MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4cb4b3c28208b5f92691ffa076e7926b70f7c2f03911c5772f3db84f0994807. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4cb4b3c28208b5f92691ffa076e7926b70f7c2f03911c5772f3db84f0994807
SHA3-384 hash: c88f1b0f4ac92c5fa41ebb433c20180bff4926c5ce8ab7640630460a791358bafc44a1251bc89dc3b7e1a63d9acf4b45
SHA1 hash: 018c1f8bd691209c9f48e419b0ce2c99248d8a7e
MD5 hash: 389c4fa866982f6c3d37c2f9af82569f
humanhash: shade-cola-delta-wisconsin
File name:ES00415Q0123854MDESPN.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:478'208 bytes
First seen:2020-10-08 14:03:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6b95e48f7f3354eb8a9cb9025609bd42 (1 x AveMariaRAT)
ssdeep 12288:2RiyiDdk/dkMaumZfF/gv0ZtzrIZvY8yb6AY5:IiyMgiu0WZAr6
Threatray 462 similar samples on MalwareBazaar
TLSH 16A423C6314BF17CCBCBF8FCBEB5845EE73C6864498601996B84458AFD8BE9182048C7
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: dts.alphajetservices.com
Sending IP: 185.78.220.36
From: cliente@bbva.com
Subject: BBVA: Instrucción de Depósito a tu Cuenta
Attachment: ES00415Q0123854MDESPN.Gz (contains "ES00415Q0123854MDESPN.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69279/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Creating a file
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Connection attempt
Creating a file in the %AppData% directory
Deleting a recently created file
Reading critical registry keys
Creating a file in the %temp% directory
Stealing user critical data
Enabling autorun by creating a file
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485604
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to create processes via WMI
Creates files in alternative data streams (ADS)
Creates processes via WMI
Drops script or batch files to the startup folder
Increases the number of concurrent connection per server for Internet Explorer
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4cb4b3c28208b5f92691ffa076e7926b70f7c2f03911c5772f3db84f0994807/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 13:31:43 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=utfuwpbiecfv7etjd75ao3tze23q67bpaoiryv3s6pnyj4ezjadq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
4159a61a7c0571bee10a33f8d05ef51de606960476f66a00efcced87680be615
AveMariaRAT
622c48a052fbbc1859678ec8a5f604ff9a1a368df282758e60b766c96c2555fb
AveMariaRAT
880a8ee4e17767269813cd357c07c5453bc9cff047a2c201d6477d4b27c016c4
AveMariaRAT
b09ba0422073d096874e13104b4709f379468dd324eb85dcb84cd112a6609f1b
AveMariaRAT
c2f08787396a9dd02b4294818f0919695771ad8689b40b050fe65ebef18aa5ca
AveMariaRAT
d30b949fc05b15b611b3fe420b6883062c5bb2b270c769540c48f703a46cbbf3
AveMariaRAT
d7a9047d6d19050866c5b5c7d08f4b45208d9b2a2a4f4179cadaf37ea92cfa89
AveMariaRAT
de966245d2120df80add0bc610965487383a27ca6434abb2a41d3fb6447ee0cf
AveMariaRAT
e0e3ae47b7e48c3c81724d0a63f5f6f8033bb516d97c538ea52349a102a0e1b6
AveMariaRAT
fe7dc35391c88f2001b6637186c2fa677bb5f1a08cfdafcfc95a1e1fc2f026a9
AveMariaRAT
+ 452 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/201008-sblr1l27fj/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
JavaScript code in executable
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
a4cb4b3c28208b5f92691ffa076e7926b70f7c2f03911c5772f3db84f0994807
MD5 hash:
389c4fa866982f6c3d37c2f9af82569f
SHA1 hash:
018c1f8bd691209c9f48e419b0ce2c99248d8a7e
Link:
https://www.unpac.me/results/f9937926-73b0-4e35-9506-9c357ef3896b/
SH256 hash:
6efa7523d09237abc79b7031cc4935f7e11db4c9d0d6c30068aeae2e94d48475
MD5 hash:
8b7c1a303bf41b1e0045fc0956056d61
SHA1 hash:
f1babafb19c25e1f5e67026cdbbc61bae845ad0a
Detections:
win_rektloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/f9937926-73b0-4e35-9506-9c357ef3896b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4cb4b3c28208b5f92691ffa076e7926b70f7c2f03911c5772f3db84f0994807

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_rektloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

gz 9300a25b2fbf67143b9d82689a509766aec5b0e35a001dfa40b8563723254fd1

AveMariaRAT

Executable exe a4cb4b3c28208b5f92691ffa076e7926b70f7c2f03911c5772f3db84f0994807

(this sample)

  
Dropped by
MD5 f1edb1849942b789580765542421ac17
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69279/
  
Dropped by
SHA256 9300a25b2fbf67143b9d82689a509766aec5b0e35a001dfa40b8563723254fd1

Comments