MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 14

SHA256 hash: b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83
SHA3-384 hash: 7691559d7a926556b4265aa4310f636ca407d00d2756aefb8a83ab9cfeaae58e62338ab5fb3563dd9048f1978c8f53a6
SHA1 hash: 452b936847f131abd4b872815ab35c9b9bcd9cbb
MD5 hash: f0bec0deb10b8bc59a5b2d207b4cdeef
humanhash: nine-pennsylvania-washington-october
File name: cargo documents.pdf.exe
Signature: AveMariaRAT
File size: 187'904 bytes
First seen: 2022-06-06 07:41:09 UTC
Last seen: 2022-06-07 11:39:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash b89c0acb10e1bafbe56a95fb03ea7ddd (1 x AveMariaRAT)
ssdeep 3072:hFZRWMN2EyOdnHN/0f5B2gPcvTt728bZK3LyAw1HG7GMbcDK90XKgwcG2O5NCMLo:aMXHB0zlSTt728N5tuWXKVvPHq7
Threatray 3'756 similar samples on MalwareBazaar
TLSH T1620412BB653F798BCA1C53794A9ECE3285AE924B0CDE117CA450F68B3EC2CD84B55350
TrID:
  54.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
  13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
  4.1% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter @GovCERT_CH
Tags: AveMariaRAT exe WarzoneRAT

Intelligence


File Origin
# of uploads: 3
# of downloads: 296
Origin country: DE
Mail intelligence: No data
Vendor Threat Intelligence
Malware family: avemaria
ID: 1
File name: cargo documents.pdf.exe
Verdict: Malicious activity
Analysis date: 2022-06-06 07:46:54 UTC
Tags: trojan rat stealer avemaria

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating synchronization primitives
Creating a file
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: exploit packed shell32.dll wacatac
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AveMaria, UACMe
Detection: malicious
Classification: phis.troj.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph (ID 639646; sample: cargo documents.pdf.exe; start date: 06/06/2022; architecture: WINDOWS; score: 100)
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 13 other signatures
Process tree:
  cargo documents.pdf.exe (started)
    dropped: C:\ProgramData\images.exe (PE32); C:\ProgramData\images.exe:Zone.Identifier (ASCII)
    signatures: Adds a directory exclusion to Windows Defender; Increases the number of concurrent connection per server for Internet Explorer; Hides that the sample has been downloaded from the Internet (zone.identifier)
    images.exe (started)
      network: udooiuyt.dynamic-dns.net 45.137.22.163, ports 49757, 5200, ROOTLAYERNETNL, Netherlands
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures
      cmd.exe (started)
        conhost.exe (started)
      powershell.exe (started)
    powershell.exe (started)
    conhost.exe (started)
  images.exe (started, second instance)
    WerFault.exe (started)
    conhost.exe (started)
Threat name: Win32.Spyware.AveMaria
Status: Malicious
First seen: 2022-06-06 07:43:38 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 24 of 41 (58.54%)
Threat level: 2/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat infostealer persistence rat suricata upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
Warzone RAT Payload
WarzoneRat, AveMaria
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
Malware Config
C2 Extraction: udooiuyt.dynamic-dns.net:5200
Unpacked files
SHA256 hash: 6dfda03b6f3006fd1b587ae285a6539f758568f98b34a8550b04299f3861a06c
MD5 hash: fc084b4e992096a4e96c527da7cd4d1f
SHA1 hash: b489088bf8209703fb3153a91b69e9a09124c0a0

SHA256 hash: a3fadd5bf167df641570b41546fc94aabe1f304aab82ad4fa1489acf4be77cc3
MD5 hash: f84a719771405bad72af530b755ffebb
SHA1 hash: c78fe944bc806011de9fa2bd279497f969fd1d30
Detections: win_ave_maria_g0 win_ave_maria_auto

SHA256 hash: fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c
MD5 hash: 6b906764a35508a7fd266cdd512e46b1
SHA1 hash: 2a943b5868de4facf52d4f4c1b63f83eacd882a2

SHA256 hash: 021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546
MD5 hash: ad9fd1564dd1c6be54747e84444b8f55
SHA1 hash: 001495af4af443265200340a08b5e07dc2a32553

SHA256 hash: b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83
MD5 hash: f0bec0deb10b8bc59a5b2d207b4cdeef
SHA1 hash: 452b936847f131abd4b872815ab35c9b9bcd9cbb

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AveMariaRAT
Executable exe b4b14f0512858ecd957152f6f21d06070ad3f371206568871d0f92d5a41ecd83 (this sample)
Dropped by: warzonerat
Delivery method: Distributed via e-mail attachment