MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30690dd57acb0fdd1b40b8985089381f463d9cc0601605782624283be72be025. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30690dd57acb0fdd1b40b8985089381f463d9cc0601605782624283be72be025
SHA3-384 hash: bae1302abac8eef05081bf9a2d999fe772d76e0e76381e2a7bf5628ff9ff20186b7dfba2d8886a6cd0f0c5ac04439ad7
SHA1 hash: dd06260610bc0a4dbfcb0778cd4fdf703e10770e
MD5 hash: 2114535592ff9c28d5bd897c10caada2
humanhash: twelve-maryland-connecticut-blue
File name:ReQUOTATION_REQUEST20200829.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:729'088 bytes
First seen:2020-08-28 06:06:13 UTC
Last seen:2020-08-28 07:04:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:vbmU2DqljanetnCysSVW7DAS5DKPmcOZVqIL3fNPVg5KeNdV8GTXH:i1MnCyLS5Ds411PqIyH
Threatray 443 similar samples on MalwareBazaar
TLSH FBF4D04A03298B6CDD58B6BC2590D0BCD1316E83EB79E1D4DEC73DAA395A34DA54C2C3
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: smtp66.iad3a.emailsrvr.com
Sending IP: 173.203.187.66
From: Sales <rami@smarttours-jo.com>
Subject: 回复: new products and offer
Attachment: ReQUOTATION_REQUEST20200829.xz (contains "ReQUOTATION_REQUEST20200829.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/52185/
Detection(s):
SecuriteInfo.com.Fareit-FYE2114535592FF.22791.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Enabling autorun by creating a file
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/453243
Signature
Contains functionality to hide user accounts
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 278992 Sample: ReQUOTATION_REQUEST20200829.exe Startdate: 28/08/2020 Architecture: WINDOWS Score: 100 28 g.msn.com 2->28 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for dropped file 2->36 38 Sigma detected: Scheduled temp file as task from temp location 2->38 40 9 other signatures 2->40 8 ReQUOTATION_REQUEST20200829.exe 7 2->8         started        signatures3 process4 file5 20 C:\Users\user\AppData\...\grYggiKlrC.exe, PE32 8->20 dropped 22 C:\Users\...\grYggiKlrC.exe:Zone.Identifier, ASCII 8->22 dropped 24 C:\Users\user\AppData\Local\...\tmp7205.tmp, XML 8->24 dropped 26 C:\...\ReQUOTATION_REQUEST20200829.exe.log, ASCII 8->26 dropped 42 Injects a PE file into a foreign processes 8->42 12 ReQUOTATION_REQUEST20200829.exe 3 4 8->12         started        16 schtasks.exe 1 8->16         started        signatures6 process7 dnsIp8 30 ca-fax123.home-webserver.de 103.99.1.43, 1050, 49728 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 12->30 32 192.168.2.1 unknown unknown 12->32 44 Tries to steal Mail credentials (via file access) 12->44 46 Increases the number of concurrent connection per server for Internet Explorer 12->46 48 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->48 50 Installs a global keyboard hook 12->50 18 conhost.exe 16->18         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30690dd57acb0fdd1b40b8985089381f463d9cc0601605782624283be72be025/
Threat name:
ByteCode-MSIL.Trojan.Sudloader
Create hunting rule
Status:
Malicious
First seen:
2020-08-28 06:08:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gbuq3vl2zmh52g2axcmfbcjyd5dd3hgamalak6bgequdxzzl4asq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
07ceaea9dd455538281cd8afd3b0fe49b34be3bfd7e30718572f6464bead5569
AveMariaRAT
3309682d4e7fe2d802cbe22c698b31d93e4d35a5ee611aedabc1f6e1f6a96e46
AveMariaRAT
4c61b7e22d734c70904acd8b8c64f5e40aa837729bbcec8d50f11addfb652963
AveMariaRAT
516b29be6f0d91a249adca2b26381bfa5b90cf6a643d1b621095c6425a74795b
AveMariaRAT
65dc5eae6aba498e459af4ab782d21cf3708141b3886226a9e31c407b6d9aa8f
AveMariaRAT
75692c6d88025cd8de4afa58076bd2dfe2b3adbf536c13513bf1f9b99811e143
AveMariaRAT
829abf5ae6cc64c2099d4e8f5160877ee47f82d9d8c29f24b47cee0aad726986
AveMariaRAT
9b79d0622124809cc47cc7b7423db95a0aae0f37a60d6a224e181f846ef6206d
AveMariaRAT
b7f19729b194bac7f587a7cc19778e925a218fec8106b23466367b2847b99ea2
AveMariaRAT
bd99f6b970cc52ee725dd1b734a440243655a3fbc1e2304a665b29d41477c25b
AveMariaRAT
+ 433 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/200828-765px28e4j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30690dd57acb0fdd1b40b8985089381f463d9cc0601605782624283be72be025

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

xz a936bdfb2d4c029116202a54e0fca985f94a788d5d40555b98b0e20d1d9fea9f

AveMariaRAT

Executable exe 30690dd57acb0fdd1b40b8985089381f463d9cc0601605782624283be72be025

(this sample)

  
Dropped by
MD5 ba5601911edf89144e8acfd2b8ae9d2a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/52185/
  
Dropped by
SHA256 a936bdfb2d4c029116202a54e0fca985f94a788d5d40555b98b0e20d1d9fea9f

Comments