MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a607cec440113a15857e5af97900685979bc307112628b6667a8a231f6559145. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a607cec440113a15857e5af97900685979bc307112628b6667a8a231f6559145
SHA3-384 hash: f3bec2ee5bd57beb2824933e3a5dd44fb8a7134a86308862354af398d549d06689278c2826a7d3c4449f5ead08df0de6
SHA1 hash: 4271e782225898db376804badf81dbe786378a6d
MD5 hash: 54b2af75874aab5451c12853c6564bd5
humanhash: stream-bacon-bluebird-comet
File name:scan002.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'057'792 bytes
First seen:2020-05-19 06:03:22 UTC
Last seen:2020-05-19 07:13:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 507b40b2dc63c889d0c41f7b024904c8 (2 x AveMariaRAT)
ssdeep 12288:1JW8DozxJ2YyaQiiguujW4kdb/B+OlAso1vxFMNIs1BTNdAL0++59m:JozX2YzOlA3N0pNuLI9
Threatray 516 similar samples on MalwareBazaar
TLSH 02255A64B762D018F9FB2AF642EE217D847EBBD40B29A0C711D019EE1526AE4FC31753
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: standfordgroups.com
Sending IP: 62.173.142.172
From: Ali Omar <ali.omar@gmail.com>
Subject: Fwd: Fw: Re: Re: Order Confirmation for advance payment
Attachment: scan002.zip (contains "scan002.exe")

AveMariaRAT C2:
216.38.2.212:5200

Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Maria.4.3079.15537.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 06:36:59 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uyd45rcace5blbl6ll4xsadilf43ymdrcjriwzthvcrdd5svsfcq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
049a3258d1222a41415a8099d2b79c88ac64400543b9e8d83e450ca592593faf
AveMariaRAT
0ca6d24907152bf5a6dd6a35cf7ab3e7712ebfa0a2245f2bdfc8a17ebed71bc4
AveMariaRAT
1b13660c52adcccc1cef45f137a3373f5615500a609c61a9872e5ed4336e629a
AveMariaRAT
3a5943219f8400531a411b909b666337ba4f232d19e003a0128e0d699106f04f
AveMariaRAT
7c186a7edf751a516c70679dd03e248eabb14a56497c064c16d43b1133b9b86a
AveMariaRAT
8e2a4af633ffda92d8508e04274bad284ba57cddcdc2ee2c933a68ec6da5d4cd
AveMariaRAT
a6c22328747eaee0b88ce02ad48e8d2860cb275bc2494248a173ccc8bf891563
AveMariaRAT
b5b64f85cdeb5432018e22087fce4b6dc1e56593e8416335f471d4eac1e2b8cf
AveMariaRAT
da7d4b75bfe7b58a32a24ddc9f97e8b479933a515a20945c81d279dc29206bd8
AveMariaRAT
fe1fd26713b3290eb083f29aad553453ad78a6efd99c9b351bf405cfd45de4c3
AveMariaRAT
+ 506 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/201109-ess63qxrzs/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Warzone RAT Payload
ServiceHost packer
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_malumpos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

zip 54f2dec814ce02f4f29ab32e4e3e4328acca9864d54f8e23e39bd0daa9ec1af5

AveMariaRAT

Executable exe a607cec440113a15857e5af97900685979bc307112628b6667a8a231f6559145

(this sample)

  
Dropped by
MD5 25cf4831f44b1349380c5627586ad7db
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 54f2dec814ce02f4f29ab32e4e3e4328acca9864d54f8e23e39bd0daa9ec1af5

Comments