MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d6cac6b50fd6a9ef2d2e81e96174dd95d8f869ea7539a9525a6d4a11945c978. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 5

Intelligence 5 IOCs YARA 4 File information Comments

SHA256 hash:	4d6cac6b50fd6a9ef2d2e81e96174dd95d8f869ea7539a9525a6d4a11945c978
SHA3-384 hash:	a50070166fd9a1c9fdbd874eafa67c6c39ec0da6a691d2ff7c990d039e57af45754e6ad1d909b5c2e99678ff431ff7f3
SHA1 hash:	815ac1743efb13884e634a072c1d19e926ac7eab
MD5 hash:	b99e60fcd541199de46533ec7808c97b
humanhash:	salami-seventeen-delaware-bulldog
File name:	4d6cac6b50fd6a9ef2d2e81e96174dd95d8f869ea7539a9525a6d4a11945c978
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	64'000 bytes
First seen:	2020-06-29 07:51:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ae7d0bf9c619b111b6a98d55dfb55af3 (5 x AveMariaRAT)
ssdeep	768:BDmqvcQWXqb2yV55uCyx4HunAxOfK5y/OsN39CNqGa0RmRCec6S/s/e5fdoPwTdV:dRvAXANxyiHVWEE7HAA4rff6PwZ5dER
Threatray	424 similar samples on MalwareBazaar
TLSH	5953E126DFE1B471C9DD4A30E36B8A2B4244779403A9644DE93063E78DB0B8C6DF498F
Reporter	JAMESWT_WT
Tags:	AveMariaRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Warzone

Link:

https://www.capesandbox.com/analysis/15986/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Maria.4.17072.22484.UNOFFICIAL

SecuriteInfo.com.Trojan.PWS.Maria.3.30306.22950.UNOFFICIAL

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4d6cac6b50fd6a9ef2d2e81e96174dd95d8f869ea7539a9525a6d4a11945c978/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2020-06-25 22:34:32 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jvwky22q7vvj54ws5apjmf2n3foy7bu6u5jzvfjfu3kkcgkfzf4a._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

5dd2674c9f116740c0132fca0553257cd52d8785a7ff47dd6d361b30a9634189

AveMariaRAT

7b7b7e7ad9b106a5508583f1b60e3a3d7385bf0d6592ca816839f6633f5e8045

AveMariaRAT

7c7fbeb0b90a27a56ddbd1adee5627396a0d3f4639bea0d8675687a66064b6c8

AveMariaRAT

7f29131cb5f28ccbd60dbdf39b6b3c79a974d4a3950aac1d1c0f7edd68193c03

AveMariaRAT

7f62e5e2d0cfbe0740718588465b71a701fe3e188a8a4755baacbdc6fb41d52c

AveMariaRAT

94c5bf5ba01bdb8b028fe00eca0d805b8150c3639ce9e3cf0b86670061d66196

AveMariaRAT

a445a5bc6990861c07657cc70e85253ff73cd88e6d7f040e00fb03ffbce5764b

AveMariaRAT

c44f241eb6a6d9904d1cfd5f750124d56174e25ca2691a7028b32224b36911db

AveMariaRAT

e43d34170181b3e9b5baf550d70b27fdbcfcc8e974694352d77e5e52e8866a2d

AveMariaRAT

+ 414 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200629-hfw3wdjwms/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Program crash

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/15986/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample