MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d64f2c47bc182a160e02ceebb8e194dd627fb83d762f9d1609d4f1d7cf3ff89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d64f2c47bc182a160e02ceebb8e194dd627fb83d762f9d1609d4f1d7cf3ff89
SHA3-384 hash: 461c9ff53e1c6a91046a1c0685df0f814a8b728899bbeb08af44b3cea7897465bd3d7ba02cb52ce5c8e93df7be404142
SHA1 hash: 0288a2c724051d6f42784b84dbb5cae170144358
MD5 hash: f2dc2472943a80a1adb493cefc36235a
humanhash: oranges-cat-berlin-green
File name:payment Slip.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:843'776 bytes
First seen:2020-07-16 18:32:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:f3cMfO2k4zUAkv5xM4PfF6aUEFv2PXydlcYJ/DZzHmsClHsYKcl:fheM4nFf5sCrcYtDZK
Threatray 2'088 similar samples on MalwareBazaar
TLSH E705F5C92401B0CDC40D8D7A4596D8B455E02E36F2F69E4366C22E6B78FF296EE0DDE1
Reporter abuse_ch
Tags:AveMariaRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: rdns1.portram.space
Sending IP: 164.132.242.252
From: mrfrank1@office365.com
Subject: office update
Attachment: payment Slip.rar (contains "payment Slip.exe")

AveMariaRAT C2:
185.140.53.21:1297

Hosted on nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-NL4-BE
country: EU
descr: Amsterdam, Netherlands
descr: Brussels, Belgium
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-07-14T13:31:17Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26940/
Detection(s):
Win.Trojan.Autoit-7356348-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/388726
Signature
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246537 Sample: payment Slip.exe Startdate: 18/07/2020 Architecture: WINDOWS Score: 100 71 Malicious sample detected (through community Yara rule) 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 Sigma detected: Scheduled temp file as task from temp location 2->75 77 12 other signatures 2->77 10 payment Slip.exe 5 2->10         started        13 images.exe 2->13         started        process3 file4 55 C:\Users\user\AppData\Roaming\vxhZpRRd.exe, PE32 10->55 dropped 57 C:\Users\...\vxhZpRRd.exe:Zone.Identifier, ASCII 10->57 dropped 59 C:\Users\user\AppData\Local\...\tmp54BD.tmp, XML 10->59 dropped 61 C:\Users\user\...\payment Slip.exe.log, ASCII 10->61 dropped 15 payment Slip.exe 4 10->15         started        19 schtasks.exe 1 10->19         started        21 payment Slip.exe 10->21         started        23 images.exe 13->23         started        process5 file6 63 C:\Users\user\AppData\...\eWehepvFoFJKw.exe, PE32 15->63 dropped 65 C:\...\eWehepvFoFJKw.exe:Zone.Identifier, ASCII 15->65 dropped 69 Injects a PE file into a foreign processes 15->69 25 payment Slip.exe 5 5 15->25         started        29 schtasks.exe 1 15->29         started        31 payment Slip.exe 15->31         started        33 conhost.exe 19->33         started        35 images.exe 23->35         started        signatures7 process8 file9 51 C:\ProgramData\images.exe, PE32 25->51 dropped 53 C:\ProgramData\images.exe:Zone.Identifier, ASCII 25->53 dropped 87 Increases the number of concurrent connection per server for Internet Explorer 25->87 89 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->89 37 images.exe 1 25->37         started        41 conhost.exe 29->41         started        signatures10 process11 file12 49 C:\Users\user\AppData\...\images.exe.log, ASCII 37->49 dropped 79 Multi AV Scanner detection for dropped file 37->79 81 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->81 83 Machine Learning detection for dropped file 37->83 85 4 other signatures 37->85 43 images.exe 37->43         started        signatures13 process14 signatures15 91 Injects a PE file into a foreign processes 43->91 46 images.exe 2 43->46         started        process16 dnsIp17 67 185.140.53.21, 1297, 49717, 49718 DAVID_CRAIGGG Sweden 46->67
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d64f2c47bc182a160e02ceebb8e194dd627fb83d762f9d1609d4f1d7cf3ff89/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 18:34:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nvspfrd3ygbkcyhaftxlxdqzjxlcp64d25rptulatvhr27ht76eq._file
Verdict:
malicious
Similar samples:
083c70afde1be48426ebcf28eacfa0cd47f96130790b79f5a367ae6b00eab142
AveMariaRAT
1e351911bf4f3405c644d9145ba2947cf78e9049578fe1e64b3466478ad3e1cf
AveMariaRAT
3c424e2399b9c7c6137ebd07c82955103e205ec70fa52518ea73fa82ef5cf946
AveMariaRAT
61d3b16d69068afeb3bc8e202dac064f6feb408f8146a721a6b31d83c20fe13c
AveMariaRAT
8210f4c4fedbca54d332df8d9e672cef8a4424695c2ffce581bf526a1537be27
AveMariaRAT
8beeeeda5eedb1246f95b8c4f658e71dc5f709dd00454da770d1529a87b2b810
AveMariaRAT
8c57c150d120c496a04aaad020b5458e8eff5f3fd69704a581360c785288c8d0
AveMariaRAT
960bdf7b7b3bd263fcd5aa32f4b0ddb567349d46f6d5062a8000981675bffe6f
AveMariaRAT
a5ce2ebab407749927a5056f7d432f5936675ec94e166e67bf0ea254a63e1abb
AveMariaRAT
f32433910c4e4cfc2c310279138f0c977abdb9878661781bf28c752b15b92df7
AveMariaRAT
+ 2'078 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200716-t7hysepg6x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_malumpos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar da819740f14e1c1f85f33466ffe2f39156fb61c63c9b7af1dd07d16548bc28c6

AveMariaRAT

Executable exe 6d64f2c47bc182a160e02ceebb8e194dd627fb83d762f9d1609d4f1d7cf3ff89

(this sample)

  
Dropped by
MD5 aafb01a080e7d0a47fb2065ca29b39fe
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26940/
  
Dropped by
SHA256 da819740f14e1c1f85f33466ffe2f39156fb61c63c9b7af1dd07d16548bc28c6

Comments