MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e97d4cbbbb923b04cee8f87235ad15ab83a7cba51984422cdfdcfefa7e81d457. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e97d4cbbbb923b04cee8f87235ad15ab83a7cba51984422cdfdcfefa7e81d457
SHA3-384 hash: fa0185465d87c0b1e2c244985dfbd95b34cee9d15263eced9630f725cff0031acd3d4177e9872dba21f633e8623eb25a
SHA1 hash: 9c5e9b604848d9c8e9bc2dac40ad4ec1a6f94edc
MD5 hash: b5b596310b5c18bf814c910eba8bef36
humanhash: lake-mike-river-lithium
File name:New Purchase Sample Drawing 2020.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:403'968 bytes
First seen:2020-07-30 07:06:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:IyAvKPiERMnMS8se6BN40FvAL2Ba3u2K3jd:PPFMnh8lm
Threatray 431 similar samples on MalwareBazaar
TLSH 1F84AE5C3250B69FC427C9368E645D24AA34B47BA70BE303B45726AD9D0D69BCF062F3
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: www.fsc-netcom.biz
Sending IP: 211.16.211.187
From: sherina.fang@xingyimetal.com
Subject: PO Sample drawing
Attachment: New Purchase Sample Drawing 2020.rar (contains "New Purchase Sample Drawing 2020.exe")

Unknown RAT C2:
war3785host.ddns.net:40951 (185.19.85.138)

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/35321/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.30922.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Deleting a recently created file
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/403224
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 253839 Sample: New Purchase Sample Drawing... Startdate: 30/07/2020 Architecture: WINDOWS Score: 100 29 g.msn.com 2->29 39 Malicious sample detected (through community Yara rule) 2->39 41 Yara detected AveMaria stealer 2->41 43 Contains functionality to hide user accounts 2->43 45 5 other signatures 2->45 7 New Purchase Sample Drawing 2020.exe 1 4 2->7         started        10 wzimage.exe 2 2->10         started        13 wzimage.exe 2 2->13         started        signatures3 process4 file5 25 C:\Users\user\AppData\Roaming\wzimage.exe, PE32 7->25 dropped 27 C:\Users\user\...\wzimage.exe:Zone.Identifier, ASCII 7->27 dropped 15 New Purchase Sample Drawing 2020.exe 3 2 7->15         started        47 Machine Learning detection for dropped file 10->47 49 Contains functionality to inject threads in other processes 10->49 51 Contains functionality to steal Chrome passwords or cookies 10->51 53 Contains functionality to steal e-mail passwords 10->53 19 wzimage.exe 1 10->19         started        21 wzimage.exe 10->21         started        23 wzimage.exe 1 13->23         started        signatures6 process7 dnsIp8 31 war3785host.ddns.net 185.19.85.138, 40951, 49730 DATAWIRE-ASCH Switzerland 15->31 33 Tries to steal Mail credentials (via file access) 15->33 35 Increases the number of concurrent connection per server for Internet Explorer 15->35 37 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->37 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e97d4cbbbb923b04cee8f87235ad15ab83a7cba51984422cdfdcfefa7e81d457/
Threat name:
Win32.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-07-30 07:08:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5f6uzo53si5qjtxi7bzdllivvob2ps5fdgceelg73t7pu7ub2rlq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
19fa55d64a5d0900b5f8604bb765ab9196e07b2716f1248e0a8c6245e12e2119
AveMariaRAT
2de3ea2a1d7df0bdc1abf7e84609dd5e423e81dbd8542fc29866cfbad3b54152
AveMariaRAT
37d250d71a687db0e2c094fd5932bd32a6198a94b86553580d495cbb592d0f96
AveMariaRAT
8a75c0e55378f9dc85aa262a1133a3d7b4c37d38502ac87a8f4bea0fc273e55f
AveMariaRAT
99938664e2162f06313d017b275c7da25b45d578177911808a986f416377e15d
AveMariaRAT
9d3c04431db8d2630361ac69def49189101a5bf017627be2f147bcd66f3c8d29
AveMariaRAT
b612173e75cc939bb718725850a57a1487095d863db268758b5ee0bf2463f89d
AveMariaRAT
da103e7998ff3ffd61f85d819dc90514d910c30a0d2e9ee6c071001f9137161a
AveMariaRAT
e6d6cda38ec798c76fb5727c7af199c496408484c68f3d7c0d34d6be09900ca0
AveMariaRAT
fa925870975e7c53ec50032872d0c8f7aa23d7832658def21887419f288cbd18
AveMariaRAT
+ 421 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200730-tly414m4mn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
JavaScript code in executable
Adds Run key to start application
JavaScript code in executable
Adds Run key to start application
Reads user/profile data of web browsers
Loads dropped DLL
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e97d4cbbbb923b04cee8f87235ad15ab83a7cba51984422cdfdcfefa7e81d457

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_ave_maria_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar fe1f0193205e0a343090afe60a4d2e0911d0db8b6eb55a1ef6417e2136aa6420

AveMariaRAT

Executable exe e97d4cbbbb923b04cee8f87235ad15ab83a7cba51984422cdfdcfefa7e81d457

(this sample)

  
Dropped by
MD5 cb0ce354dd9997432bad920db22047b1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35321/
  
Dropped by
SHA256 fe1f0193205e0a343090afe60a4d2e0911d0db8b6eb55a1ef6417e2136aa6420

Comments