Rewterz Threat Alert -WARZONE RAT ( aka Ave Maria RAT) Malware

Severity

Medium

Analysis Summary

Malspam WARZONE RAT (aka Ave_Maria Stealer aka Ave Maria RAT) malware has been spread through different phishing campaigns. Threat indicators are provided.

Indicators of Compromise

IP(s) / Hostname(s)

• 5.206.225[.]104
• 146.255.88[.]214

URLs

• warzonedns[.]com
• hxxp://5.206.225[.]104/dll/vcruntime140.dll
• hxxp://5.206.225[.]104/dll/softokn3.dll
• hxxp://5.206.225[.]104/dll/msvcp140.dll
• hxxp://5.206.225[.]104/dll/mozglue.dll
• hxxp://5.206.225[.]104/dll/freebl3.dll hxxp://5.206.225[.]104/dll/nss3.dll
• hxxp://5.206.225[.]104/dll/upnp.exe

Email Address

• manarnasr[@]madeinaudio[.]com
• tou013[@]efx.net[.]nz

Email Subject

• Important Process form Regarding fraud Adjustment Refund
• TD Bank Secure Mail
• Transaction receipt for eInvoice 4596
• ACH Credit Transaction

Malware Hash (MD5/SHA1/SH256)

• 4e56a44a29a1f6038f2f0c1909aa02846e61a3b9
• 8662cce96988085e2e35f80c0d9a3e7bb9022b22
• 708c6af4b82bd6913709fe6ed17c766e2585b3b4
• 1f8080cd046576290f28e1e22c2daf7843d72642
• b3892eef846c044a2b0785d54a432b3e93a968c8
• ffcdc87572815d4801094dd7fa7df5f5868d0b3e
• 153b601dd6780f1a532f68444f92aeed2c7971b58547aaf2b9d5165c0c14623d
• 27a855a5b954c4a2415b5f49cd798872a5bc6a08878ba5eea010b0a27718a987
• 49027f9a9bf07e48b40512aab3c06d5dcdf7a50bfd7019bf32182a1f2ffacf16
• cfe14dc4f408f1d1cbabf5b05cde303a8c8ff6a600d98b3ef4b12ab1d2f73ba0
• 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
• 0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9
• a2681b18b9e0d0a449cc9fd018d503cc
• 2cb663a749b8f07054e8ffc29564f78e
• 469209838a2ae561997998debabac084
• b74a28a008ea01c409392dbeb15a078a
• 461ade40b800ae80a40985594e1ac236
• ee03ca33712e4ee518cb7b046d0f64ec

Remediation

• Block the threat indicators at their respective controls.
• Always be suspicious of unsolicited email.
• Never click/ download any attachments sent from unrecognized senders.