MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe4f9a7b5da072d7af80c2d4d91e47888e0420e7c5ee8fd8c051d44283ac0c41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe4f9a7b5da072d7af80c2d4d91e47888e0420e7c5ee8fd8c051d44283ac0c41
SHA3-384 hash: 9bfe74b2e6486a1b62b96c69b7329e3b1b385cdbeb80595f38ba83936b0f29c4cfb924e6dbd593ae3ad18f4388d0f1cc
SHA1 hash: 1860accaa72e173217f5725f18b1fa57b4b8e19b
MD5 hash: 21e43b05560c378daed2e8ff1bb180ea
humanhash: arizona-delaware-delaware-ink
File name:Confirmed PO# JM19152.pdf .exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'030'656 bytes
First seen:2020-08-17 06:31:48 UTC
Last seen:2020-08-17 08:27:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:PS14FFhvAqvxXdF9UWK5WpLsep7dR5maqglsvOIIQHxBh8pxhC/DerIDjZvuhx:PS1QbvgWK5WpLsGdBlsvOIISBM6GeZa
Threatray 516 similar samples on MalwareBazaar
TLSH FB2596323A824C38C93A127064289DC2F325AA853FD4CB2F62DB67CC6F2255F7B6555D
Reporter abuse_ch
Tags:AveMariaRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: pier.snetdns.com
Sending IP: 89.252.191.14
From: John Wu <fion@fethenaillounge.com>
Subject: Confirmed New Purchase Order PO# JM19152
Attachment: Confirmed PO JM19152.pdf .rar (contains "Confirmed PO# JM19152.pdf .exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/46680/
Detection(s):
PUA.Win.Packer.BorlandDelphiKo-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a file
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/432624
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 268590 Sample: Confirmed PO# JM19152.pdf .exe Startdate: 17/08/2020 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->35 37 Yara detected AveMaria stealer 2->37 39 5 other signatures 2->39 7 Confirmed PO# JM19152.pdf .exe 6 2->7         started        process3 file4 19 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\...\AgileDotNetRT.dll, PE32 7->21 dropped 41 Writes to foreign memory regions 7->41 43 Allocates memory in foreign processes 7->43 45 Injects a PE file into a foreign processes 7->45 11 AddInProcess32.exe 3 7->11         started        signatures5 process6 file7 23 C:\Users\user\...\AddInProcess32.exe.log, ASCII 11->23 dropped 47 Contains functionality to inject threads in other processes 11->47 49 Contains functionality to steal Chrome passwords or cookies 11->49 51 Contains functionality to steal e-mail passwords 11->51 53 2 other signatures 11->53 15 AddInProcess32.exe 4 2 11->15         started        signatures8 process9 dnsIp10 25 caebd.ddns.net 194.5.97.60, 49734, 8822 DANILENKODE Netherlands 15->25 27 Hides user accounts 15->27 29 Increases the number of concurrent connection per server for Internet Explorer 15->29 31 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->31 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe4f9a7b5da072d7af80c2d4d91e47888e0420e7c5ee8fd8c051d44283ac0c41/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 06:33:09 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7zhzu625ubznpl4aylknshshrchaiihhyxxi7wgakhkefa5mbraq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0c666978e3d3fbfa2fe40db4b7de89d5e4e9d4caeacc33b54ba0311aff72a23b
AveMariaRAT
39f11c07469a7c80d1ec02da5e69b70c761597cf0032c1937c452c2229f66459
AveMariaRAT
4fa4af45c70295513c486589c0e36e7436be6abbf3c75e97b544db959e9dfcb5
AveMariaRAT
51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f
AveMariaRAT
57f4246d683336ab606ba5831ce88a0ff47a42de652f72795fe76169195821e1
AveMariaRAT
60d7b2ab0fb53d37576c2edd50231cc82e87d0c0cee85afddac247cb795164c3
AveMariaRAT
90d5792fd0a2ab859f120bef8f12a28c8f7e4119a43054c22db57e76c7b386a0
AveMariaRAT
b44646b530b067dadca8a6b31582efa9b9738c068a209af3b1bb4d403bd574fc
AveMariaRAT
d045c6b114f25c29811bbb61864da2f464c9d5195b54d70008b7bbf91384b47f
AveMariaRAT
fd5a7b200d38d962d9dc74639994bb1ecf989ecc189a5c2d06bc5196120f4ea5
AveMariaRAT
+ 506 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
agilenet persistence
Link:
https://tria.ge/reports/200817-e46fvzm2d6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Program Files directory
Drops file in System32 directory
Modifies service
Suspicious use of SetThreadContext
Drops file in System32 directory
Modifies service
Suspicious use of SetThreadContext
Modifies WinLogon
Modifies WinLogon
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Sets DLL path for service in the registry
Executes dropped EXE
Sets DLL path for service in the registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe4f9a7b5da072d7af80c2d4d91e47888e0420e7c5ee8fd8c051d44283ac0c41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar af90821e7f5e7b129e6c9a94d53c2906f0e0dca5ee3f3ee90d9809d93c67af9b

AveMariaRAT

Executable exe fe4f9a7b5da072d7af80c2d4d91e47888e0420e7c5ee8fd8c051d44283ac0c41

(this sample)

  
Dropped by
MD5 aa0bd6aba5ade119f4d568b8f531a7cb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46680/
  
Dropped by
SHA256 af90821e7f5e7b129e6c9a94d53c2906f0e0dca5ee3f3ee90d9809d93c67af9b

Comments