MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00bb6fd18eb233e3b8dcd73015363ab7cef5efac776697c2126b8932ffd4d888. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00bb6fd18eb233e3b8dcd73015363ab7cef5efac776697c2126b8932ffd4d888
SHA3-384 hash: df63eb46121dfe6fc16f1584ee899ba3b992d0159c107759be10a5e9c104a0ff006a704dde2b1ad69c11da5b15a51198
SHA1 hash: 97d399d2ae793edc57f3fa655111f930bdf38be2
MD5 hash: 9aeaa503046d2cce7b355fd75f7d6420
humanhash: utah-crazy-eighteen-river
File name:Product Picturesjpg jpg jpg.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:481'280 bytes
First seen:2020-08-19 12:54:24 UTC
Last seen:2020-08-19 13:45:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:2MzE7aQCW3xdhmmYodeB2wNL41Tapf77FjJe7KGXeAyWr+61mxzOnu9jr:2Mg7ax2xdhmrnL0e17Fde7KGupWrMP
Threatray 780 similar samples on MalwareBazaar
TLSH 77A4D03232C09F24D27A5336CCDA520903F9FC077512DEEEBD99224C6921B964BA27D7
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
AveMariaRAT C2:
198.12.84.39:5200

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48520/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.6.Gen.26663.28602.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/438011
Signature
.NET source code contains potential unpacker
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00bb6fd18eb233e3b8dcd73015363ab7cef5efac776697c2126b8932ffd4d888/
Threat name:
ByteCode-MSIL.Trojan.Sudloader
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 12:56:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ac5w7umowiz6hog424ybknr2w7hpl35mo5tjpqqsnoetf76u3cea._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
147fd6db099fd3dc5df37edc08622878edd4b048e858e8c002db3f3511d922a6
AveMariaRAT
25bd8be2689477443c6a6b89c3195bd81b733853aa4502cfd14a6e25afc3798e
AveMariaRAT
37d250d71a687db0e2c094fd5932bd32a6198a94b86553580d495cbb592d0f96
AveMariaRAT
6fa521f676916e485cd1a3c2c38062c84248294d9ffdcaa5674c2d73df7c1e42
AveMariaRAT
847a17631eb77cdb667aadc9bebec75562fd1dfc4fd6206d2ec2636a11671cca
AveMariaRAT
996ede8d9cb8561481707de2768ca29bf7294c66ac1de666cb390417eb2d9d60
AveMariaRAT
b012e1f25d3642b743bab2be52eea91dccda4b34709bde39ab802247c0212af7
AveMariaRAT
be66827292b98575cb69b0898954699f52c491ddb0bc8c613a70d20fb3871657
AveMariaRAT
d045c6b114f25c29811bbb61864da2f464c9d5195b54d70008b7bbf91384b47f
AveMariaRAT
de25f269f4f7e5cc02f5e16e0c780ef25787df1d161f2fad276d88ddfce79f90
AveMariaRAT
+ 770 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence evasion spyware
Link:
https://tria.ge/reports/200819-qznsyelt7e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Program Files directory
Drops file in System32 directory
Modifies service
Suspicious use of SetThreadContext
Drops file in System32 directory
Modifies service
Suspicious use of SetThreadContext
JavaScript code in executable
Maps connected drives based on registry
Modifies WinLogon
JavaScript code in executable
Maps connected drives based on registry
Modifies WinLogon
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Sets DLL path for service in the registry
Looks for VMWare Tools registry key
Sets DLL path for service in the registry
Looks for VirtualBox Guest Additions in registry
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00bb6fd18eb233e3b8dcd73015363ab7cef5efac776697c2126b8932ffd4d888

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 00bb6fd18eb233e3b8dcd73015363ab7cef5efac776697c2126b8932ffd4d888

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48520/

Comments