MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef1ac3f12332198e1ef6f01698658258289a63e08ff17b1ddba89e229b8f19b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef1ac3f12332198e1ef6f01698658258289a63e08ff17b1ddba89e229b8f19b7
SHA3-384 hash: 5e3757f8dcb1e2cceaf07f8a18d308d6056e14ce095f384eec71fb742cffd9230f54e5276cb18af4fb733bea6f3d59e0
SHA1 hash: 724d8d16bb272d7a15197caed16aebea4fa8adcd
MD5 hash: b3c4df30fcb050cd2719916ca70b730d
humanhash: failed-cold-cold-lake
File name:IdDetails.ppam
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:15'199 bytes
First seen:2021-07-12 06:50:27 UTC
Last seen:Never
File type:PowerPoint file ppam
MIME type:application/vnd.openxmlformats-officedocument.presentationml.presentation
ssdeep 192:ZMA4bPRGrParxaz92BvG4tDh/2brgwN69JozhbC+Y75u/mtXHIHZ/OG0yP4AXITa:SbgrParxqeFh/8n8JozhjwNoHiVTa
TLSH T1C962C0D5D7D33614E371D3F49968B3A6E4E28AAC3B22734B7DC034EC060A9D816DB069
Reporter abuse_ch
Tags:AveMariaRAT ppam RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VB.Trojan.Valyria.4961.6862.23444.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ef1ac3f12332198e1ef6f01698658258289a63e08ff17b1ddba89e229b8f19b7
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Macro with DLL Reference
Detected macro logic that will load additional functionality from Dynamically Linked Libraries (DLLs). While not explicitly malicious, this is a common tactic for accessing APIs that are not otherwised exposed via Visual Basic for Applications (VBA).
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814561
Signature
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates processes via WMI
Document exploit detected (process start blacklist hit)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Sigma detected: WScript or CScript Dropper
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected MSILLoadEncryptedAssembly
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 446972 Sample: IdDetails.ppam Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 79 normanaman.duckdns.org 2->79 81 ia801403.us.archive.org 2->81 83 ia601403.us.archive.org 2->83 125 Malicious sample detected (through community Yara rule) 2->125 127 Multi AV Scanner detection for submitted file 2->127 129 Yara detected Powershell download and execute 2->129 131 11 other signatures 2->131 9 POWERPNT.EXE 501 26 2->9         started        12 mshta.exe 2->12         started        16 mshta.exe 2->16         started        18 8 other processes 2->18 signatures3 process4 dnsIp5 71 C:\Users\user\Desktop\~$IdDetails.ppam, data 9->71 dropped 73 C:\Users\user\AppData\...\IdDetails.ppam.LNK, MS 9->73 dropped 20 mshta.exe 2 54 9->20         started        111 www.blogger.com 12->111 119 2 other IPs or domains 12->119 159 Creates a scheduled task launching mshta.exe (likely to bypass HIPS) 12->159 24 powershell.exe 12->24         started        26 schtasks.exe 12->26         started        113 192.168.2.1 unknown unknown 16->113 115 www.blogger.com 16->115 121 2 other IPs or domains 16->121 161 Writes or reads registry keys via WMI 16->161 163 Writes registry values via WMI 16->163 28 powershell.exe 16->28         started        31 powershell.exe 16->31         started        33 schtasks.exe 16->33         started        117 www.blogger.com 18->117 123 16 other IPs or domains 18->123 35 conhost.exe 18->35         started        37 conhost.exe 18->37         started        file6 signatures7 process8 dnsIp9 95 7 other IPs or domains 20->95 133 Uses schtasks.exe or at.exe to add and modify task schedules 20->133 135 Creates a scheduled task launching mshta.exe (likely to bypass HIPS) 20->135 137 Writes or reads registry keys via WMI 20->137 139 Writes registry values via WMI 20->139 39 powershell.exe 16 20->39         started        43 powershell.exe 15 14 20->43         started        46 schtasks.exe 1 20->46         started        85 ia601403.us.archive.org 24->85 141 Writes to foreign memory regions 24->141 143 Injects a PE file into a foreign processes 24->143 48 MSBuild.exe 24->48         started        50 conhost.exe 24->50         started        52 conhost.exe 26->52         started        87 archive.org 207.241.224.2, 443, 49757, 49764 INTERNET-ARCHIVEUS United States 28->87 89 ia601401.us.archive.org 207.241.227.121, 443, 49763 INTERNET-ARCHIVEUS United States 28->89 97 3 other IPs or domains 28->97 75 PowerShell_transcr....20210712085731.txt, UTF-8 28->75 dropped 77 C:\Users\Public\nolub.vbs, ASCII 28->77 dropped 58 2 other processes 28->58 91 ia801403.us.archive.org 207.241.228.143, 443, 49754, 49773 INTERNET-ARCHIVEUS United States 31->91 93 ia601403.us.archive.org 31->93 54 conhost.exe 31->54         started        56 conhost.exe 33->56         started        file10 signatures11 process12 dnsIp13 99 73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles.com 39->99 101 ia601509.us.archive.org 207.241.227.119, 443, 49783 INTERNET-ARCHIVEUS United States 39->101 109 6 other IPs or domains 39->109 69 PowerShell_transcr....20210712085714.txt, UTF-8 39->69 dropped 60 wscript.exe 39->60         started        63 conhost.exe 39->63         started        103 ia601403.us.archive.org 207.241.227.123, 443, 49809, 49813 INTERNET-ARCHIVEUS United States 43->103 105 ia801403.us.archive.org 43->105 145 Injects a PE file into a foreign processes 43->145 65 conhost.exe 43->65         started        67 conhost.exe 46->67         started        107 normanaman.duckdns.org 103.153.76.164, 3009, 49800, 49810 TWIDC-AS-APTWIDCLimitedHK unknown 48->107 147 Contains functionality to inject threads in other processes 48->147 149 Contains functionality to steal Chrome passwords or cookies 48->149 151 Contains functionality to steal e-mail passwords 48->151 155 2 other signatures 48->155 153 Creates processes via WMI 58->153 file14 signatures15 process16 signatures17 157 Creates processes via WMI 60->157
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef1ac3f12332198e1ef6f01698658258289a63e08ff17b1ddba89e229b8f19b7/
Threat name:
Script.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-07-10 23:13:15 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=54nmh4jdgimy4hxw6aljqzmclaujuy7ar7yxwho3vcpcfg4pdg3q._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/210712-6328lmjcp6/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Process spawned suspicious child process
Blocklisted process makes network request
Process spawned unexpected child process
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
normanaman.duckdns.org:3009
Dropper Extraction:
https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef1ac3f12332198e1ef6f01698658258289a63e08ff17b1ddba89e229b8f19b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria_WarZone
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

PowerPoint file ppam ef1ac3f12332198e1ef6f01698658258289a63e08ff17b1ddba89e229b8f19b7

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments