MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 331f79d447c67aba1c4c7c9453adf79eb9c631219720e5fbcc051af167dff87d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 4



SHA256 hash: 331f79d447c67aba1c4c7c9453adf79eb9c631219720e5fbcc051af167dff87d
SHA3-384 hash: 0fc450133d52ed0848a395953252ff61f823d2f82b7d35e2824b186797bff4451affd1cdfd7f893990181b26585ac8a5
SHA1 hash: d97e56c8712a5404e60e8c97e808618c518b9534
MD5 hash: e74aff2ce9a3acbfa4cb6434f4c294c2
humanhash: saturn-dakota-single-carbon
File name: Inquiry0172020pdf.exe
Download: download sample
Signature: AveMariaRAT
File size: 678'912 bytes
First seen: 2020-07-01 09:27:41 UTC
Last seen: 2020-07-01 11:09:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4b522d1337a03224b843b6d2e54f5f21 (2 x AveMariaRAT, 2 x FormBook, 1 x RemcosRAT)
ssdeep: 12288:rsGedX0ZE/lT+YhK6Aosb3zvIje3qBrJCSuAFofYM5PajSaY:AfmZ6x+WHhi3zAxfCSuAFIYMB
Threatray: 438 similar samples on MalwareBazaar
TLSH: 22E48E22B690C437C07619389D0BBBF45936BD10AEE4A9873BE87D4C5F34A913939397
Reporter: abuse_ch
Tags: AveMariaRAT exe


abuse_ch
Malspam distributing unidentified malware:

HELO: rdns0.frettiz.xyz
Sending IP: 159.89.88.152
From: Maggi <office@frettiz.xyz>
Subject: New Inquiry from Morsun Technologies
Attachment: Morsun Technologies.img (contains "Inquiry0172020pdf.exe")

Intelligence


File Origin
# of uploads: 2
# of downloads: 79
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Exploit.BypassUac
Status: Malicious
First seen: 2020-07-01 09:29:06 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: persistence

Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: MD5 791ba4fc461822c5b53083f05af6e286
Signature: AveMariaRAT
This sample: Executable exe 331f79d447c67aba1c4c7c9453adf79eb9c631219720e5fbcc051af167dff87d
Delivery method: Distributed via e-mail attachment

Comments