MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 147fd6db099fd3dc5df37edc08622878edd4b048e858e8c002db3f3511d922a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	147fd6db099fd3dc5df37edc08622878edd4b048e858e8c002db3f3511d922a6
SHA3-384 hash:	927a00b7291218d66b8b2cccb0b878203a53587e9e35d4529cb8b1d33203952c49007ae2b211549c7214efab971b9a3d
SHA1 hash:	bd8ae32c6db7c683712779cf692ad576cbc697df
MD5 hash:	20eee2daca26b592dd74fc3e2c6c843d
humanhash:	zulu-early-happy-november
File name:	PO-84542.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	480'256 bytes
First seen:	2020-08-18 11:50:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:dsgC787FqN57RNa4FwqRaXXeJUNmV7fz3zWxt:7C78RqXRNXFwqRmXeJUNmV7fz3Sr
Threatray	879 similar samples on MalwareBazaar
TLSH	24A4E1323294DB15D17A533ACC99614513FAB8037612DB6DBDDC229C0A117A78B23FDB
Reporter	abuse_ch
Tags:	AveMariaRAT exe nVpn RAT

abuse_ch

Malspam distributing AveMariaRAT:

HELO: swn0.723.zazomika.ml
Sending IP: 157.245.102.133
From: Anna Simon <ASimon@trevali.com>
Subject: Quotation/Inquiry PO-84542
Attachment: PO-84542.rar (contains "PO-84542.exe")

AveMariaRAT C2:
194.5.98.158:4570

Hosted on nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.98.0 - 194.5.98.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU6
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-04-26T16:42:54Z
last-modified: 2020-07-30T03:41:26Z
source: RIPE

Intelligence

File Origin

# of uploads :

1

# of downloads :

74

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/47775/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a file

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/147fd6db099fd3dc5df37edc08622878edd4b048e858e8c002db3f3511d922a6/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-08-18 11:52:07 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cr75nwyjt7j5yxptp3oaqyripdw5jmci5bmorqac3m7tkeozekta._file

Verdict:

malicious

Label(s):

avemaria

Similar samples:

041f85034f71a295c168af2719d1dfa7a5d346f57b16a4b17bd6a471e3ceb55e

220d9dee8512451f79c4ea016e9ed065ca3f378f3f1b29531cee3c686a100cce

4fa4af45c70295513c486589c0e36e7436be6abbf3c75e97b544db959e9dfcb5

6b985c20924c1b78ef2067405f6035dde9ce889882963aa755be990c7cdae311

90d5792fd0a2ab859f120bef8f12a28c8f7e4119a43054c22db57e76c7b386a0

b2d2fb4b44455c19c6274c4c988e675a95ad9fc2f868b0abfeafba7a51426762

b3124db4cffc55f2d3ee216ea71ea422ad3d4d7ff025d068a4cc2261fa43e4b3

b4d3bccc58e0a1222261fc91cf6c0b56db9116302c9aaf9d4ddf9273706d571f

be66827292b98575cb69b0898954699f52c491ddb0bc8c613a70d20fb3871657

de25f269f4f7e5cc02f5e16e0c780ef25787df1d161f2fad276d88ddfce79f90

+ 869 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion spyware

Link:

https://tria.ge/reports/200818-qkesl1yea2/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

JavaScript code in executable

Maps connected drives based on registry

JavaScript code in executable

Maps connected drives based on registry

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Looks for VMWare Tools registry key

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Looks for VirtualBox Guest Additions in registry

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/147fd6db099fd3dc5df37edc08622878edd4b048e858e8c002db3f3511d922a6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 1eb697dff13eb912b3b788b3a7fc68fe90649e1b9fd668c00a4e5adc3d50e072

exe 147fd6db099fd3dc5df37edc08622878edd4b048e858e8c002db3f3511d922a6

(this sample)

Dropped by

MD5 b4a99e69f87a750af2af2bbf9b530cbf

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/47775/

Dropped by

SHA256 1eb697dff13eb912b3b788b3a7fc68fe90649e1b9fd668c00a4e5adc3d50e072

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample