MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c90f8f78263803cec8fe8b3b7a99db8ef8ee3d688b58882a85fbed421a3b11c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c90f8f78263803cec8fe8b3b7a99db8ef8ee3d688b58882a85fbed421a3b11c
SHA3-384 hash: f45e6facdcb059d544bc43b3801bb4fb9afc6928f8320edc34d5c7eebe0f405f5a527ca6c68fe6cf0bf3accfe8a88998
SHA1 hash: 8e7bfb8da94947bd740c591f1dadb07ee3879e36
MD5 hash: 1a94051c178e6797aee315365b4077a1
humanhash: zebra-alaska-india-potato
File name:Payment Advice.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:7'680 bytes
First seen:2022-03-23 08:15:15 UTC
Last seen:2022-03-23 12:37:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 96:cYFkiNYSIYH7CMQONjFn1cPX1gPmhqeH9v/dwdhkLyXEU1zNt:cMN1TmrON5n18mPcqeHwdaLutP
Threatray 1'761 similar samples on MalwareBazaar
TLSH T105F1E601EBE45B3AEF7A4B7258632340D370E343AC7B9B1E68C4521B6E023D41252BA1
Reporter Racco42
Tags:AveMariaRAT ave_maria exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Advice.exe
Verdict:
Malicious activity
Analysis date:
2022-03-23 13:10:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e82125a3-3d30-4481-a3ea-101e5fb0c1c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/255528/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/623ad7540cd58dbd92de1548/reports/a8ca9ae2-8538-4b8d-a8b4-d71388c3e662/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb2e01a3-33b0-408d-93f2-ef716cf79175
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962739
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c90f8f78263803cec8fe8b3b7a99db8ef8ee3d688b58882a85fbed421a3b11c/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-03-23 08:17:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hsipr54cmoadz3ep5cz3pkm5xdxy5y6wrc2yravil67niindweoa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
05e84562001d02e9ef09ef20c37104dc784e7c6e32d101d2e9b73ccee25c39c4
AveMariaRAT
0758171eb92e029d38cef3237e2cdd899827cdeeb3386761933254981b707809
AveMariaRAT
094dfa15dcc49cf2c2cc2f460e1d31ac4ac2a0f3e2c505662dcb08eef937b320
AveMariaRAT
09acaed1582d4f3da067862bc15fb60d54d8e65c2a64bd2432d354941daf716f
AveMariaRAT
34393676a0517ab30b0032c14396655e8139844c415fc1a0136b6a8f2cf4fd73
AveMariaRAT
4fd5308871e64c013989aa09faee94095127770aee308b8f73fdfeac61accde0
AveMariaRAT
541edd0b23eb209ff5c4dba556e429099a86e6aa2d1ac57213dffb43bc5d0f2a
AveMariaRAT
80fa88690cc6490e1eb7f735ff4421fc5f813505d41987747ac4c5a9e268272d
AveMariaRAT
c16e26e9b8d56c149eccfbc4f160694b3bbe8e21b38c2c1df62aa426f7f190de
AveMariaRAT
e41578bc2d18e9eb7359e062697ecdf2ea32afc0bcbbece876b3b75b406eb619
AveMariaRAT
+ 1'751 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220323-j5r81seegl/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
3c90f8f78263803cec8fe8b3b7a99db8ef8ee3d688b58882a85fbed421a3b11c
MD5 hash:
1a94051c178e6797aee315365b4077a1
SHA1 hash:
8e7bfb8da94947bd740c591f1dadb07ee3879e36
Link:
https://www.unpac.me/results/64407ca3-0ad2-46e0-8148-81b0459003d4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3c90f8f78263/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/3c90f8f78263803cec8fe8b3b7a99db8ef8ee3d688b58882a85fbed421a3b11c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 3c90f8f78263803cec8fe8b3b7a99db8ef8ee3d688b58882a85fbed421a3b11c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/255528/

Comments