MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 043c7dd432720c9a854ddec54afef3c2651b6f419b7e58be93531cc75ec7e5d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash:	043c7dd432720c9a854ddec54afef3c2651b6f419b7e58be93531cc75ec7e5d3
SHA3-384 hash:	4f531e263e7bacf603c3a3355ce9e6c2f325988116ce557fd7729aa42e48cdc9f1a40587f754b22a3c2c3108108541d7
SHA1 hash:	0c0d0932f4f34cb33b2c31a2d11ac6f71a6e1339
MD5 hash:	757e03ba058a8d2936901b3066ad7285
humanhash:	five-green-georgia-purple
File name:	757e03ba058a8d2936901b3066ad7285.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	620'032 bytes
First seen:	2020-09-19 09:58:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f01e0f86270b7f3e5d91b31f21985535 (5 x AgentTesla, 2 x Loki, 1 x AveMariaRAT)
ssdeep	12288:QY2SRgOu9uO2dm4rqoXa3p1RxPhq3Lpqnjwd7:QxSJvObTV37jC1ZR
Threatray	430 similar samples on MalwareBazaar
TLSH	95D4AF67B2904433C1632E3D9D4B47B8A827BE1139285886EBE5EF4C5F39681F53B187
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/63695/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Variant.Zusy.313289.23925.21257.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Connection attempt

Result

Threat name:

AveMaria

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/470528

Signature

Contains functionality to detect sleep reduction / modifications

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Yara detected AveMaria stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/043c7dd432720c9a854ddec54afef3c2651b6f419b7e58be93531cc75ec7e5d3/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2020-09-18 21:46:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aq6h3vbsoigjvbkn33cuv7xtyjsrw32btn7frputkmomoxwh4xjq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

49f5e75f64b5a1620cc9a6cbd3870e87853aecb3ef4019ac1a42bdd8a0c499e7

AveMariaRAT

578df50c34d2f8f3146e5c4a457c4e9eac639070d3766ba202c84af6a790d4a7

AveMariaRAT

668566b73ffe0c42699030779e8704261bad9d095c56cac1206170c89c5fb698

AveMariaRAT

7fefe993a5094956c0dbdfb98e7a90aa3cc4a1dce3a4becc9fffc28e3ed4b00a

AveMariaRAT

ad7968f514af1229d279999f3b31876a6e78edcf4eb1584a27bf51e6d3f4c338

AveMariaRAT

aec7bb752bfb4fb49d6d363db8393e84a05da72cd3b54a9b368bc43adcd3f08d

AveMariaRAT

b1de8cf2d588ceb071c2549d61bec4724abffc886a42042268fdbfa9215a774b

AveMariaRAT

d30b949fc05b15b611b3fe420b6883062c5bb2b270c769540c48f703a46cbbf3

AveMariaRAT

df6b12e28602092e6841be50355a76684b5333b236cf9b8441dd73fc1abbf4ae

AveMariaRAT

+ 420 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/200919-gd3vakex1s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tinba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/043c7dd432720c9a854ddec54afef3c2651b6f419b7e58be93531cc75ec7e5d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator