MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72329d4e81edcaa19778b8bf36f51e41f6ad5847d32f073b0d4959d9b1a9e458. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 72329d4e81edcaa19778b8bf36f51e41f6ad5847d32f073b0d4959d9b1a9e458
SHA3-384 hash: 148beb755f437a563a0dab3992c5210046b1e416c050c7462494de966c574ad0f95f5d13ce91693f134248f65ce10600
SHA1 hash: 848694417b664dc4773125b20d5bc08f977ed3a4
MD5 hash: 0a8e1e15aae37ceba94dd78e4b722dce
humanhash: mountain-lactose-mars-hydrogen
File name: Shipping Doument.20200731.exe
Signature: AveMariaRAT
File size: 363'008 bytes
First seen: 2020-07-31 12:07:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:qHuZEaQKexQTbBCcWYH7PggpcVeswY46P7HUqP4/proUz3s5czlSrcSb8nMcZ:qHuZEaQQvfH7IccYtDpUCc5MOb8h
TLSH: 7374BE5CB0EA251AF41236BF5FF9829BCE96F52F1692416B127524DB803CB4C6EC0E71
Reporter: @abuse_ch
Tags: AveMariaRAT exe RAT


Twitter
@abuse_ch
Malspam distributing AveMariaRAT:

HELO: mail.prakash.com
Sending IP: 203.115.100.10
From: akc@prakash.com
Subject: Shipment notification: Invoice Bill of Lading
Attachment: Shipping Doument.20200731.xz (contains "Shipping Doument.20200731.exe")

AveMariaRAT C2:
ca-fax123.home-webserver.de:1050 (103.99.1.43)

Intelligence


File Origin
# of uploads: 1
# of downloads: 33
Origin country: US

Mail intelligence
Geo location: Global
Volume: Low
Vendor Threat Intelligence

Result
Threat name: AveMaria
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to hide user accounts
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected AveMaria stealer
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-07-31 12:09:05 UTC
AV detection: 24 of 31 (77.42%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Threat name: Kryptik
Score: 1.00

Yara Signatures


Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name: Codoso_Gh0st_1
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name: Codoso_Gh0st_2
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name: MAL_Envrial_Jan18_1
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name: win_ave_maria_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Malspam
Malware family: AveMariaRAT
File: Executable exe 72329d4e81edcaa19778b8bf36f51e41f6ad5847d32f073b0d4959d9b1a9e458 (this sample)
Delivery method: Distributed via e-mail attachment

Comments