Rewterz Threat Alert - WARZONE RAT (aka Ave Maria RAT) Malware

Wednesday, February 27, 2019

Severity

Medium

Analysis Summary

WARZONE RAT (aka Ave_Maria Stealer, aka Ave Maria RAT) malware is being distributed through malspam in several different phishing campaigns. Threat indicators are provided below.

Indicators of Compromise

IP(s) / Hostname(s)

  • 5.206.225[.]104
  • 146.255.88[.]214

URLs

  • warzonedns[.]com
  • hxxp://5.206.225[.]104/dll/vcruntime140.dll
  • hxxp://5.206.225[.]104/dll/softokn3.dll
  • hxxp://5.206.225[.]104/dll/msvcp140.dll
  • hxxp://5.206.225[.]104/dll/mozglue.dll
  • hxxp://5.206.225[.]104/dll/freebl3.dll
  • hxxp://5.206.225[.]104/dll/nss3.dll
  • hxxp://5.206.225[.]104/dll/upnp.exe

Email Address

  • manarnasr[@]madeinaudio[.]com
  • tou013[@]efx.net[.]nz

Email Subject

  • Important Process form Regarding fraud Adjustment Refund
  • TD Bank Secure Mail
  • Transaction receipt for eInvoice 4596
  • ACH Credit Transaction

Malware Hash (MD5/SHA1/SHA256)

  • 4e56a44a29a1f6038f2f0c1909aa02846e61a3b9
  • 8662cce96988085e2e35f80c0d9a3e7bb9022b22
  • 708c6af4b82bd6913709fe6ed17c766e2585b3b4
  • 1f8080cd046576290f28e1e22c2daf7843d72642
  • b3892eef846c044a2b0785d54a432b3e93a968c8
  • ffcdc87572815d4801094dd7fa7df5f5868d0b3e
  • 153b601dd6780f1a532f68444f92aeed2c7971b58547aaf2b9d5165c0c14623d
  • 27a855a5b954c4a2415b5f49cd798872a5bc6a08878ba5eea010b0a27718a987
  • 49027f9a9bf07e48b40512aab3c06d5dcdf7a50bfd7019bf32182a1f2ffacf16
  • cfe14dc4f408f1d1cbabf5b05cde303a8c8ff6a600d98b3ef4b12ab1d2f73ba0
  • 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  • 0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9
  • a2681b18b9e0d0a449cc9fd018d503cc
  • 2cb663a749b8f07054e8ffc29564f78e
  • 469209838a2ae561997998debabac084
  • b74a28a008ea01c409392dbeb15a078a
  • 461ade40b800ae80a40985594e1ac236
  • ee03ca33712e4ee518cb7b046d0f64ec

Remediation

  • Block the threat indicators at their respective controls.
  • Always be suspicious of unsolicited email.
  • Never click on or download attachments sent from unrecognized senders.
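The first remediation item assumes the defanged indicators above can be turned back into matchable values and routed to the right control (DNS/web filter for domains and URLs, firewall for IPs, mail gateway for sender addresses, EDR hash blocklist for digests). The following Python script is an added example written for this alert; it is not Rewterz code. It refangs a subset of the indicators listed above, classifies each by shape, and scans constructed sample log lines for matches. The log lines, the source host addresses in them and the file path are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# A subset of the indicators from the alert, kept in their defanged form.
DEFANGED_IOCS = [
    "5.206.225[.]104",
    "146.255.88[.]214",
    "warzonedns[.]com",
    "hxxp://5.206.225[.]104/dll/vcruntime140.dll",
    "hxxp://5.206.225[.]104/dll/upnp.exe",
    "manarnasr[@]madeinaudio[.]com",
    "4e56a44a29a1f6038f2f0c1909aa02846e61a3b9",
    "153b601dd6780f1a532f68444f92aeed2c7971b58547aaf2b9d5165c0c14623d",
    "a2681b18b9e0d0a449cc9fd018d503cc",
]

# Constructed sample log lines (proxy, mail, DNS and EDR) for the demonstration.
SAMPLE_LOG = [
    "2019-02-27T10:01:12Z proxy allow src=10.0.0.12 url=http://5.206.225.104/dll/upnp.exe",
    "2019-02-27T10:02:40Z mail from=manarnasr@madeinaudio.com subject=\"TD Bank Secure Mail\"",
    "2019-02-27T10:03:05Z dns query=warzonedns.com client=10.0.0.12",
    "2019-02-27T10:04:00Z proxy allow src=10.0.0.7 url=http://example.invalid/index.html",
    "2019-02-27T10:05:30Z edr file-create sha1=4e56a44a29a1f6038f2f0c1909aa02846e61a3b9 path=C:\\Users\\user\\AppData\\Local\\Temp\\upnp.exe",
]

HEX = re.compile(r"^[0-9a-f]+$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the alert ([.], [@], hxxp)."""
    return (ioc.replace("[.]", ".")
               .replace("[@]", "@")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def classify(ioc: str) -> str:
    """Name the control type an indicator belongs to, based on its shape."""
    if HEX.match(ioc):
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(ioc), "unknown")
    if "://" in ioc:
        return "url"
    if "@" in ioc:
        return "email"
    if IPV4.match(ioc):
        return "ip"
    return "domain"


def build_blocklist(defanged: List[str]) -> Dict[str, set]:
    """Group refanged, lower-cased indicators by the control that enforces them."""
    out: Dict[str, set] = {}
    for raw in defanged:
        ioc = refang(raw).lower()
        out.setdefault(classify(ioc), set()).add(ioc)
    return out


def _pattern(ioc: str) -> "re.Pattern[str]":
    # Anchor on non-identifier boundaries so 5.206.225.10 does not match
    # 5.206.225.104, while sub.warzonedns.com still matches the domain.
    return re.compile(r"(?<![\w-])" + re.escape(ioc) + r"(?![\w-])")


def match_log(lines: List[str], blocklist: Dict[str, set]) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, ioc) for every indicator found in the log lines."""
    compiled = [(kind, ioc, _pattern(ioc))
                for kind, iocs in blocklist.items() for ioc in sorted(iocs)]
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for kind, ioc, pat in compiled:
            if pat.search(low):
                hits.append((n, kind, ioc))
    return sorted(hits)


if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_IOCS)
    for kind, iocs in sorted(bl.items()):
        print(f"{kind}: {sorted(iocs)}")
    for n, kind, ioc in match_log(SAMPLE_LOG, bl):
        print(f"line {n}: {kind} match on {ioc}")
```

A proxy line carrying the download URL matches both the URL and the embedded C2 IP, which is the intended behaviour: the IP should be blocked at the firewall even when a different path is requested. Hash matching only works on logs that already carry a digest (EDR or file-integrity events); for mail attachments the gateway has to compute the hash itself.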
