MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31267dc52948955da50418bc0c092ef55312cf74befb4136a5421013804e0ecf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31267dc52948955da50418bc0c092ef55312cf74befb4136a5421013804e0ecf
SHA3-384 hash: cec14353fb29c529af1a84230f06c0f1ecb7184a4eaadfb7376cc9eb7a7f74b87d3798a7f6f21982b3bb5663ccc9a655
SHA1 hash: 84ea15f29b4dcc8c5bd60486cf1ea71fdd168d87
MD5 hash: 3f5b04dc71eec30e6bc199a78c0561f5
humanhash: apart-tennessee-six-venus
File name:Payment_Details.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:678'912 bytes
First seen:2020-07-01 17:55:54 UTC
Last seen:2020-07-01 19:13:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4b522d1337a03224b843b6d2e54f5f21 (2 x AveMariaRAT, 2 x FormBook, 1 x RemcosRAT)
ssdeep 12288:lsGedX0ZE/lT+YhK6Aosb3zvIje3qBrJCSuAvofYM5PajSax:WfmZ6x+WHhi3zAxfCSuAvIYMB
Threatray 476 similar samples on MalwareBazaar
TLSH C9E48E22B690C437C07619389D0BBBF45936BD10AEE4A9873BE87D4C5F34A913939397
Reporter abuse_ch
Tags:AveMariaRAT exe RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17747/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31267dc52948955da50418bc0c092ef55312cf74befb4136a5421013804e0ecf/
Threat name:
Win32.Exploit.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2020-07-01 17:57:04 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=geth3rjjjckv3jiedc6aycjo6vjrft3ux35ucnvfiiibhacob3hq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
09fe435d0a761f4ebf0a28d7c023bb5448f5b924f3296f5054392996a521fc11
AveMariaRAT
0ca6d24907152bf5a6dd6a35cf7ab3e7712ebfa0a2245f2bdfc8a17ebed71bc4
AveMariaRAT
161f76475c6d357b76f661c3dbd0c653870b2a83ffe59c41511db64ff09b4b2f
AveMariaRAT
331f79d447c67aba1c4c7c9453adf79eb9c631219720e5fbcc051af167dff87d
AveMariaRAT
5c7b6c75eee95614a740b733b6895346066ae6c893c7b7cc8885ffa425ca6c86
AveMariaRAT
a102c4a2dfca8c218f1e65cbb5050012da856c3deba018d8c238fa9b09dd3a2b
AveMariaRAT
b10488bbd95fcf6ddad889eaefb6a7585a41071d24062bd0894ce6a5fc6eab87
AveMariaRAT
da8e89fa0cbec2f66ea695865de7a0eb7f9211c10aae3598490bbaec4f83ebfc
AveMariaRAT
dafbe8f50df58d704b31ddd6cde8fafa09627ffc4dc63b774104376fe924c3e9
AveMariaRAT
ebddbf171d569ce4db44a0284ac1cbe390e075854749713aa9186276036cacd6
AveMariaRAT
+ 466 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200701-e4z2y55h2a/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run entry to start application
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 31267dc52948955da50418bc0c092ef55312cf74befb4136a5421013804e0ecf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/17747/

Comments