MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6d76a6dd8898fcd223678eec6835de53da6b2af1fc84c90dc502082eb6d8729. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 18 File information Comments

SHA256 hash:	b6d76a6dd8898fcd223678eec6835de53da6b2af1fc84c90dc502082eb6d8729
SHA3-384 hash:	fb6cd5a07e5440a7cd672285afb0fe8daad8e9b7456d6950b5af4377b6c652201e8339ad029bcb69b3e8e4ac905b31c6
SHA1 hash:	ab9b5572188b37c10eed0b76163667494fb4cc57
MD5 hash:	883f037f8db0d45f1dab5dbd539326d2
humanhash:	lake-magazine-mississippi-apart
File name:	PO#11-17012021,pdf.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	324'608 bytes
First seen:	2021-01-18 09:07:23 UTC
Last seen:	2021-01-18 10:42:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3fa489abaee814a61ce0966e1954db55 (12 x Loki, 7 x RemcosRAT, 3 x SnakeKeylogger)
ssdeep	6144:WXzz4bs4TQEvq2Tomx93zXAipWu+SYalcdVMwRyeitvDuC+AXAC2s4A:I4b7TQEvxo8zv+R+cdewR76DLF34A
Threatray	726 similar samples on MalwareBazaar
TLSH	CE64CF3475D5C032C25321354BA5CBB18EBAB8726A75B49B7BDA0DBD5F202D2932870E
Reporter	abuse_ch
Tags:	AveMariaRAT exe

abuse_ch

Malspam distributing unidentified malware:

HELO: cloudhost-2060988.uk-south-2.nxcli.net
Sending IP: 165.84.218.167
From: Chen <sales@mitsui.com.ph>
Subject: PO#11-18012021
Attachment: PO#11-17012021,pdf.rar (contains "PO#11-17012021,pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO#11-17012021,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-01-18 09:28:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d673a6ab-67d9-4ead-ae97-dc09f97dfedb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Warzonerat

Link:

https://www.capesandbox.com/analysis/112520/

Detection(s):

PUA.Win.Downloader.Firseria-6804617-0

Result

Verdict:

Malware

Maliciousness:

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AveMaria

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/583546

Signature

Antivirus detection for dropped file

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AveMaria stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/b6d76a6dd8898fcd223678eec6835de53da6b2af1fc84c90dc502082eb6d8729/

Threat name:

Win32.Trojan.MortyStealer

Status:

Malicious

First seen:

2021-01-18 08:39:11 UTC

AV detection:

23 of 45 (51.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w3lwu3oyrgh42irwpdxmna254u62nmvpd7eezeg4kaqif23nq4uq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

46520e8955eff183518aa7ad908eff5e9d0c7094be0d9821f037a11a25ff4b3e

AveMariaRAT

4e420c5efeb26330ec4eb618426d859222b791798df3ae65c59fc20ef2f2889a

AveMariaRAT

838bd3c3ce0091704b836352a4e5d489b8e172e8ef6a7dc18462ce3042c6d716

AveMariaRAT

88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5

AveMariaRAT

a0792945510f126714a42e9b4cef8b7e8d7aab504772b076c6df0a4e96f08e89

AveMariaRAT

a97528499bee868023a6898c85da34f9ed73a5a12b8a3a01817a88d82a8c5641

AveMariaRAT

da31c02c004f7e04408dea6429c362b4870c87a99fb2ae8ace1dac200a7fce5d

AveMariaRAT

e05ae83047c3026873ff147e2b6e6a71ab396d23ee8c9346b2755c16a776774b

AveMariaRAT

ffa217c445af7f07f0c9fbdcc488db8e06ecfdb43906c6c5e7a11f7ac04b4bf4

AveMariaRAT

+ 716 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer rat

Link:

https://tria.ge/reports/210118-v29bbmr2rj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Warzone RAT Payload

WarzoneRat, AveMaria

Unpacked files

SH256 hash:

b6d76a6dd8898fcd223678eec6835de53da6b2af1fc84c90dc502082eb6d8729

MD5 hash:

883f037f8db0d45f1dab5dbd539326d2

SHA1 hash:

ab9b5572188b37c10eed0b76163667494fb4cc57

Link:

https://www.unpac.me/results/8363fcc1-7767-46b6-9e74-f9a31cb1571f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b6d76a6dd8898fcd223678eec6835de53da6b2af1fc84c90dc502082eb6d8729

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	Stealer_word_in_memory Create hunting rule
Author:	James_inthe_box
Description:	The actual word stealer in memory

Rule name:	UAC_bypass_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	UAC bypass in files like avemaria

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator