MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 548a56a8561e017d98d7c207236ec0e072a33636fc5ecec193ba5ace0e2e8a05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 548a56a8561e017d98d7c207236ec0e072a33636fc5ecec193ba5ace0e2e8a05
SHA3-384 hash: 094098b8de5eac04c6963ed30ec28bc15d6bc3cde96498b46d6cc52b4ccfa5d0e4a5f1ed14b1f6bab8cf178c3c5843fc
SHA1 hash: 8adeaca1e56f63b8b027056ea7d5ec6409e8e10c
MD5 hash: faf4b45bf5be885c21b44c4dc9d473b3
humanhash: berlin-uniform-london-batman
File name:Sudhir PO 31051,pdf.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:371'712 bytes
First seen:2020-07-01 09:11:49 UTC
Last seen:2020-07-01 14:33:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:BbgIJCc90HaQUvAjXAYAabyAI4AeLa8xThl+uTtzlgAovP++Q2MapsE18d4HjCjE:19mzlgbP+UPXq4+Z9Dc
Threatray 600 similar samples on MalwareBazaar
TLSH 9C846BC07ABA4BD6EBB297FB1A62940047FAB97E6539D3590E8174CB91A1F004F50F13
Reporter jarumlus
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17630/
Detection(s):
SecuriteInfo.com.generic.ml.24390.UNOFFICIAL
Create hunting rule

Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/548a56a8561e017d98d7c207236ec0e072a33636fc5ecec193ba5ace0e2e8a05/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-01 08:10:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ksffnkcwdyax3ggxyidsg3wa4bzkgnrw7rpm5qmtxjnm4droricq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
00168316f03e50b7cf516c090729a168491ff2bf8f3538abc8f64489c86ebd8b
AveMariaRAT
25fc942b81a074fe6b40b2f817fb87d28a54949bf604e54c414c890a351b83e4
AveMariaRAT
2e4efd8081c1f404f225783de4e421b212cb451e9ac8202616bf6946d70151d4
AveMariaRAT
64ac97cf73567009fd4ea4707b2c0ac2917c74842a81bddf874889d772bf9146
AveMariaRAT
77308f79f7cb15139144f338622072fe4adab5f73debb682a349fbee8700c4ed
AveMariaRAT
93a1f0fa0637acd096c86ec4d7d3c6f73f689bf41f3cd16b5e5bcce48dcdc540
AveMariaRAT
9c7b335e031c3c2fde1e7d75cbe08bd0951b0cb8a327fa4bd3e54c4c59d32936
AveMariaRAT
b74131f0e776928368dad6576cd55844d766a94605616c29a6d4b045efb6bfe6
AveMariaRAT
c9dcd1d7470488ed72d4a673592ab0c4684124dc7e69bb903d47d6a71ffe42fd
AveMariaRAT
e5a67f4da5b8e9ecd086bfa4f6b8e49843656d2dd8adba4840ee9cf46da3054e
AveMariaRAT
+ 590 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200701-k1kaes3kr2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

zip 99a87c2c10eda3c24c709823d65917cfdff280fbcd9d8e11b716f4c59dcfff19

AveMariaRAT

Executable exe 548a56a8561e017d98d7c207236ec0e072a33636fc5ecec193ba5ace0e2e8a05

(this sample)

  
Dropped by
MD5 980ef66841667856d94e19abdb4b0600
  
Dropped by
SHA256 99a87c2c10eda3c24c709823d65917cfdff280fbcd9d8e11b716f4c59dcfff19
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/17630/

Comments