MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b20d47852dd39e2a2174bfdfbf4b19aed0e3f4ee767c6d57a659cb06dca9b5c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	b20d47852dd39e2a2174bfdfbf4b19aed0e3f4ee767c6d57a659cb06dca9b5c7
SHA3-384 hash:	1e9defee1bc25e5503d7e1032b22d2b44b783ae857ca3629aa1d4245e0e2eba5406f4cc9420de56139578d8620e64dd1
SHA1 hash:	3569fa82e9931cb5f8cd02284dca54dee0bd4f8b
MD5 hash:	a9350050ec6f1a58cc81dbeee789c436
humanhash:	earth-lamp-bluebird-double
File name:	b20d47852dd39e2a2174bfdfbf4b19aed0e3f4ee767c6d57a659cb06dca9b5c7
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	1'931'146 bytes
First seen:	2020-06-29 07:10:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7be4c98eebb39d282cdffc1cea8fb470 (661 x AveMariaRAT, 29 x Riskware.Generic)
ssdeep	12288:Q99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSG9dA7W2FeDSIGVH/KIDgS:k1gg4CppEI6GGfWDkMQDbGV6eH8tkj
Threatray	739 similar samples on MalwareBazaar
TLSH	32957DD23B1204ABDBB32A75E40FE5B02195BD3A1A10F75E77B37D18895B2D1381638B
Reporter	JAMESWT_WT

Intelligence

File Origin

# of uploads :

1

# of downloads :

67

Origin country :

n/a

Vendor Threat Intelligence

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/15479/

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Malware.Daqc-6598201-0

Win.Malware.Ursu-6793772-0

Win.Malware.Ursu-6914171-0

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/b20d47852dd39e2a2174bfdfbf4b19aed0e3f4ee767c6d57a659cb06dca9b5c7/

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2020-06-20 00:02:29 UTC

File Type:

PE (Exe)

Extracted files:

63

AV detection:

26 of 28 (92.86%)

Threat level:

2/5

Verdict:

malicious

Similar samples:

04fb4d7876dc1e4c31448a62dbc77223b453fb6abd187c92f51658807c21eaa5

1badaedfef29ff3d768eb71cb739d45107d67a160244fb2b17a978f2202a5b36

1f3155a17517ae07b481c78d6611f7053275b9d488d7475aec599683a80d8a85

45e16f925fd769f19452d415ba3ad69fa6bc5c3e97fef7f048d13f2fabe840c6

54c9ce578a123b2abbcb00af7638f3d1c93041959ebccf3981a099a869c5a171

753e45a48d86d4832c4cfe09e5c5dc18342aae8dde9a2a1851434aa1467da4b9

7f95fc08dcdbe713e3a41b5b5d72763b4b3a4c608a1766596c8d055b12b2ee27

950c5135a82ae668688c83c699fc372e74f2745aae8effd9f87fcae2b4a447be

96d15bb3fe99161d651573512abb94b55f9b88e72c3a34d52eb4ce7574da8db7

b9eb219ce57af2c2320bab070cc02c9c1e263b6cf79205a0799129bf29d22a5f

+ 729 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/200629-yra1xbtnw6/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run entry to start application

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon for persistence

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/15479/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample