MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f829c803836b4d3e8e161bba4d1f18ee3ad2a2a9ad025ae64cade4060ed9f7e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	f829c803836b4d3e8e161bba4d1f18ee3ad2a2a9ad025ae64cade4060ed9f7e6
SHA3-384 hash:	824784e4aa7c3b127df288d8d9b6845542c588b7009a06eac0bf28229c17a6df77ce8395bd177e1fb24e2af7390a65a3
SHA1 hash:	194ce7fb11cfeb855bb0be568889a56946a0b574
MD5 hash:	ad292e478f0d331b1f9c87ffeccae847
humanhash:	maine-nitrogen-virginia-sierra
File name:	Shipping Docs.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	194'560 bytes
First seen:	2021-09-08 13:01:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	80fe8927c93ee92e853990881e3b78f8 (2 x Formbook, 1 x SnakeKeylogger, 1 x AgentTesla)
ssdeep	1536:v2usd49rPKEBolfp6jCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCXCCC5:v2up5PbolfYpmRZtB
Threatray	1'228 similar samples on MalwareBazaar
TLSH	T1D31477DE02F1105FE11945B4AD9AEFE01961ECB8BB52C215BD41FCCEBE723E154622E2
dhash icon	c4bada9ae8cca4c8 (13 x Formbook, 6 x AgentTesla, 5 x AveMariaRAT)
Reporter	malwarelabnet
Tags:	AveMariaRAT exe WarzoneRAT

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Shipping Docs.exe

Verdict:

Malicious activity

Analysis date:

2021-09-08 13:03:57 UTC

Tags:

trojan stealer rat avemaria

Link:

https://app.any.run/tasks/f3818856-8ed3-48e2-ad2a-8bb01e54b101

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/186351/

Detection(s):

Win.Trojan.Remcos-9846521-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Setting a keyboard event handler

Creating a file in the %AppData% directory

Deleting a recently created file

Reading critical registry keys

Sending a UDP request

Stealing user critical data

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/40c2c4e9-9b52-4244-b163-72ab38a37958

Result

Threat name:

AveMaria

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/847403

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Increases the number of concurrent connection per server for Internet Explorer

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AveMaria stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f829c803836b4d3e8e161bba4d1f18ee3ad2a2a9ad025ae64cade4060ed9f7e6/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2021-09-08 13:02:13 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

53f3667f28ccf0d21ba05eb659a6138ae1a6bc24348d2750f16261bb5b6b2121

AveMariaRAT

5b91df85affd5ae567a565e3dca83bc8a014acddcf7bd743782b7b6cb2f93754

AveMariaRAT

74e572bc38bba5ae10cb950fb8002199c50479a1e7ad3e5f7f8b8507eb506c8d

AveMariaRAT

90c579c57ac202ad7230581299a82c3aba896fc61673efdb0e64fbd719a237f8

AveMariaRAT

bb5a0392440036d9c4e7cda8ac95ca0dcd26218ac173790a1ba2b59238c1afb2

AveMariaRAT

+ 1'218 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer rat spyware stealer

Link:

https://tria.ge/reports/210908-p9vslaeeb3/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

45.144.225.112:5207

Unpacked files

SH256 hash:

f829c803836b4d3e8e161bba4d1f18ee3ad2a2a9ad025ae64cade4060ed9f7e6

MD5 hash:

ad292e478f0d331b1f9c87ffeccae847

SHA1 hash:

194ce7fb11cfeb855bb0be568889a56946a0b574

Link:

https://www.unpac.me/results/5c6fee0a-8bcf-45fc-906e-5e780a3b2654/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f829c803836b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/f829c803836b4d3e8e161bba4d1f18ee3ad2a2a9ad025ae64cade4060ed9f7e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/186351/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample