MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56b95c3399a705e1bcdc312f3c82749308279f744f1199a59e9bcb3818c194c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	56b95c3399a705e1bcdc312f3c82749308279f744f1199a59e9bcb3818c194c9
SHA3-384 hash:	1658140d845756b6bd87270d13347ee48b476c3261005d67b8c9bbf6d322ce4c6475386b90e596724c8b1a5ad5eb89e9
SHA1 hash:	c7ae2794b223343a84daf4bffe229ae7886f7233
MD5 hash:	60afc55f88a6172d4d598c15477fbbec
humanhash:	harry-coffee-oranges-king
File name:	Revised Proforma Invoice_pdf.scr
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	61'440 bytes
First seen:	2020-12-10 07:02:33 UTC
Last seen:	2020-12-10 08:34:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0821586b2482e6b496b4783e86c20f40 (1 x GuLoader, 1 x AveMariaRAT)
ssdeep	384:/0AoL6XUg1gT9cbQOMpEsp6KTgmdsdDBjDxy8pBqn/ASWpnFLJxW2xxjsDEUEyCB:HoLRyA9aw9p66iBcCqnRKHxWi+aRCI
TLSH	C2532A1366A85E35EBDB49BF4A1201E500436E2C96877FC2B8DC2FCD5E3B663406536E
Reporter	cocaman
Tags:	AveMariaRAT scr

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Revised Proforma Invoice_pdf.scr

Verdict:

No threats detected

Analysis date:

2020-12-10 07:11:14 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/922f3621-4868-46d8-874a-5e05139a72bb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/107600/

Detection(s):

SecuriteInfo.com.Variant.Razy.802060.30687.32028.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

DNS request

Sending a custom TCP request

Creating a file

Unauthorized injection to a recently created process by context flags manipulation

Result

Gathering data

Result

Threat name:

AveMaria GuLoader

Detection:

malicious

Classification:

rans.phis.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/559825

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Contains functionality to hide user accounts

Executable has a suspicious name (potential lure to open the executable)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Increases the number of concurrent connection per server for Internet Explorer

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Potential malicious icon found

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected AveMaria stealer

Yara detected GuLoader

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/56b95c3399a705e1bcdc312f3c82749308279f744f1199a59e9bcb3818c194c9/

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-12-10 02:10:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k24vym4zu4c6dpg4gextzatusmecph3uj4iztjm6tpftqggbsteq._file

Verdict:

malicious

Label(s):

guloader

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat infostealer rat

Link:

https://tria.ge/reports/201210-rtlfrgp692/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Executes dropped EXE

WarzoneRat, AveMaria

Unpacked files

SH256 hash:

56b95c3399a705e1bcdc312f3c82749308279f744f1199a59e9bcb3818c194c9

MD5 hash:

60afc55f88a6172d4d598c15477fbbec

SHA1 hash:

c7ae2794b223343a84daf4bffe229ae7886f7233

Link:

https://www.unpac.me/results/9924ea5b-7cd0-4386-b5c7-6699763ccd0b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/56b95c3399a705e1bcdc312f3c82749308279f744f1199a59e9bcb3818c194c9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar 3c6bc4dcd62f6647b85eadf13d0f581fae657cbc4c5053463666d9f5a5a7841e

AveMariaRAT

exe 56b95c3399a705e1bcdc312f3c82749308279f744f1199a59e9bcb3818c194c9

(this sample)

Delivery method

Other

Dropped by

SHA256 3c6bc4dcd62f6647b85eadf13d0f581fae657cbc4c5053463666d9f5a5a7841e

Cape

https://www.capesandbox.com/analysis/107600/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample