MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eac82f49d357168a280ac56430bdf64cf0345110f53af6f1ec9ceebee6423ee3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eac82f49d357168a280ac56430bdf64cf0345110f53af6f1ec9ceebee6423ee3
SHA3-384 hash: 72281c8835de984b1a4214240953d0f7f3c7ada4e5ad1af48173fa84820971dd2be101463e5d43d87babbfb20afe0842
SHA1 hash: 985f881c21144953c6e123b2a1c1f9158eb95adc
MD5 hash: 33543c5c5c2077da52387868299a4f2b
humanhash: helium-purple-fourteen-happy
File name:Cont_IMG_60712133_1247066872129983_2152132284377989120.pdf.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'140'744 bytes
First seen:2021-03-01 08:37:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b4043a309d0347d03a7fb07fb4b5acc1 (2 x AveMariaRAT, 1 x RemcosRAT, 1 x BitRAT)
ssdeep 24576:VhTP85JKIq20xIQ40TMt7zVT6lVINogZi4:vTPAvTzVT6lKNoL4
Threatray 770 similar samples on MalwareBazaar
TLSH 0B358E22A1834CF2D0221A775D3B4275D8A57E30B9385D4636EC6D68BFEF2913C1F982
Reporter abuse_ch
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Cont_IMG_60712133_1247066872129983_2152132284377989120.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-03-01 08:41:09 UTC
Tags:
trojan stealer rat avemaria
Link:
https://app.any.run/tasks/4ef2b166-1f38-4d7d-bc5a-65b1a0895873

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120184/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.20015.3732.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Launching a process
Creating a file in the %AppData% directory
Reading critical registry keys
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621899
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359944 Sample: Cont_IMG_60712133_124706687... Startdate: 01/03/2021 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for domain / URL 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 6 other signatures 2->47 6 Zdjwwtec.exe 2->6         started        9 Cont_IMG_60712133_1247066872129983_2152132284377989120.pdf.exe 1 18 2->9         started        13 Zdjwwtec.exe 2->13         started        process3 dnsIp4 49 Multi AV Scanner detection for dropped file 6->49 51 Machine Learning detection for dropped file 6->51 53 Writes to foreign memory regions 6->53 15 eventvwr.exe 5 6->15         started        25 godocs.cam 162.212.152.3, 443, 49732 TZULOUS United States 9->25 23 C:\Users\Public\Libraries\Zdjwwtec.exe, PE32 9->23 dropped 55 Allocates memory in foreign processes 9->55 57 Creates a thread in another existing process (thread injection) 9->57 59 Injects a PE file into a foreign processes 9->59 19 DpiScaling.exe 3 5 9->19         started        21 logagent.exe 5 13->21         started        file5 signatures6 process7 dnsIp8 29 Tries to steal Mail credentials (via file access) 15->29 31 Contains functionality to inject threads in other processes 15->31 33 Contains functionality to steal Chrome passwords or cookies 15->33 35 Contains functionality to steal e-mail passwords 15->35 27 warzone05b.duckdns.org 194.5.98.154, 25820, 49740, 49749 DANILENKODE Netherlands 19->27 37 Increases the number of concurrent connection per server for Internet Explorer 19->37 39 Tries to harvest and steal browser information (history, passwords, etc) 21->39 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eac82f49d357168a280ac56430bdf64cf0345110f53af6f1ec9ceebee6423ee3/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 08:38:10 UTC
AV detection:
19 of 49 (38.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5lec6sotk4liukakyvsdbppwjtydiuiq6u5pn4pmttxl5zsch3rq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
196789782f6dcb856fb75cc2f08f70fa7643ce5183ebba9b677253d86cac9b41
AveMariaRAT
2002e2506e59be859c12de94b1d9ddbfeeee31373684ce15f4e5b952da036a69
AveMariaRAT
2a73b5bcf40617742a535178183021aa1f0ed55f85a431e1535a0b65030b6867
AveMariaRAT
33a76af55237d9ba192ee8496fd6c4adc489593705e81c663a890b39e1c92a8e
AveMariaRAT
4fe45a8e07fc28eb30222f08219ca2bb8832220a97ff56333193bd422a876f0c
AveMariaRAT
62a9e0bc56c03b9ad7ff3ff1242415b95c29b10c2699a55c4d8940338e18887e
AveMariaRAT
7b7b7e7ad9b106a5508583f1b60e3a3d7385bf0d6592ca816839f6633f5e8045
AveMariaRAT
8fbd0e656a1ee90b82591111e01fb0e8b7a3d3e711e0d5165d05a5d844b8c03f
AveMariaRAT
ed21e9b47bc6e3343b98a6a69795c35c0b9ed34d9963a65e5df0afdcfdad9820
AveMariaRAT
f58206c0e3f90670105f3d92f49e4f3e4dd36970697f24de762862f24ea130cf
AveMariaRAT
+ 760 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210301-qcyp47e8ja/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
Warzone RAT Payload
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
5bcde4d165f66f58ce0446462a038b7ae84e2fd2275885f61f68287547aac66d
MD5 hash:
34cb499bbd566c24dcf888e9bab46083
SHA1 hash:
3bb97e3103868691e57e7cf3be88a7ff30f46ea1
Link:
https://www.unpac.me/results/9b062b9d-92f2-4783-8d45-8708c1114c4d/
SH256 hash:
eac82f49d357168a280ac56430bdf64cf0345110f53af6f1ec9ceebee6423ee3
MD5 hash:
33543c5c5c2077da52387868299a4f2b
SHA1 hash:
985f881c21144953c6e123b2a1c1f9158eb95adc
Link:
https://www.unpac.me/results/9b062b9d-92f2-4783-8d45-8708c1114c4d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eac82f49d357168a280ac56430bdf64cf0345110f53af6f1ec9ceebee6423ee3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe eac82f49d357168a280ac56430bdf64cf0345110f53af6f1ec9ceebee6423ee3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120184/

Comments