MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b9431b196547553849eebdb7a4a6cb57fc6d7d9af2c61c1abfffbf83e337984. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b9431b196547553849eebdb7a4a6cb57fc6d7d9af2c61c1abfffbf83e337984
SHA3-384 hash: 34a79028129eccc747635dfa5631827387fb5c1c0db9d8e5984c7d938db709cdb9b24d99c98409615a7e1d400e768320
SHA1 hash: 3ee633de3f2b4445383efd7b7bb0d3d943b11904
MD5 hash: 5ba833ae0b992d08486739f4dc0065dd
humanhash: xray-seventeen-mountain-oregon
File name:BV10013 (Rev A).scr
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:69'632 bytes
First seen:2020-07-30 07:16:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash da5a7637ca909c4a78bd4cca8d00d206 (1 x AveMariaRAT)
ssdeep 384:QWOi37J+6aNqB6Xfy9k1Eoz4ye65SQUTt/gSLmeOPWX:QWL7ENqB64k1GXQUp/gSfOPWX
Threatray 677 similar samples on MalwareBazaar
TLSH 38633C12F64D65B6F6AFC7F1EA3A8AD70776FC3068540907A4D83F1E2933A06BD40256
Reporter abuse_ch
Tags:AveMariaRAT scr


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: vps.hond-red.xyz
Sending IP: 45.95.169.93
From: info@hond-red.xyz
Reply-To: info@hond-red.xyz
Subject: Quote#CON-071720-EB
Attachment: Lists.img (contains "BV10013 (Rev A).scr")

Guloader payload URL:
http://seedwellresources.xyz/oke_qrerqI1.bin

AveMariaRAT C2:
216.170.119.24:5200

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35337/
Detection(s):
SecuriteInfo.com.Gen.NN.ZevbaF.34142.em0@aahp3wbG.2376.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Launching a service
Unauthorized injection to a recently created process
Setting a single autorun event
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun for a service
Forced shutdown of a system process
Result
Threat name:
AveMaria GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/403250
Signature
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Sleep loop found (likely to delay execution)
Tries to steal Mail credentials (via file access)
Yara detected AveMaria stealer
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 253854 Sample: BV10013 (Rev A).scr Startdate: 30/07/2020 Architecture: WINDOWS Score: 100 45 g.msn.com 2->45 47 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->47 57 Yara detected GuLoader 2->57 59 Yara detected Generic Dropper 2->59 61 Yara detected AveMaria stealer 2->61 63 3 other signatures 2->63 9 BV10013 (Rev A).exe 1 2 2->9         started        12 wscript.exe 2->12         started        14 wscript.exe 2->14         started        16 3 other processes 2->16 signatures3 process4 signatures5 75 Creates autostart registry keys with suspicious values (likely registry only malware) 9->75 77 Hides threads from debuggers 9->77 18 BV10013 (Rev A).exe 4 9->18         started        22 fipic.scr 2 12->22         started        24 fipic.scr 2 14->24         started        process6 file7 39 C:\Users\user\AppData\Local\...\fipic.scr, PE32 18->39 dropped 41 C:\Users\user\AppData\Local\...\fipic.vbs, ASCII 18->41 dropped 65 Hides threads from debuggers 18->65 26 fipic.scr 2 18->26         started        29 fipic.scr 8 22->29         started        32 fipic.scr 8 24->32         started        signatures8 process9 dnsIp10 79 Hides threads from debuggers 26->79 34 fipic.scr 8 12 26->34         started        53 seedwellresources.xyz 29->53 55 seedwellresources.xyz 32->55 signatures11 process12 dnsIp13 49 seedwellresources.xyz 68.65.123.182, 49728, 49732, 49734 NAMECHEAP-NETUS United States 34->49 51 216.170.119.24, 49729, 5200 AS-COLOCROSSINGUS United States 34->51 43 C:\Program Files\Microsoft DN1\sqlmap.dll, PE32+ 34->43 dropped 67 Hides user accounts 34->67 69 Tries to steal Mail credentials (via file access) 34->69 71 Sleep loop found (likely to delay execution) 34->71 73 3 other signatures 34->73 file14 signatures15
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0b9431b196547553849eebdb7a4a6cb57fc6d7d9af2c61c1abfffbf83e337984/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-07-30 07:18:08 UTC
AV detection:
32 of 48 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bokddmmwkr2vhbe65pnxustmwv74nv6zv4wgdqnl7757qprtpgca._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
03d585ea89f4e62bc18d42d1fadad0b02faca6d68c831e79fb542e9efd183f7a
AveMariaRAT
07bea1f0f5a11fdada688ba215ee670c1a77d2f05b0e1125edaee37e66a0819c
AveMariaRAT
26578480a0124210e78362e63cb2fb0d2998a47e6b1d8f43cbe787caba1ac5b6
AveMariaRAT
6535df8dcbd659939c18a93ee2b58e8ef05898e1baa30932cf3cfa876659d183
AveMariaRAT
6f0a196952625afc497fc03a952fc59f1dbef32d4ea5248c92f1dc5705da2d63
AveMariaRAT
988b22396032c7352be36c70d738091e7df261013cb1161194e8dc416fd15fe3
AveMariaRAT
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
AveMariaRAT
c123d96d15083236ebd509b2a5381b350e533d3c869f9aeed7df54651a04c238
AveMariaRAT
dc352fba70b027e2bfd420907be5443af811848df52a16a4845b2caac3ad8d2c
AveMariaRAT
f473972f1bc6adb86928a21d4a7af08550aec0ca5c17056a95e830142a2e8f11
AveMariaRAT
+ 667 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200730-nrvp3xesp6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Modifies service
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Modifies service
Suspicious use of SetThreadContext
Modifies WinLogon
JavaScript code in executable
Adds Run key to start application
Adds Run key to start application
Modifies WinLogon
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Loads dropped DLL
Reads user/profile data of web browsers
Sets DLL path for service in the registry
Executes dropped EXE
Sets DLL path for service in the registry
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b9431b196547553849eebdb7a4a6cb57fc6d7d9af2c61c1abfffbf83e337984

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img 8c8320a0470cec7b4127e375a4568a7c4b9b23284b4d6bf73bf603aeb9b7be6a

AveMariaRAT

Executable exe 0b9431b196547553849eebdb7a4a6cb57fc6d7d9af2c61c1abfffbf83e337984

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/421805/
  
Dropped by
MD5 3b58aceb63eb2a84e5fc03856e0118cc
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35337/
  
Dropped by
SHA256 8c8320a0470cec7b4127e375a4568a7c4b9b23284b4d6bf73bf603aeb9b7be6a

Comments