c3/
Threat name:
Win32.Infostealer.BestaFera
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 06:16:08 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=urmfmlsqrne7mgkssk6egkuvzyb3fvejezcbv2s4a57qcdgzmxbq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0629278e51106220eb8727f80f4c24cfb432e6344561e8518030b19b669bcc72
AveMariaRAT
281c044f76037c63cb0cdb9da800b0e4320f6c8ddfe0509e7d8451a155d7e731
AveMariaRAT
46520e8955eff183518aa7ad908eff5e9d0c7094be0d9821f037a11a25ff4b3e
AveMariaRAT
5d393a34a6faf41a81f32a8866ef2468cedf9912b9df8fab2970361b030da87a
AveMariaRAT
88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5
AveMariaRAT
97b34cb713e879fb7cfe158a3180b73d1c71b71446368f242a0c004d0c3462dd
AveMariaRAT
9f5afe868a8dd23926e807303d8896b239b802a3c366e448f4c59a103540019f
AveMariaRAT
af84cf642737e0b62537d9a78861cc129fbc0e68a34770cb70c6ccaa3f553687
AveMariaRAT
b98f29a897354964b324ad55f046ae324f4f43efe17abdfbbfd726792ec3c763
AveMariaRAT
f6878003c470e531787cd70fc0785bb01a5c64d6a39f0efec5aabc5ac3f5f889
AveMariaRAT
+ 688 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210114-vktd7dgmdn/
Behaviour
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
JavaScript code in executable
Loads dropped DLL
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
a458562e508b49f6195292bc432a95ce03b2d48926441aea5c077f010cd965c3
MD5 hash:
8a219fc362244cc6d03a474d796ee04d
SHA1 hash:
9edd648a7b263ee30ae981c652b6dcfcd8ffa959
Link:
https://www.unpac.me/results/9b832e2b-6afd-420f-9777-934c52c8e613/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a458562e508b49f6195292bc432a95ce03b2d48926441aea5c077f010cd965c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

img cee5001a70a53b791a91da4e9d5a9d374e6327f72486fc4fbace5ea10931b2ba

AveMariaRAT

Executable exe a458562e508b49f6195292bc432a95ce03b2d48926441aea5c077f010cd965c3

(this sample)

  
Dropped by
MD5 c408c96d699d5dd26a08e8fb9b080def
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 cee5001a70a53b791a91da4e9d5a9d374e6327f72486fc4fbace5ea10931b2ba
Cape
Cape
https://www.capesandbox.com/analysis/111912/

Comments