MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5633b89bc09a7e0bfdb617572df279f2a08518ffe186ad3c372f2b53c210996. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5633b89bc09a7e0bfdb617572df279f2a08518ffe186ad3c372f2b53c210996
SHA3-384 hash: 94dea41400230dedee9bfe72d3fda30e97905e5e2b7f5404ba3b306ac93c8bcdb87143bed61b686f9987339d932bec06
SHA1 hash: 5a18f78cf60c527c60a8b6f67c9857bdf4426be8
MD5 hash: bc3c20b25e79e6ed82ba7ab84934067d
humanhash: music-ink-oklahoma-lactose
File name:feo.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:721'368 bytes
First seen:2021-05-28 15:34:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e7272567bf6719a2a90dbca5f3a4b3a (1 x Loki, 1 x NetWire, 1 x BitRAT)
ssdeep 12288:wuxGeRhWzrlZe7q6OWA50P3TaD8vVKlWFn+yGMBNyi:wyHWzrsOWxjQfEbyi
Threatray 931 similar samples on MalwareBazaar
TLSH ACE49D72A2C144B2D15A5E389D1796259D64BE303D382C6677F56C0C6EBF3813C2EAE3
Reporter Anonymous
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
feo.exe
Verdict:
Malicious activity
Analysis date:
2021-05-27 13:36:48 UTC
Tags:
installer
Link:
https://app.any.run/tasks/436fe6c9-c056-496f-95d1-d0bdb508d986

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163007/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.W32.Trojan2.QXAI.17581.18896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Deleting a recently created file
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/793938
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 426339 Sample: feo.exe Startdate: 28/05/2021 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected AveMaria stealer 2->43 45 3 other signatures 2->45 8 Fzeiwr.exe 13 2->8         started        12 feo.exe 1 23 2->12         started        15 Fzeiwr.exe 14 2->15         started        process3 dnsIp4 55 Multi AV Scanner detection for dropped file 8->55 57 Machine Learning detection for dropped file 8->57 59 Writes to foreign memory regions 8->59 17 dialer.exe 4 8->17         started        37 cdn.discordapp.com 162.159.134.233, 443, 49701, 49702 CLOUDFLARENETUS United States 12->37 33 C:\Users\Public\Fzeiwr\Fzeiwr.exe, PE32 12->33 dropped 61 Creates a thread in another existing process (thread injection) 12->61 63 Injects a PE file into a foreign processes 12->63 21 DpiScaling.exe 3 4 12->21         started        23 cmd.exe 1 12->23         started        65 Allocates memory in foreign processes 15->65 25 ieinstal.exe 4 15->25         started        file5 signatures6 process7 dnsIp8 35 adebaree.duckdns.org 173.44.55.155, 49722, 49728, 49729 ASN-QUADRANET-GLOBALUS United States 21->35 47 Tries to steal Mail credentials (via file access) 21->47 49 Increases the number of concurrent connection per server for Internet Explorer 21->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->51 27 cmd.exe 1 23->27         started        29 conhost.exe 23->29         started        53 Tries to harvest and steal browser information (history, passwords, etc) 25->53 signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5633b89bc09a7e0bfdb617572df279f2a08518ffe186ad3c372f2b53c210996/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-05-27 21:42:08 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
122ef85900670d4776f3afdbe676d59c23c4cd9944b9d392eb9a446b3bb40dde
AveMariaRAT
1ec80487df001c0f6d41a90bbe2451242977a6f36a276d6eefa8aef0f593ab6b
AveMariaRAT
29c359a430263d1482f855d74d16a653f7bdcd6ab01abcb6090c1163a1568f71
AveMariaRAT
5cbed2f8a5fdadbd99816c4c8792bd51a2db7479f80bf70409f0f257f942d0c9
AveMariaRAT
5f0161e643adfaeca9dc6918e8cc29fc85ecdcf6727afd601649068f1e36a814
AveMariaRAT
688db922ed6771475dc6c379990567dc7e07ecaa848ada113472d1021eb02926
AveMariaRAT
803ed954a2fbfa36e1b154d7b1b6b270021eb72583d5a876e5aaedd728c39cc7
AveMariaRAT
9b342770fe4594e3a6d22b0b8d50269f8c749fb6d43c4f22d6ba48ddbff23bb4
AveMariaRAT
a67866e26c35be123728faf13ab166a05eb79ad7e8c6c79768ea059326d5cb60
AveMariaRAT
b59b27b89189fc7fd98bc8f8a70d7d500907439cba4303c1eb812532fa2bc96f
AveMariaRAT
+ 921 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210528-z6y8fpynle/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
adebaree.duckdns.org:9145
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5633b89bc09a7e0bfdb617572df279f2a08518ffe186ad3c372f2b53c210996

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Word file docx 7666f3d19250bc9b6d75e1b081407ea6a71c81f22a2c027d85b6445a65a0f247

AveMariaRAT

Executable exe b5633b89bc09a7e0bfdb617572df279f2a08518ffe186ad3c372f2b53c210996

(this sample)

  
Dropped by
SHA256 7666f3d19250bc9b6d75e1b081407ea6a71c81f22a2c027d85b6445a65a0f247
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/163007/

Comments