MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d9346916b045c5d6641614a9657dcab88a2e667c7ad764fc281d4bf80a7746e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 5



SHA256 hash: 3d9346916b045c5d6641614a9657dcab88a2e667c7ad764fc281d4bf80a7746e
SHA3-384 hash: 6583d3308d09e0930a44e81d21eb13549db935bb382d529926bf69d73401aa1b29ca59abb0081c6d7221c7380d5dfd10
SHA1 hash: 102d8f59882afdcbd1cf7857370d41afcece63f2
MD5 hash: bed5ba44eb5f618beaf24ab935d05c96
humanhash: blossom-robert-wisconsin-beryllium
File name: Transaction_Details.exe
Signature: AveMariaRAT
File size: 296'960 bytes
First seen: 2020-08-08 17:58:55 UTC
Last seen: 2020-08-08 18:55:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 6144:Z/bEIA6PKvGlxmIb/zv3tmZlF9VwfgiWpiA:Z/OeKIb/zv3El8grpiA
Threatray: 143 similar samples on MalwareBazaar
TLSH: 3454F0B9379EDFB2D4EC1AB2555D308003792D3AE711E3557ECA31EB2A3639046813A7
Reporter: abuse_ch
Tags: AveMariaRAT exe


abuse_ch
Malspam distributing unidentified malware:

HELO: mail.frehty.info
Sending IP: 157.245.229.28
From: Angela Lim <security@frehty.info>
Subject: Your Order is out for delivery
Attachment: Transaction_Details.rar (contains "Transaction_Details.exe")

Intelligence


File Origin
# of uploads: 2
# of downloads: 111
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request

Result
Threat name: AveMaria
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: System File Execution Location Anomaly
Sleep loop found (likely to delay execution)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AveMaria stealer
Behaviour

Behavior Graph (ID: 260196)
Sample: Transaction_Details.exe
Startdate: 08/08/2020
Architecture: WINDOWS
Score: 100

Top-level signatures: Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; Sigma detected: Scheduled temp file as task from temp location; 7 other signatures

Process tree (each process with its contacted hosts, dropped files and per-process signatures, as recovered from the graph):

Transaction_Details.exe
  Network: cobhamplasteringservices.co.uk (95.131.65.73; ports 49727, 49736, 80; GD-EMEA-DC-LD5GB, United Kingdom)
  Dropped: C:\Users\user\AppData\...\SystemUpdate.exe (PE32); C:\Users\user\AppData\Local\...\tmpA6D3.tmp (XML); C:\Users\user\AppData\...\BtNkElxAKmISx.exe (PE32)
  Signatures: Detected unpacking (creates a PE file in dynamic memory); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Injects a PE file into a foreign processes
  Transaction_Details.exe
    Network: 162.250.125.46 (ports 49732, 52001; IS-AS-1US, United States); cobhamplasteringservices.co.uk
    Dropped: C:\Users\user\AppData\Roaming\xr.FusyKG.exe (PE32); C:\Users\user\...\SystemUpdates[1].exe (PE32)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Increases the number of concurrent connection per server for Internet Explorer; 3 other signatures
    xr.FusyKG.exe
      Dropped: C:\Users\user\AppData\...\SystemUpdates.exe (PE32)
      Signatures: Machine Learning detection for dropped file; Creates multiple autostart registry keys; Injects a PE file into a foreign processes
      xr.FusyKG.exe
        Signatures: Hides threads from debuggers
        dllhost.exe
          Network: 192.168.2.1 (unknown, unknown)
    cmd.exe
      conhost.exe
  SystemUpdate.exe
    Dropped: C:\Users\user\AppData\...\SSystemUpdate.exe (PE32)
    Signatures: Machine Learning detection for dropped file; Creates multiple autostart registry keys; Contain functionality to detect virtual machines; Injects a PE file into a foreign processes
    SystemUpdate.exe
      Dropped: C:\Users\user\AppData\Local\...\dllhost.exe (PE32); C:\Users\user\AppData\Local:08-08-2020 (HTML); C:\Users\user\AppData\Local\...\zlib1.dll (PE32); 6 other files (none is malicious)
      Signatures: Creates files in alternative data streams (ADS); Sleep loop found (likely to delay execution); Hides threads from debuggers
      dllhost.exe
        Network: 212.129.62.232 (ports 443, 49735; OnlineSASFR, France); 145.239.84.172 (ports 443, 49740; OVHFR, France); 4 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
  schtasks.exe
    conhost.exe
  Transaction_Details.exe
SSystemUpdate.exe
  SSystemUpdate.exe
    Signatures: Hides threads from debuggers
    dllhost.exe
SSystemUpdate.exe
  SSystemUpdate.exe
2 other processes
  Signatures: Machine Learning detection for dropped file
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-08-08 18:00:11 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 3d9346916b045c5d6641614a9657dcab88a2e667c7ad764fc281d4bf80a7746e (this sample)

Delivery method: Distributed via e-mail attachment

Comments