MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c666978e3d3fbfa2fe40db4b7de89d5e4e9d4caeacc33b54ba0311aff72a23b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	0c666978e3d3fbfa2fe40db4b7de89d5e4e9d4caeacc33b54ba0311aff72a23b
SHA3-384 hash:	07c48d3d0a3858b9b5e0fe59f3e0d1c00ff95f51bfb95e52b9e97312e58641e6632ff34747e864582e42528468f60c92
SHA1 hash:	088c5034d956d9b453c6856469b26d70d2147e90
MD5 hash:	8d34431b7dc479085081d123e86356cb
humanhash:	florida-five-princess-steak
File name:	Confirmed PO# JM19152.pdf.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	398'336 bytes
First seen:	2020-08-19 06:55:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	3072:1YHtFB/qunldSb0ivl/ZIQlYZfDRD+ITwaAEez3d2qb1jd/NJYsDwUrf/KHKxyoL:12wunldSL9/jlaD8jz3d2qPXFj/Qo+
Threatray	521 similar samples on MalwareBazaar
TLSH	8F844A3535C2443ADF3546B008B899D3B229769C3B478ABFA6CE033E5E1285B776534E
Reporter	abuse_ch
Tags:	AveMariaRAT exe

abuse_ch

Malspam distributing unidentified malware:

HELO: pier.snetdns.com
Sending IP: 89.252.191.14
From: John Wu <fion@fethenaillounge.com>
Subject: Confirmed New Purchase Order PO# JM19152
Attachment: Confirmed PO JM19152.pdf.rar (contains "Confirmed PO# JM19152.pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/48250/

Detection(s):

SecuriteInfo.com.Variant.Barys.50278.29371.28738.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Sending a UDP request

Creating a file

Creating a process from a recently created file

DNS request

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Creating a file in the Program Files subdirectories

Launching a service

Loading a system driver

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun for a service

Forced shutdown of a system process

Result

Threat name:

AveMaria

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/436478

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Contains functionality to hide user accounts

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides user accounts

Increases the number of concurrent connection per server for Internet Explorer

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Tries to detect virtualization through RDTSC time measurements

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected AveMaria stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/0c666978e3d3fbfa2fe40db4b7de89d5e4e9d4caeacc33b54ba0311aff72a23b/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-18 19:11:22 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=brtgs6hd2p57ul7ebw2lpxuj2xsotvgk5lgdhnkluayrv73sui5q._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

24bce555546817dc9293da3c7fe25301777f365e008ef2cdd3d979c829287ec6

AveMariaRAT

4cffbdf1d3e2016475da67b15f0ab12a9658e0970f691cebe0bd161e2e1772b2

AveMariaRAT

55a6b731215e8aea38a6f556669290c120ab916ac57754e45aca7b28b6cb0b9a

AveMariaRAT

9d3c04431db8d2630361ac69def49189101a5bf017627be2f147bcd66f3c8d29

AveMariaRAT

ae64e86e27b074ef0869d747916c9056b5e180f37f80624019d993f2b744dd35

AveMariaRAT

b5279796301bec9d8b3de84dff29a98dfb7cfe9d549279fddfd624b61583960f

AveMariaRAT

da103e7998ff3ffd61f85d819dc90514d910c30a0d2e9ee6c071001f9137161a

AveMariaRAT

e6d6cda38ec798c76fb5727c7af199c496408484c68f3d7c0d34d6be09900ca0

AveMariaRAT

e97d4cbbbb923b04cee8f87235ad15ab83a7cba51984422cdfdcfefa7e81d457

AveMariaRAT

+ 511 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

agilenet persistence spyware

Link:

https://tria.ge/reports/200819-192p687x6e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Drops file in System32 directory

Modifies service

Suspicious use of SetThreadContext

Drops file in System32 directory

Modifies service

Suspicious use of SetThreadContext

JavaScript code in executable

Modifies WinLogon

JavaScript code in executable

Modifies WinLogon

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

Executes dropped EXE

Sets DLL path for service in the registry

Executes dropped EXE

Sets DLL path for service in the registry

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Barys

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0c666978e3d3fbfa2fe40db4b7de89d5e4e9d4caeacc33b54ba0311aff72a23b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator