MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f91dac6b3f959138295d2a16c4ff1ea413dd37c221ce0bd3cec5c680c00548a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT
Vendor detections: 8

SHA256 hash: f91dac6b3f959138295d2a16c4ff1ea413dd37c221ce0bd3cec5c680c00548a3
SHA3-384 hash: d72819ab10da004984580659786248dadd31b00247307626f5ccaec0eb8f358d24aff297ad1435e457ac50779399d4e6
SHA1 hash: 51db609e4b9b636f21d3f72c4ac13cb568f4097a
MD5 hash: e61dddeaf34056f67a5f9ce8e426bc95
humanhash: cardinal-sixteen-aspen-india
File name: HSBC-ALPHA.exe
Signature: AveMariaRAT
File size: 1'220'096 bytes
First seen: 2020-11-05 09:20:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: eb7f24d623823df7a34ad95dfb8bfd95 (15 x ModiLoader, 1 x AveMariaRAT, 1 x Loki)
ssdeep: 24576:Q0S5Bo6taFaaRKDZAI89d6yzEJR4qpQSMAVHfo:QpjExRbzEJuqpRMA
Threatray: 557 similar samples on MalwareBazaar
TLSH: CA455B72FA40D431E42229755D1BC6FCA43ABD702D24940A7BE9EF5C2E362D3B936247
Reporter: abuse_ch
Tags: AveMariaRAT exe geo GRC HSBC


abuse_ch
Malspam distributing unidentified malware:

HELO: mail.otcf.pl
Sending IP: 83.238.62.214
From: Alpha Bank <notification@alpha.gr>
Subject: Ειδοποίηση εισερχόμενης πληρωμής - HSBC
Attachment: HSBC-ALPHA.iso (contains "HSBC-ALPHA.exe")

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 79
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Using Windows Management Instrumentation requests
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AveMaria ModiLoader
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connections per server for Internet Explorer
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected ModiLoader
Behaviour
Behavior Graph:
Behavior Graph ID: 309672
Sample: HSBC-ALPHA.exe
Startdate: 05/11/2020
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Yara detected ModiLoader
  6 other signatures

Process tree and observations:
  HSBC-ALPHA.exe (started)
    Network: cdn.discordapp.com 162.159.130.233, port 443 (source port 49722), CLOUDFLARENETUS, United States
    Dropped file: C:\Users\user\AppData\Local\...\Bndpdrv.exe (PE32)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
    Starts: ieinstal.exe
      Network: efiigbo9.duckdns.org 185.140.53.130, port 8800 (source port 49728), DAVID_CRAIGGG, Sweden
      Signatures: Increases the number of concurrent connections per server for Internet Explorer; Hides that the sample has been downloaded from the Internet (zone.identifier)
    Starts: notepad.exe
      Starts: cmd.exe (two instances)
        Starts: conhost.exe (one per cmd.exe instance)
  Bndpdrv.exe (started, first instance)
    Network: 162.159.135.233, port 443 (source ports 49734, 49741), CLOUDFLARENETUS, United States
    Signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign process
    Starts: ieinstal.exe
  Bndpdrv.exe (started, second instance)
    Starts: ieinstal.exe
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2020-11-04 10:02:50 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family: warzonerat
Score: 10/10
Tags: family:modiloader family:warzonerat infostealer persistence rat trojan
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SHA256 hash: f91dac6b3f959138295d2a16c4ff1ea413dd37c221ce0bd3cec5c680c00548a3
MD5 hash: e61dddeaf34056f67a5f9ce8e426bc95
SHA1 hash: 51db609e4b9b636f21d3f72c4ac13cb568f4097a

SHA256 hash: b45ef2d0f2d95c46951bbd1f2aaa4c62d1dbbec336b977e086b11b2128a31550
MD5 hash: d17ff23ee17c8da32e7c3e2caa03fb65
SHA1 hash: 47f786b0e6aa2cde2e4bd0dac8e362d076a09c07
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Dropped by: MD5 b1e821d2f5a0b7289597efd6af070b34
This sample: Executable exe f91dac6b3f959138295d2a16c4ff1ea413dd37c221ce0bd3cec5c680c00548a3 (AveMariaRAT)
Delivery method: Distributed via e-mail attachment

Comments