MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b14a843c73a4020a9564492611f8a028ad6437d38e71624ba41f597122933ca4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b14a843c73a4020a9564492611f8a028ad6437d38e71624ba41f597122933ca4
SHA3-384 hash: ac45e1b8561030706bf955cc317946737bbe18c54a68cf8989961eee643ce1e659519a40b3e696f911a586f1af5806c2
SHA1 hash: 5ac7cdb250814e9e09e2631e16e218027fe705a0
MD5 hash: 5d85f3bce243ee18cc50c2eb43191b1c
humanhash: nineteen-zulu-xray-robert
File name:Descrição da oferta do produto 873564635640rden2020.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:124'792 bytes
First seen:2020-10-14 15:15:23 UTC
Last seen:2020-10-14 15:57:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:W7nFvFLFYF+FLFyxDx4kHncMERv01w4lW21mNz4ch691YKcl26/lSntlgnKdUl5i:kFvFLFYF+FLFyXH+O2
Threatray 5 similar samples on MalwareBazaar
TLSH EAC39D49A681CD00DC3907F1F6AAC8F615A63CABE830D95F2F89BDE876B31D1352254D
Reporter abuse_ch
Tags:AveMariaRAT exe geo PRT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: s65.100h.pt
Sending IP: 195.200.252.65
From: geral@cm-arruda.pt
Subject: Precio de oferta
Attachment: Descrição da oferta do produto 873564635640rden2020.arj (contains "Descrição da oferta do produto 873564635640rden2020.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70862/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.61971.29148.13720.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Adding an access-denied ACE
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Enabling autorun by creating a file
Enabling autorun
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/491250
Signature
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298162 Sample: Descri#U00e7#U00e3o da ofer... Startdate: 14/10/2020 Architecture: WINDOWS Score: 100 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 9 other signatures 2->70 7 Descri#U00e7#U00e3o da oferta do produto 873564635640rden2020.exe 18 4 2->7         started        12 Descri#U00e7#U00e3o da oferta do produto 873564635640rden2020.exe 2 2->12         started        14 Descri#U00e7#U00e3o da oferta do produto 873564635640rden2020.exe 2 2->14         started        16 3 other processes 2->16 process3 dnsIp4 56 hastebin.com 104.24.127.89, 443, 49749, 49767 CLOUDFLARENETUS United States 7->56 50 Descri#U00e7#U00e3...4635640rden2020.exe, PE32 7->50 dropped 52 Descri#U00e7#U00e3...exe:Zone.Identifier, ASCII 7->52 dropped 80 Creates an undocumented autostart registry key 7->80 82 Creates autostart registry keys with suspicious names 7->82 84 Creates multiple autostart registry keys 7->84 18 aspnet_state.exe 3 2 7->18         started        22 timeout.exe 1 7->22         started        24 WerFault.exe 23 9 7->24         started        86 Writes to foreign memory regions 12->86 88 Allocates memory in foreign processes 12->88 90 Hides threads from debuggers 12->90 26 timeout.exe 1 12->26         started        32 2 other processes 12->32 92 Injects a PE file into a foreign processes 14->92 28 timeout.exe 14->28         started        34 2 other processes 14->34 58 104.24.126.89, 443, 49772 CLOUDFLARENETUS United States 16->58 60 172.67.143.180, 443, 49773 CLOUDFLARENETUS United States 16->60 62 192.168.2.1 unknown unknown 16->62 30 timeout.exe 16->30         started        36 2 other processes 16->36 file5 signatures6 process7 dnsIp8 54 178.170.138.163, 4554 ETOP-ASPL Netherlands 18->54 72 Contains functionality to inject threads in other processes 18->72 74 Contains functionality to steal Chrome passwords or cookies 18->74 76 Contains functionality to steal e-mail passwords 18->76 78 2 other signatures 18->78 38 conhost.exe 22->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 conhost.exe 30->44         started        46 conhost.exe 36->46         started        48 conhost.exe 36->48         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b14a843c73a4020a9564492611f8a028ad6437d38e71624ba41f597122933ca4/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 09:41:45 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wffiipdtuqbavflejetbd6fafcwwin6trzywes5ed5mxciuthssa._file
Verdict:
unknown
Similar samples:
15d52fd28534185ea7113b9006d708baee62a09f9544e69989166398328364fa
AveMariaRAT
2bf089ca557a9f45614b8c69d1e99c2865ccce16d5623d43f058421ddd16e3e4
AveMariaRAT
5b8359668a34cfe71ccad1e1864a36c27a2174bd3ffe39216ae0e5e04031c1c1
AveMariaRAT
62a3f96dbc53b59dc32cac8f2627992d4152cbd6735e488c4ae86f089dc97aa8
AveMariaRAT
c1fa48c0b9c81541dc2ba39db3fc1c410f6231e8df9aa69c02bdd1c8549b453a
AveMariaRAT
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
rat persistence infostealer family:warzonerat
Link:
https://tria.ge/reports/201014-rjggtgdg16/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Warzone RAT Payload
Modifies WinLogon for persistence
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
b14a843c73a4020a9564492611f8a028ad6437d38e71624ba41f597122933ca4
MD5 hash:
5d85f3bce243ee18cc50c2eb43191b1c
SHA1 hash:
5ac7cdb250814e9e09e2631e16e218027fe705a0
Link:
https://www.unpac.me/results/1e297579-1893-4898-9ebb-f90538426721/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b14a843c73a4020a9564492611f8a028ad6437d38e71624ba41f597122933ca4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

arj 9b4d123f648ed922dda3dabaa0a43d19beefb7cd54812aee0b47ad454be040f4

AveMariaRAT

Executable exe b14a843c73a4020a9564492611f8a028ad6437d38e71624ba41f597122933ca4

(this sample)

  
Dropped by
MD5 6eeb04a6c94ab7a769408efedee39404
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70862/
  
Dropped by
SHA256 9b4d123f648ed922dda3dabaa0a43d19beefb7cd54812aee0b47ad454be040f4

Comments