MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d015c42aeec1560eb2cf33b77fab18293a23cf61a7621746bc923a9ad4cc64dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d015c42aeec1560eb2cf33b77fab18293a23cf61a7621746bc923a9ad4cc64dd
SHA3-384 hash: c9ffc528a5e27853816fdc3f876cd937cb1333cc74b2de0d9fecdb26803713b6736212793ded45a9adc7cc443e33e8d4
SHA1 hash: dbcb64e9147894cf82431b27db828812fa89aee6
MD5 hash: 81354be34b2c4872dc497d4c909e8808
humanhash: helium-burger-cat-dakota
File name:WWTAN_514A4DCF600B4DB5AA488EEF66D8026C.scr
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:796'160 bytes
First seen:2020-05-13 06:21:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f63caebe1e46d29542ea606034a7da47 (7 x AgentTesla, 4 x Loki, 3 x HawkEye)
ssdeep 12288:SJ5R1LHd4GYPKElaRQEYrvWwvStl1cCrYQqNaBLtgZoRa/hMMyhT75tYSYa6:SzfHZjEuYv0l1zrSQ4oRqhtKTESYT
Threatray 529 similar samples on MalwareBazaar
TLSH A905AF22F2D05F37C1B31A3C9D4B53A4983ABEF03A285A472BE51C4C5F397923925297
Reporter abuse_ch
Tags:AveMariaRAT RAT scr


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: mail.genogan.ga
Sending IP: 89.36.212.88
From: Eileen Lin <Eileen.Lin@chrobinson.com> <admin@genogan.ga>
Subject: 5/15, S/O#2117,S/光國, Booking for --LOAD#322749557
Attachment: shipping.zip (contains "WWTAN_514A4DCF600B4DB5AA488EEF66D8026C.scr")

AveMariaRAT C2:
188.72.124.143:2855

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 06:43:17 UTC
File Type:
PE (Exe)
Extracted files:
294
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ak4ikxoyfla5mwpgo3x7kyyfe5cht3bu5rborv4si5jvvgmmtoq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
21c5dfaf16a6b6fb850af64a34db2eac7263835048a6041533967de282a42caf
AveMariaRAT
4fa4af45c70295513c486589c0e36e7436be6abbf3c75e97b544db959e9dfcb5
AveMariaRAT
5a7fde3d1fb47fc7426fa1039e41a601633de8fad80c9c52823382dfe01eac86
AveMariaRAT
5c7b6c75eee95614a740b733b6895346066ae6c893c7b7cc8885ffa425ca6c86
AveMariaRAT
8fbd0e656a1ee90b82591111e01fb0e8b7a3d3e711e0d5165d05a5d844b8c03f
AveMariaRAT
90d5792fd0a2ab859f120bef8f12a28c8f7e4119a43054c22db57e76c7b386a0
AveMariaRAT
9f05fc0d62bbb451cfeb45c29b08ba8c556fcbc0aabcb1b783c056cca004db6e
AveMariaRAT
a102c4a2dfca8c218f1e65cbb5050012da856c3deba018d8c238fa9b09dd3a2b
AveMariaRAT
ebddbf171d569ce4db44a0284ac1cbe390e075854749713aa9186276036cacd6
AveMariaRAT
ff5e08912950194b6be7e6102c3135bcd9554ac7378b1a8a78069ebb94042234
AveMariaRAT
+ 519 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/201109-xp4zjxjy9n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Warzone RAT Payload
ServiceHost packer
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_malumpos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

zip 9518aa444f3ba46ad38962fd3316456673770aa70f15e9176845bc30fd06e282

AveMariaRAT

Executable exe d015c42aeec1560eb2cf33b77fab18293a23cf61a7621746bc923a9ad4cc64dd

(this sample)

  
Dropped by
MD5 5465cb14a0e4dff80b3bde9f175bf7bf
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9518aa444f3ba46ad38962fd3316456673770aa70f15e9176845bc30fd06e282

Comments