MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fe45a8e07fc28eb30222f08219ca2bb8832220a97ff56333193bd422a876f0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fe45a8e07fc28eb30222f08219ca2bb8832220a97ff56333193bd422a876f0c
SHA3-384 hash: b865a57757a15505ae63f978633799e7616b4f15ba9f6efa97f5fce0b3f300876c68295a4cd073ea8d4f7d865a013b0a
SHA1 hash: f88aaf79c4fb1ede0be9304da5c2acde84b2acf0
MD5 hash: 2ac0a5bf25087878319d1e0847424ce7
humanhash: five-monkey-november-moon
File name:RFQ.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:308'224 bytes
First seen:2020-04-30 09:53:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 185f93f292866cbf152ddfdef275b809 (1 x AveMariaRAT)
ssdeep 6144:D/Vk+38TuWmWEng5tfLlyi/Mo68E/wFcCXbcQVcW2NlXqCvYxB9yo:DZsTJLEOtPM8TFcCXYoN2NlRvY79y
Threatray 520 similar samples on MalwareBazaar
TLSH A36423DFE93E9C10FC5E93B850096FB7F21C32E31C2F55564F568AA0AAF1681D29580E
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: tltrade.pw
Sending IP: 62.173.145.226
From: Habib Lateef <support@tltrade.pw>
Reply-To: support@tltrade.pw
Subject: ALMEER RFQ
Attachment: RFQ.zip (contains "RFQ.exe")

AveMariaRAT C2:
45.138.172.56 56421

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Avemaria
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 06:51:54 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
30 of 31 (96.77%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7sfvdqh7quowmbcf4ecdhfcxoedeiqks77vmmzrso6uekuhn4ga._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
041f85034f71a295c168af2719d1dfa7a5d346f57b16a4b17bd6a471e3ceb55e
AveMariaRAT
4cffbdf1d3e2016475da67b15f0ab12a9658e0970f691cebe0bd161e2e1772b2
AveMariaRAT
4fa4af45c70295513c486589c0e36e7436be6abbf3c75e97b544db959e9dfcb5
AveMariaRAT
548bf8f685146ed7ee17c7a2aef0d62dba7be7aaed575712c5004aa26e83f1b3
AveMariaRAT
6142ce64bdf7d4373dedcadb54fb06efed10595a65713783f2930eb1ebb9f989
AveMariaRAT
8f787ad8df4ea3ee0c0940cf5170cccffa5c5783f065b89581de06c53a20b30c
AveMariaRAT
b2d2fb4b44455c19c6274c4c988e675a95ad9fc2f868b0abfeafba7a51426762
AveMariaRAT
b5279796301bec9d8b3de84dff29a98dfb7cfe9d549279fddfd624b61583960f
AveMariaRAT
c72cde3224e01da2283065c5a94d252f528c132019eb2f2656c86a7caa1006c2
AveMariaRAT
e7a5b30eb4ad9f5b7b53bd402756a623c67cfb8d46d1148b40d8bc2d4ea43594
AveMariaRAT
+ 510 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

zip 4b4d45013c86390dfe7cacd19907c033e1e9ff94e46d909c293b2a303e1020d5

AveMariaRAT

Executable exe 4fe45a8e07fc28eb30222f08219ca2bb8832220a97ff56333193bd422a876f0c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/333093/
  
Dropped by
MD5 6d14d6a86dd9e1343fa5e2ba57d668c1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4b4d45013c86390dfe7cacd19907c033e1e9ff94e46d909c293b2a303e1020d5

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments