MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 155b9d26bbe7326b6aff0b6561ba0c3b10f3a404bbc74392bcf1fd91f3f89041. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 155b9d26bbe7326b6aff0b6561ba0c3b10f3a404bbc74392bcf1fd91f3f89041
SHA3-384 hash: 30b18a68fedfea521f6add3ecda0a46657997450bc520639453a41c5118f899b9a7a55c5aa83540f7e8a22729b4e1511
SHA1 hash: 10ea86381e16230db74b077cbf7ef3a8614d39a7
MD5 hash: eadd4fd3815f25abbc20c1dd289738c7
humanhash: virginia-blossom-video-xray
File name:PO#694563963_2020-07-20_Quotation_dwg.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:694'272 bytes
First seen:2020-07-20 08:31:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:/uNDo1q9I6/kldSCGDyaod+ik4g8y3SoDYtvjlcrahU5bVF:/u9oOPW2rEloDqSrahKT
Threatray 599 similar samples on MalwareBazaar
TLSH 66E4DFC9AA905400D6ED2FF59E628AB44335BD05F5F2D30F1FC0B98A2A7B393D464762
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: smtp1.hiworks.co.kr
Sending IP: 121.254.168.204
From: Andy Saunders <kns10024@sungilsim.com>
Subject: Purchase Order - CN#811348
Attachment: PO694563963_2020-07-20_Quotation_dwg.img (contains "PO#694563963_2020-07-20_Quotation_dwg.exe")

AveMariaRAT C2:
4610215325.redirectme.net:5200 (46.102.153.25)

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28821/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391092
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 247882 Sample: PO#694563963_2020-07-20_Quo... Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 29 4610215325.redirectme.net 2->29 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected AveMaria stealer 2->37 39 3 other signatures 2->39 9 PO#694563963_2020-07-20_Quotation_dwg.exe 1 2->9         started        signatures3 process4 file5 27 PO#694563963_2020-...otation_dwg.exe.log, ASCII 9->27 dropped 41 Contains functionality to inject threads in other processes 9->41 43 Contains functionality to steal Chrome passwords or cookies 9->43 45 Contains functionality to steal e-mail passwords 9->45 47 Injects a PE file into a foreign processes 9->47 13 PO#694563963_2020-07-20_Quotation_dwg.exe 3 2 9->13         started        17 PO#694563963_2020-07-20_Quotation_dwg.exe 9->17         started        19 PO#694563963_2020-07-20_Quotation_dwg.exe 9->19         started        21 PO#694563963_2020-07-20_Quotation_dwg.exe 9->21         started        signatures6 process7 dnsIp8 31 4610215325.redirectme.net 13->31 49 Writes to foreign memory regions 13->49 51 Allocates memory in foreign processes 13->51 53 Increases the number of concurrent connection per server for Internet Explorer 13->53 55 2 other signatures 13->55 23 cmd.exe 1 13->23         started        signatures9 process10 process11 25 conhost.exe 23->25         started       
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/155b9d26bbe7326b6aff0b6561ba0c3b10f3a404bbc74392bcf1fd91f3f89041/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 08:33:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cvnz2jv344zgw2x7bnswdoqmhmiphjaexpduhev46h6zd47ysbaq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
032f594e26c4a20fc56b06210d294f7134f6c9a51cf30b7125db4683465a6643
AveMariaRAT
0698cbff335f16544c0a97a71df4f0e52ee4dbddf3cadad2ee0ac52103ea8ed2
AveMariaRAT
662e6858fb2067c38af99173b7a3201a148bd9104771badd96868bccc20ec687
AveMariaRAT
7ffbd591d72f33b826c40da82f5f72195ca4af6a311bb934862f3cd190d4fdad
AveMariaRAT
880bba3fa9d2e255ad00cc35d53aa361bcdf739d16064d669a4b21b9a8034f73
AveMariaRAT
9c33a1f6a337e39a99c4480f19e63fbaeee191defcd51c8a908e9af9da8e115c
AveMariaRAT
aed6c9d200b86186575d13e40ed7231c61bba34c0159c19ca6428168019da4f9
AveMariaRAT
c8d4a30dc6aa1224dd98bbb384b54e90ee845cbb0e0e591964868a0be5657897
AveMariaRAT
d4f9f7cd2d03cd2a1ede00200777caac9bd3ca5c337ce6bf6e15a3ff8e53f844
AveMariaRAT
ebd23b0402ce1f9f8d45a37ec77fc89381869a3399aa2d405830e7eb05299ad3
AveMariaRAT
+ 589 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200720-mda8zdejj6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/155b9d26bbe7326b6aff0b6561ba0c3b10f3a404bbc74392bcf1fd91f3f89041

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

img aa3771d655fdfa6157ad4f7f5c1b62e22a2bacef65f52301fb4ca483611ecfc1

AveMariaRAT

Executable exe 155b9d26bbe7326b6aff0b6561ba0c3b10f3a404bbc74392bcf1fd91f3f89041

(this sample)

  
Dropped by
MD5 52ba2a3c2d4890d35d8d5e3585596b05
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28821/
  
Dropped by
SHA256 aa3771d655fdfa6157ad4f7f5c1b62e22a2bacef65f52301fb4ca483611ecfc1

Comments