MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5136cc442f7ff2a99cb5c3c64c0419d23a3aba57f7389af3a758615eb8b6d26b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5136cc442f7ff2a99cb5c3c64c0419d23a3aba57f7389af3a758615eb8b6d26b
SHA3-384 hash: 336ceac56ad5cd94af14e88afc1929d4abf984009d2c63e2d0dacbb9b5bd903b24ab08fd2e6a90fb8c94cb4bd420bb56
SHA1 hash: 90992b92cbda0f62a6990ad47e2ceccd1c3df1dd
MD5 hash: a41fdbd40b07e4cec71b57868db22eaf
humanhash: two-pip-football-lemon
File name:RFQ For P.T Int #40803788200019 ,pdf.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'920'000 bytes
First seen:2020-05-06 16:35:07 UTC
Last seen:2020-05-06 18:04:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:XNYGYRb6O0mYWS1tpFyrzxOtwnftCSI5LO9:dzYcwVAtp4zxO6CZ+
Threatray 3'645 similar samples on MalwareBazaar
TLSH 2395F12623A052EEFB71B4F29D5C6E50E435DEFFC980B84C5722392B162D025E63747A
Reporter abuse_ch
Tags:AveMariaRAT exe


Avatar
abuse_ch
Malspam distributing :

HELO: gmail.com
Sending IP: 103.133.111.162
From: Olivia Whiston <oliviawhistonwhiston@gmail.com>
Subject: URGENT ORDER RFQ #218B
Attachment: RFQ For P.T Int 40803788200019 ,pdf.rar (contains "RFQ For P.T Int #40803788200019 ,pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VTN.26678.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 17:36:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ke3myrbpp7zkthfvypdeybaz2i5dvosx644jv45hlbqv5ofw2jvq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
13dd79b77c2ed2ba77d509e2d3b4621e83f7105674353f7e30930e07b099bce5
AveMariaRAT
182321120c1270861876820e9413137d6c32cd8af4e6aee6cef87ee5fa236b5b
AveMariaRAT
2222ddfcb76c8c278bbabf1b094e47950023f1319ae484d44dc502b91700db17
AveMariaRAT
3ecc7f6abd145158004019c01e8f8f7e56c2bc3d9b4625a3fe2e1eee470a7dd8
AveMariaRAT
6b946bb613a85c620302f21a45e55e1cf87fa06941df163aafcfbfcecb580276
AveMariaRAT
8978b5eb14061436a8d2249f9c92ac75d8307c83a09ea7aa3e6572f704b4335f
AveMariaRAT
b46571fd44360c7d8e9771a807c0914f419dc7dc69a43b475b537484a1aa5053
AveMariaRAT
dbdbfa24b62d54b1624dac7d07bd939677342c820867b0d8993f0ab95af3d342
AveMariaRAT
e666762b026d8017d202c3bf8f6b32d9a13bff5549735a93611e79b3c1a9ff83
AveMariaRAT
fe3dcdbbb57d61e04df490402d1e477ec1a804add945a2287c697b18a2234227
AveMariaRAT
+ 3'635 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger rezer0 spyware stealer upx
Link:
https://tria.ge/reports/201109-at3xe45vfj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
rezer0
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar b163004e067a5fb9aece369e536cee93dfb0dcd72c3fdd641b1fdacdd1d6b914

AveMariaRAT

Executable exe 5136cc442f7ff2a99cb5c3c64c0419d23a3aba57f7389af3a758615eb8b6d26b

(this sample)

  
Dropped by
MD5 9044b3b2ea6e1da700d7e931dd61f1e1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b163004e067a5fb9aece369e536cee93dfb0dcd72c3fdd641b1fdacdd1d6b914

Comments