MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aae06c61ea30fd920db8caa7e32eefe1b74842affe3fa6d53ce6765f49783ed5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aae06c61ea30fd920db8caa7e32eefe1b74842affe3fa6d53ce6765f49783ed5
SHA3-384 hash: 127d1689653bc0af88572e110d87a0d30a69c77cf60f4114ef9f1a898ee02201f03c86698c10e6e170ac1539bd84ed1e
SHA1 hash: 6885d4569ca59b6ffdefbb78503745b36f551784
MD5 hash: e1726ebde2d09435b5709a6b7a1d1d16
humanhash: west-bulldog-nuts-cold
File name:Documentos internos de transferencia de dinero Banco Santader.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:134'080 bytes
First seen:2020-10-27 16:42:20 UTC
Last seen:2020-10-27 18:37:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 1536:qnIYU4jHMvcDYj/Q+wdsV0QvJj8D/JV4oHWXNd9xToVodxMvvikq8djyOAUfV:qndm1f0QvJj8D/vD29d9WyOJ
Threatray 527 similar samples on MalwareBazaar
TLSH 47D342027281F617D3F68A3018E2C8852EF5F5F21830C55DE9D46BCDC9895B93EA6DCA
Reporter abuse_ch
Tags:AveMariaRAT ESP exe geo RAT Santander


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: h22.megalink.com
Sending IP: 200.75.160.22
From: Banco Santander S.A <xavier.m@caixabank.es>
Subject: SV:Transferencia de pago
Attachment: Documentos internos de transferencia de dinero Banco Santader.arj (contains "Documentos internos de transferencia de dinero Banco Santader.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Dtloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/80039/
Detection(s):
SecuriteInfo.com.ArtemisE1726EBDE2D0.3389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Unauthorized injection to a system process
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/514049
Signature
Allocates memory in foreign processes
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 306138 Sample: Documentos internos de tran... Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 60 Malicious sample detected (through community Yara rule) 2->60 62 Yara detected AntiVM_3 2->62 64 Yara detected AveMaria stealer 2->64 66 6 other signatures 2->66 7 Documentos internos de transferencia de dinero Banco Santader.exe 18 4 2->7         started        12 Documentos internos de transferencia de dinero Banco Santader.exe 2 2->12         started        14 Documentos internos de transferencia de dinero Banco Santader.exe 2 2->14         started        16 3 other processes 2->16 process3 dnsIp4 56 www.google.it 172.217.168.67 GOOGLEUS United States 7->56 58 ahgwqrq.xyz 172.67.142.40, 443, 49725, 49741 CLOUDFLARENETUS United States 7->58 50 Documentos interno... Banco Santader.exe, PE32 7->50 dropped 76 Creates an undocumented autostart registry key 7->76 78 Writes to foreign memory regions 7->78 80 Allocates memory in foreign processes 7->80 18 aspnet_state.exe 3 2 7->18         started        22 WerFault.exe 23 9 7->22         started        24 timeout.exe 1 7->24         started        82 Hides threads from debuggers 12->82 84 Injects a PE file into a foreign processes 12->84 26 timeout.exe 1 12->26         started        34 2 other processes 12->34 28 timeout.exe 14->28         started        30 aspnet_state.exe 14->30         started        86 Creates autostart registry keys with suspicious names 16->86 88 Creates multiple autostart registry keys 16->88 32 timeout.exe 16->32         started        36 2 other processes 16->36 file5 signatures6 process7 dnsIp8 52 178.170.138.163, 4554, 49735 ETOP-ASPL Netherlands 18->52 68 Contains functionality to inject threads in other processes 18->68 70 Contains functionality to steal Chrome passwords or cookies 18->70 72 Contains functionality to steal e-mail passwords 18->72 74 2 other signatures 18->74 54 192.168.2.1 unknown unknown 22->54 38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 conhost.exe 32->44         started        46 conhost.exe 36->46         started        48 conhost.exe 36->48         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aae06c61ea30fd920db8caa7e32eefe1b74842affe3fa6d53ce6765f49783ed5/
Threat name:
ByteCode-MSIL.Trojan.AveMariaRAT
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 14:58:52 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vlqgyypkgd6zednyzkt6glxp4g3uqqvp7y72nvj44z3f6slyh3kq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
047cc8e0672ffab0edff9ab97852667517b5d2ad28048037c126d06e3e28b8af
AveMariaRAT
18ec681c471f185edf3ab8e23b52b4ea2a87162f9957b4d5d10ac0e2bc008405
AveMariaRAT
2850ddcebc7ed468cb0db271e54956468f0c93dd57a233665646d28cb1139373
AveMariaRAT
285f4e79ae946ef179e45319caf11bf0c1cdaa376924b83bfbf82ed39361911b
AveMariaRAT
5b92d7f869973b50de0c707ce58afacd6f1202364283c7dffa6ffd79a41a93eb
AveMariaRAT
c805a81435618323cd34e9729b058df78e9c496d1d6c752cc3e5c7cb30f26613
AveMariaRAT
c838da7346e7f3373f9f1a84a073c248f785e82be48db979cdb339460402de06
AveMariaRAT
e9ef69bd0b38ec9381f02d44dd893c75ac6c1e6a96f4e320416636860d05d398
AveMariaRAT
ebbc6c8a9394818874d649441f0644f42f52fd0aac5090212a9908b4b8889d6e
AveMariaRAT
fc4b29f54e0b3ed0493ba85310a2665ab47e5143f3cb3ce09686f0560dd1ed04
AveMariaRAT
+ 517 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/201027-lm648nblk2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Warzone RAT Payload
Modifies WinLogon for persistence
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aae06c61ea30fd920db8caa7e32eefe1b74842affe3fa6d53ce6765f49783ed5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

arj 2a5a181ecc172751200fac657f9cb4cd93480a983996804579df187ddbde657b

AveMariaRAT

Executable exe aae06c61ea30fd920db8caa7e32eefe1b74842affe3fa6d53ce6765f49783ed5

(this sample)

  
Dropped by
MD5 e065d2f829bb38d2f6a6d5a072f88042
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/80039/
  
Dropped by
SHA256 2a5a181ecc172751200fac657f9cb4cd93480a983996804579df187ddbde657b

Comments