MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b730bb13134ec777d56a12867d2bca49a1131a49393ab1fa23dcb27a1d3b3cd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 17 File information Comments

SHA256 hash:	b730bb13134ec777d56a12867d2bca49a1131a49393ab1fa23dcb27a1d3b3cd7
SHA3-384 hash:	71b894a717899b30ce23047a17a22fa329240afeb2ba9b421f4655658dbf36ea414fedaccd75696c9533dcb411fb7b0d
SHA1 hash:	6be1dfae9a86a0fd7dcfefca2c0f52b17041b152
MD5 hash:	afbbc77f23451f4251297a09759ace85
humanhash:	seven-zebra-oven-wyoming
File name:	afbbc77f23451f4251297a09759ace85.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	2'747'479 bytes
First seen:	2021-04-15 15:51:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep	49152:jThLBhkUtOsohLzaJXfIpXTQo+WzFEn4xVWaSoly5PTCSMqvrt8c2KHrr:j9LBmUtOnaJXfIpXTQBneVWaSoM5eSMO
Threatray	792 similar samples on MalwareBazaar
TLSH	C6D512D1A8AF45DEC5684533C126B18652C5CA78D03170AA7F9CA24EDBE3DC291E81FF
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DrawingKit.exe

Verdict:

Malicious activity

Analysis date:

2021-04-13 21:00:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1480441a-cac2-4afe-b871-79a7490d7057

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.20495.15214.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Sending a UDP request

DNS request

Connection attempt

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/b730bb13134ec777d56a12867d2bca49a1131a49393ab1fa23dcb27a1d3b3cd7/

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2021-04-13 15:02:58 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w4ylweytj3dxpvlkckdh2k6kjgqrggsjhe5ld6rd3szhuhj3htlq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

26dad1e44b5d06bcee5cddb288e3cd623da7bfd1d44a68661e27796f32e3de70

AveMariaRAT

2a5bce88201c08a0bda97ea99db198b3a278b4f42c4ff7d0defb82b38b93d180

AveMariaRAT

2f4fc1a5a5dccb324dcfac0022a391260fec5b2f2620b52d884f2b853a9a4471

AveMariaRAT

73d7814c16c97737ef3c337788edbed7d6523a6ace4d429289e9b9b55a6bd072

AveMariaRAT

90f1d3cfeae9107f43fe98543d03950bc513ed6c3cfd3755b2e12faf50c1f7b5

AveMariaRAT

9108124a2fb48ab0edbdd04e6e7f2608d26c706f899f6b1966527cfaf91c1009

AveMariaRAT

b9b2c05c193a6df71266380c102c635199a45263722c6395a0b03de819a01ee1

AveMariaRAT

d4a027269ca7a78f578e980333ac22f8ab39d5f4ef71490b49af6cb884195321

AveMariaRAT

fd21ea0fe3b13bc6f4173e46304760631907bc61ce3250844f001c60c1011c05

AveMariaRAT

+ 782 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer rat

Link:

https://tria.ge/reports/210415-btjlm4tg7s/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Loads dropped DLL

Executes dropped EXE

Warzone RAT Payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

cfr.eur-import.com:6021

Unpacked files

SH256 hash:

c89e66bb9a545e692183cfc72af58055c2c671c4e3e8c07605ac14ef5d8e20f9

MD5 hash:

51d5a54e2931ce8b64defa87ca9c4b37

SHA1 hash:

b9af6ddcd6f110cc10766f2fab90aefa9fbc9712

Link:

https://www.unpac.me/results/fa1895fd-5aaf-4dd7-bdbe-e7aa6208245b/

SH256 hash:

7187f6e4bf7192d04debf742a1397025d6c4dbd6e40873b8b094fa1e4d292ef3

MD5 hash:

c9a9117d994686856237cee31b4c5bea

SHA1 hash:

9bcd0bb9cffb02a31e337a92b7c638931557d5f9

Link:

https://www.unpac.me/results/fa1895fd-5aaf-4dd7-bdbe-e7aa6208245b/

SH256 hash:

b730bb13134ec777d56a12867d2bca49a1131a49393ab1fa23dcb27a1d3b3cd7

MD5 hash:

afbbc77f23451f4251297a09759ace85

SHA1 hash:

6be1dfae9a86a0fd7dcfefca2c0f52b17041b152

Link:

https://www.unpac.me/results/fa1895fd-5aaf-4dd7-bdbe-e7aa6208245b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b730bb13134ec777d56a12867d2bca49a1131a49393ab1fa23dcb27a1d3b3cd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	Stealer_word_in_memory Create hunting rule
Author:	James_inthe_box
Description:	The actual word stealer in memory

Rule name:	UAC_bypass_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	UAC bypass in files like avemaria

Rule name:	win_ave_maria_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

exe b730bb13134ec777d56a12867d2bca49a1131a49393ab1fa23dcb27a1d3b3cd7

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1110020/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample