MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 125cb3c64b38341e06ac31caa06939ce0a3a5ec9e8824d7bbb819a6d7e8c8a5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 5



SHA256 hash: 125cb3c64b38341e06ac31caa06939ce0a3a5ec9e8824d7bbb819a6d7e8c8a5f
SHA3-384 hash: ef3884dfdab63adc06185ece1a61ddb8deb2394cf77422b86222996c6c5c02173ae70c93e26b2be6bd18aef3cf5ce185
SHA1 hash: 4399cd379a4a926d730f3f4c862dd27ed27718bd
MD5 hash: 604ab0760ec7dcb487d124790385333e
humanhash: illinois-kansas-xray-vegan
File name: ORDER200814pdf.exe
Signature: AveMariaRAT
File size: 946'688 bytes
First seen: 2020-06-26 15:26:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e4ea71003f2e4bb27bd8bad8c2c3305e (6 x RemcosRAT, 2 x FormBook, 1 x NetWire)
ssdeep: 12288:+s7OYB2c+UHVuEp4tZEmfZE7wuLzMLqPbziLlv039vSZ+mEpdgjNV9Q:+sKYIguEpKGk+XicUqdgn9Q
Threatray: 590 similar samples on MalwareBazaar
TLSH: BE157E23F2914477C1631678AC6B5769993ABF112E28694B6BF83C0C5F393513C3E29B
Reporter: abuse_ch
Tags: AveMariaRAT exe nVpn RAT


abuse_ch
Malspam distributing unidentified malware:

HELO: WIN-SP3ZIDQ0RNC
Sending IP: 103.149.12.155
From: Sgarbo Ltd<admin@genoeven.ml>
Subject: RE: 20F480 QUOTE
Attachment: 200814pdf.7z (contains "ORDER200814pdf.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 100
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2020-06-26 15:28:07 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence spyware
Behaviour:
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run entry to start application
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AveMariaRAT
Executable exe 125cb3c64b38341e06ac31caa06939ce0a3a5ec9e8824d7bbb819a6d7e8c8a5f (this sample)

Delivery method: Distributed via e-mail attachment

Comments