MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8c59da246fccfab27b1e04e4d2bae1f222e845c9573b7b0c5f01d90aa76a3a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	e8c59da246fccfab27b1e04e4d2bae1f222e845c9573b7b0c5f01d90aa76a3a3
SHA3-384 hash:	3ec5447774f737c6d9aa4a10b0dbda951e58c02bf74104eca73b270b2cf41f94f5f836a522edba59825208666a1625fe
SHA1 hash:	7dd0300cf123743cea7620e97a767d707190c08e
MD5 hash:	6a0d38e42f95094a525a824ea5005766
humanhash:	social-violet-double-indigo
File name:	Resumen detallado del proveedor de 1302640 de solicitud de presupuesto.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	1'102'848 bytes
First seen:	2021-07-23 17:02:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	eeb274539f353457b7607137bc233150 (3 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	12288:5IO9jQgjDHNQNDRHhjeg7NNuWVnTT4I0IVx9nm4vNOpRKaemjtzeVQ1D2X:SQjFDHNQNDR5ekNNbdTT4C7vvG2
Threatray	1'001 similar samples on MalwareBazaar
TLSH	T1E7352872A150D462D06131784D1B4EA8F464FD203DF45C8722A0FB3DEBBB6B1ED2AE56
dhash icon	72c28292b2a888e0 (7 x RemcosRAT, 1 x BitRAT, 1 x AveMariaRAT)
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

171

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Resumen detallado del proveedor de 1302640 de solicitud de presupuesto.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-23 17:05:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9360e3ba-c6f1-40ee-932d-07c69c06bde0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/173727/

Detection(s):

SecuriteInfo.com.Variant.Zusy.394980.1981.8042.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/79b60325-3c08-479a-9aa0-4ae09dd319af

Result

Threat name:

AveMaria

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/820942

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Changes memory attributes in foreign processes to executable or writable

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Creates a thread in another existing process (thread injection)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Increases the number of concurrent connection per server for Internet Explorer

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Malicious sample detected (through community Yara rule)

Modifies the prolog of user mode functions (user mode inline hooks)

Writes to foreign memory regions

Yara detected AveMaria stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e8c59da246fccfab27b1e04e4d2bae1f222e845c9573b7b0c5f01d90aa76a3a3/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-07-23 17:03:07 UTC

AV detection:

18 of 25 (72.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5dcz3isg7th2wj5r4bhe2k5od4rc5bc4svz3pmgf6aozbktwuorq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

691c75376ade3956492197d79853cab8eb38dca6dc2a7c2be3d4f28f445a3d2b

AveMariaRAT

864b531c5f5a397b3fd2a8aa91c83f956d93300db9c986bfa7ae4744d7cb732f

AveMariaRAT

9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

AveMariaRAT

a2f8c191b7fb47cf9266a986aa47e6897d6615889b76a0050450fb68afc279f6

AveMariaRAT

dbdfbca2dcc01a530cd7c449500dc0f6b564c11f9ed9dc8d746709a235d6826f

AveMariaRAT

dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

AveMariaRAT

e81c6b84f83b9ac8233102f31e21bfeeab4ffaa5aa4c02987ce910de908a83ed

AveMariaRAT

f9ca14fcdffeb48b11ea026812ac0a7dc941f27e0c1384dc8e9b83b18de4c2a7

AveMariaRAT

+ 991 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer rat

Link:

https://tria.ge/reports/210723-ljg9v7vxhn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Program crash

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

79.134.225.8:8654

Unpacked files

SH256 hash:

02461911c9e0dbee2bca1926aa9e4dc971a4224a33b3f41e4eee50e81cd2e693

MD5 hash:

174f696339d2bbad2957193462034842

SHA1 hash:

c2440df707b160fc9a3aadb5e5ecd6ba3238f0f7

Link:

https://www.unpac.me/results/9a92ec78-cf4a-4e0d-9f0f-dd1d416d316d/

SH256 hash:

d174ea83359cec0b0a35da88fa2a1791a1308e35a5e36e83f51a2723e48582a6

MD5 hash:

5c63077607b089e7045eb5e93d8324d9

SHA1 hash:

9ca12c4d6e4a97269d26fe6755aae441276bff42

Link:

https://www.unpac.me/results/9a92ec78-cf4a-4e0d-9f0f-dd1d416d316d/

SH256 hash:

e8c59da246fccfab27b1e04e4d2bae1f222e845c9573b7b0c5f01d90aa76a3a3

MD5 hash:

6a0d38e42f95094a525a824ea5005766

SHA1 hash:

7dd0300cf123743cea7620e97a767d707190c08e

Link:

https://www.unpac.me/results/9a92ec78-cf4a-4e0d-9f0f-dd1d416d316d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.84

Link:

https://yomi.yoroi.company/submissions/e8c59da246fccfab27b1e04e4d2bae1f222e845c9573b7b0c5f01d90aa76a3a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/173727/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample