MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff5c1829e2ad044ec148a71766e4cd62ca12a528062e7da001c787cfb37be27d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff5c1829e2ad044ec148a71766e4cd62ca12a528062e7da001c787cfb37be27d
SHA3-384 hash: f44e5105d8ed6df624cad7a88819311c9f8ff38b932dd35c2cead89fadc2f3fdbf056801735b324ffba6496100034c99
SHA1 hash: 8bea8d60dc0137ea3720e1caa5c369d8dc98f349
MD5 hash: 937e78726308b2076df4b8be19a4d151
humanhash: nebraska-berlin-nuts-tango
File name:SMSS ORDER 5676884767638,pdf.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:831'488 bytes
First seen:2021-09-16 14:04:27 UTC
Last seen:2021-09-16 14:59:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ff0bb68e944131943365efbe4d5b9737 (4 x RemcosRAT, 1 x AveMariaRAT, 1 x OskiStealer)
ssdeep 24576:DMvnUyU3fec2QPesT3GIZHrIzvlZwXI7Dyj3SaH+MJF:DqUjes
Threatray 597 similar samples on MalwareBazaar
TLSH T10A053965A1545F75D12FB4B82C81A3C8982BBC803D9DDFE815B8ED363B267813D1A05F
dhash icon 0cb23272b98ce6d1 (6 x RemcosRAT, 5 x Formbook, 2 x DBatLoader)
Reporter abuse_ch
Tags:AveMariaRAT exe RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SMSS ORDER 5676884767638,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-16 14:05:36 UTC
Tags:
installer
Link:
https://app.any.run/tasks/e25606db-bafd-4a1b-afad-353b932ead72

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/188447/
Detection(s):
SecuriteInfo.com.W32.Injector.TUO.15320.32191.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/61752316a9d585e6d5371134/reports/8d70fe67-bdca-40c6-b115-5146edc7a385/overview
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfb7a110-f49a-4b0c-bbf8-5cd7e0bf92a6
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852122
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 484551 Sample: SMSS ORDER 5676884767638,pdf.exe Startdate: 16/09/2021 Architecture: WINDOWS Score: 100 44 blessthychild.ddns.net 2->44 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 6 other signatures 2->68 9 SMSS ORDER 5676884767638,pdf.exe 1 21 2->9         started        14 Dmvzpur.exe 15 2->14         started        16 Dmvzpur.exe 15 2->16         started        signatures3 process4 dnsIp5 48 onedrive.live.com 9->48 50 dzp63w.db.files.1drv.com 9->50 52 db-files.fe.1drv.com 9->52 42 C:\Users\Public\Libraries\Dmvzpur.exe, PE32 9->42 dropped 78 Writes to foreign memory regions 9->78 80 Allocates memory in foreign processes 9->80 82 Creates a thread in another existing process (thread injection) 9->82 18 DpiScaling.exe 3 2 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        54 onedrive.live.com 14->54 58 2 other IPs or domains 14->58 84 Injects a PE file into a foreign processes 14->84 26 logagent.exe 2 14->26         started        56 onedrive.live.com 16->56 60 2 other IPs or domains 16->60 28 DpiScaling.exe 1 16->28         started        file6 signatures7 process8 dnsIp9 46 blessthychild.ddns.net 194.147.140.9, 49742, 49747, 49752 PTPEU unknown 18->46 70 Contains functionality to inject threads in other processes 18->70 72 Contains functionality to steal Chrome passwords or cookies 18->72 74 Contains functionality to steal e-mail passwords 18->74 76 2 other signatures 18->76 30 reg.exe 1 22->30         started        32 conhost.exe 22->32         started        34 cmd.exe 1 24->34         started        36 conhost.exe 24->36         started        signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff5c1829e2ad044ec148a71766e4cd62ca12a528062e7da001c787cfb37be27d/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-09-16 14:05:05 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=75obqkpcvuce5qkiu4lwnzgnmlfbfjjiayxh3iaby6d47m334j6q._file
Verdict:
malicious
Similar samples:
07915b1a44803fc9bd86d2d9ddad19434440b3d73f5c77f3400c84a935dd0255
AveMariaRAT
0840ac6a8ee445eed007f29220dad3dd03e59cf161524623c831596673c7e8d0
AveMariaRAT
3e167fe206a19097cd08d00335fc45f98a75cdb4697b3c530773c8803d50d0f9
AveMariaRAT
4611b180e4173882dba3e08aaa44ae28ce14d2f2709b2017082d57bcdecfb352
AveMariaRAT
5d0970ca455fd58945e13f996aaf77a66a7468d0927a3cfd41cbd22b20d13cdc
AveMariaRAT
6780919c60b1e4b3f1ef9cfb03bdd492f51ebc505ccddbd47be023d66d429eaf
AveMariaRAT
687fac8ea1cfe53efd98ae25b17da41e88603a8c8a3ada71fad837acd97a6533
AveMariaRAT
6a96d22dec9171b154bb1a94c68fa02dda51713709dad161681a759f64cc3014
AveMariaRAT
c6efb11667620971bfa2b783b75762c69c1bf3fe2cee9bd4ddc51164e8ba8563
AveMariaRAT
e3d62ea202f60dcb69703dcba7c59b2bf552c5ce2e951dfab0f1808af9e096a2
AveMariaRAT
+ 587 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/210916-rdtxjagdem/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
blessthychild.ddns.net:6014
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/0b471148-2fe7-43ae-be62-ca2d7c104f65/
SH256 hash:
ff5c1829e2ad044ec148a71766e4cd62ca12a528062e7da001c787cfb37be27d
MD5 hash:
937e78726308b2076df4b8be19a4d151
SHA1 hash:
8bea8d60dc0137ea3720e1caa5c369d8dc98f349
Link:
https://www.unpac.me/results/0b471148-2fe7-43ae-be62-ca2d7c104f65/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ff5c1829e2ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/ff5c1829e2ad044ec148a71766e4cd62ca12a528062e7da001c787cfb37be27d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Create hunting rule
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2_RID2C2E
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe ff5c1829e2ad044ec148a71766e4cd62ca12a528062e7da001c787cfb37be27d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/188447/

Comments