MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b38f7cacc56a97f122827cc2e89c55c9747ad790f7649b6078cedca83659b4dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b38f7cacc56a97f122827cc2e89c55c9747ad790f7649b6078cedca83659b4dc
SHA3-384 hash: d4515a3187e8a91b53b6cc11477b6f0cd7b6b2ffbbd2692b7fae6fe133a5f78397528384080ef61e3da6cec436816f76
SHA1 hash: dfd62a6ba2d3889e9c5c8c9c749ce8c618af971d
MD5 hash: 245fdb577967d05abd2f0a663e4f30ea
humanhash: charlie-winner-carolina-sierra
File name:Cgwmgjt.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:602'626 bytes
First seen:2020-05-04 17:34:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e4442b35816ca2e900c77e488ad8f94f (5 x GuLoader, 1 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 12288:K5XmZNmWOIbbF70XQLOKK5+NiIR6lGWGTZt6k:K52bbbJB7Is5Ztd
Threatray 586 similar samples on MalwareBazaar
TLSH 1BD48D22B1D3C633D222197DAC7E537CD826BE132F2424466AF59D4C5FF9791382A293
Reporter abuse_ch
Tags:AveMariaRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: gsa-data.org
Sending IP: 45.249.91.173
From: Lilian <sales1@gsa-data.org>
Subject: Re: NEW MESSAGE
Attachment: 002INVOICE.rar (contains "Cgwmgjt.exe")

AveMariaRAT C2:
194.5.98.62:36075

Hosted on nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.98.0 - 194.5.98.255
netname: Privacy_Online
descr: Longyearbyen, Svalbard und Jan Mayen
country: SJ
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-04-26T16:42:54Z
last-modified: 2020-03-13T23:11:55Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Zusy.302747.1907.18345.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 13:17:12 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wohxzlgfnkl7ciucptborhcvzf2hvv4q65sjwydyz3okqnszwtoa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
14bc7146562bb679d9e708f1f748512a140a4a32e2ae1d7a8de6c971b5639686
AveMariaRAT
4fe45a8e07fc28eb30222f08219ca2bb8832220a97ff56333193bd422a876f0c
AveMariaRAT
62a9e0bc56c03b9ad7ff3ff1242415b95c29b10c2699a55c4d8940338e18887e
AveMariaRAT
7b7b7e7ad9b106a5508583f1b60e3a3d7385bf0d6592ca816839f6633f5e8045
AveMariaRAT
8f787ad8df4ea3ee0c0940cf5170cccffa5c5783f065b89581de06c53a20b30c
AveMariaRAT
8fbd0e656a1ee90b82591111e01fb0e8b7a3d3e711e0d5165d05a5d844b8c03f
AveMariaRAT
a445a5bc6990861c07657cc70e85253ff73cd88e6d7f040e00fb03ffbce5764b
AveMariaRAT
b5b64f85cdeb5432018e22087fce4b6dc1e56593e8416335f471d4eac1e2b8cf
AveMariaRAT
f56671421295bb65ac0572a24d6638c072465d4061eb7f1e8ad9fdc3c2967913
AveMariaRAT
fae5d87e8771f0025e306697f68afe511275e9772af23dfd081ffbfc0b56f38d
AveMariaRAT
+ 576 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-pbnbghnn26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar fb1a94fce6c015c7862213b9032f4e04fc6b4391a6d94aa0efcdbd8f8b599588

AveMariaRAT

Executable exe b38f7cacc56a97f122827cc2e89c55c9747ad790f7649b6078cedca83659b4dc

(this sample)

  
Dropped by
MD5 22678fcab7f0026c65bf668dbc406c35
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fb1a94fce6c015c7862213b9032f4e04fc6b4391a6d94aa0efcdbd8f8b599588

Comments