MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02b9bc3c8ac2cea4764860f49e6be78b8fad956c7bbf28d4260671bb5260568d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02b9bc3c8ac2cea4764860f49e6be78b8fad956c7bbf28d4260671bb5260568d
SHA3-384 hash: 6d9144d182e89561c0631e2edf11af04a6020339c6174718467e1f4cc3f125d6fb04365977ca2835db2fb5c1ce853c2b
SHA1 hash: 92cd78a053496147584dfc5fca0b8fac883ac4be
MD5 hash: 0d79a60ea621a2f5139aafbfd8e07c87
humanhash: bluebird-diet-twenty-alaska
File name:PO436394_Fuyang_Sensi_Trading-2020_07_21_dwg.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:599'552 bytes
First seen:2020-07-21 16:13:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:FkaL5xxZZOcHzrCpsyP//MecLdZ2L74VXISuWbez:FtfZBHzrS1//nAP2L/JP
Threatray 1'000 similar samples on MalwareBazaar
TLSH 0BD45B00F7B485C6D3AA5F7AD87141009671FD5AABE6E38B2B84F6AD18B33584743F12
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: smtp1.hiworks.co.kr
Sending IP: 121.254.168.204
From: sp001@ksmps.co.kr <sp001@ksmps.co.kr>
Subject: PO436394 - Fuyang Sensi Trading
Attachment: PO436394_Fuyang_Sensi_Trading-2020_07_21_dwg.img (contains "PO436394_Fuyang_Sensi_Trading-2020_07_21_dwg.exe")

AveMariaRAT C2:
zcv2ngnfg69354253.3utilities.com:5200

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30278/
Detection(s):
SecuriteInfo.com.Gen.NN.ZemsilF.34136.Km0@aOahI0o.13892.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Setting a keyboard event handler
Unauthorized injection to a system process
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/393495
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249075 Sample: PO436394_Fuyang_Sensi_Tradi... Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 28 Malicious sample detected (through community Yara rule) 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected AveMaria stealer 2->32 34 Contains functionality to hide user accounts 2->34 8 PO436394_Fuyang_Sensi_Trading-2020_07_21_dwg.exe 5 2->8         started        process3 file4 24 PO436394_Fuyang_Se...0_07_21_dwg.exe.log, ASCII 8->24 dropped 36 Contains functionality to inject threads in other processes 8->36 38 Contains functionality to steal Chrome passwords or cookies 8->38 40 Contains functionality to steal e-mail passwords 8->40 42 Injects a PE file into a foreign processes 8->42 12 PO436394_Fuyang_Sensi_Trading-2020_07_21_dwg.exe 3 2 8->12         started        16 PO436394_Fuyang_Sensi_Trading-2020_07_21_dwg.exe 8->16         started        18 PO436394_Fuyang_Sensi_Trading-2020_07_21_dwg.exe 8->18         started        signatures5 process6 dnsIp7 26 zcv2ngnfg69354253.3utilities.com 89.38.225.174, 5200 M247GB Romania 12->26 44 Writes to foreign memory regions 12->44 46 Allocates memory in foreign processes 12->46 48 Increases the number of concurrent connection per server for Internet Explorer 12->48 50 2 other signatures 12->50 20 cmd.exe 1 12->20         started        signatures8 process9 process10 22 conhost.exe 20->22         started       
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/02b9bc3c8ac2cea4764860f49e6be78b8fad956c7bbf28d4260671bb5260568d/
Threat name:
ByteCode-MSIL.Trojan.MassLogger
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 16:14:10 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ak43ypekylhki5simd2j427hroh23flmpo7srvbgazy3wutak2gq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0206919af0add6cabd8ee38f1dc151c65630f204c63d4c145105c52f67c23de2
AveMariaRAT
2352a7cd00ed5221c4b807670ca01f49f76beb5dea868d8db38b1fcc0e362c18
AveMariaRAT
2dafd5f1570c579446d2b06ba815302da926c49683a36fe643241f1bd2144ac0
AveMariaRAT
51031d05083e587fa113208a5de4c7f7c0bd4f6ee385bdfee92c63786f7d7e88
AveMariaRAT
5e1aab06ccfce23aa83c2310f44c2b9ee1149fbe1afb2c02cc30172263facc10
AveMariaRAT
82182c1c2de7419a875c4b7cf492a3e3385485b444d45cec443b2fa968f1e4b7
AveMariaRAT
b8e2713744ae4bf75f6f051a88fd7cd88aa5a9d0e5707932b44a5fb47dd73057
AveMariaRAT
c3ca6a64f95f07e7557eb0ed7968c7d7bf735b08478f517061542059930bbf32
AveMariaRAT
e51adcf99928f26014b6993369a60a9d4371759f23ddbd4d0df10105ce6de848
AveMariaRAT
eed899d24d21a18eedea77f8f2860b70aa843e3f3757e8c53105f6eadd655d41
AveMariaRAT
+ 990 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200721-1n789pcfje/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/02b9bc3c8ac2cea4764860f49e6be78b8fad956c7bbf28d4260671bb5260568d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

img 78402cb1a321259e24f62d0b1991b99d8171100b7ed00e9f8b85db92b520d598

AveMariaRAT

Executable exe 02b9bc3c8ac2cea4764860f49e6be78b8fad956c7bbf28d4260671bb5260568d

(this sample)

  
Dropped by
MD5 29982612875cada47dd80666b8bd76cd
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30278/
  
Dropped by
SHA256 78402cb1a321259e24f62d0b1991b99d8171100b7ed00e9f8b85db92b520d598

Comments