MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e
SHA3-384 hash:	8587265b7478f6084334ba596e8fff1c994244727ffc90637ebf9f9e018524cf6d799ff8f98c790d35601dc183f934b8
SHA1 hash:	22b487be37f13797100c3348e1c9a3a254b41abc
MD5 hash:	771d64a701a7827fb3229f98ad3ff858
humanhash:	fruit-three-moon-berlin
File name:	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	1'105'920 bytes
First seen:	2020-06-17 09:03:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:FAHnh+eWsN3skA4RV1Hom2KXMmHaT+t4Nt75:0h+ZkldoPK8YaT+tW
Threatray	574 similar samples on MalwareBazaar
TLSH	6935AD0273D1C036FFABA2739B6AF64556BC79254133852F13981DB9BD701B2223E663
Reporter	JAMESWT_WT
Tags:	AveMariaRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/19273/

Detection(s):

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL

Gathering data

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2020-06-16 13:54:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vx62eq72qxfviv2r2rrzxbcdgkcd53c52tkcjpexgac376coyf7a._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

4b6d468aa63c45a4c7947487548bbaee9d6c1199839b20d884e43c150ffdea94

AveMariaRAT

4d62ea7ff9065f1febffff7abd440a0a0c8ba97b3728f276e8188e64353b4e05

AveMariaRAT

5c55ae6627bd38b18d3f347f40fbd6f6adc8c8954d514bd6bd3f7030565bf026

AveMariaRAT

9188298a545444368a26d4d1fcc9be1e49ed55660891458d75c3dd5a2981c93b

AveMariaRAT

b10488bbd95fcf6ddad889eaefb6a7585a41071d24062bd0894ce6a5fc6eab87

AveMariaRAT

c72cde3224e01da2283065c5a94d252f528c132019eb2f2656c86a7caa1006c2

AveMariaRAT

d0b771681ca1f486be3efc349653e38e750a626bea06ebcb1d634431fd1e8dda

AveMariaRAT

dafbe8f50df58d704b31ddd6cde8fafa09627ffc4dc63b774104376fe924c3e9

AveMariaRAT

df70b7f1c190951daadb981dddb42d7e7ace1d6cba158dbfa983035398ef61aa

AveMariaRAT

+ 564 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/200624-tgwkn56tfj/

Behaviour

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Suspicious use of SetThreadContext

Adds Run entry to start application

Loads dropped DLL

Drops startup file

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/19273/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample