MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 578df50c34d2f8f3146e5c4a457c4e9eac639070d3766ba202c84af6a790d4a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 578df50c34d2f8f3146e5c4a457c4e9eac639070d3766ba202c84af6a790d4a7
SHA3-384 hash: f5ea1be499bc8332843c71ba28102b6d3b560a6c183130b62b84b33152ff9f2941fcbb355d96b8f46f2ed86aa230260a
SHA1 hash: bbbd6d9bfc546b6f40908554e4dfd4900a25008a
MD5 hash: b7470a5b6952b5b301d92fb58606f23b
humanhash: solar-maryland-fifteen-delta
File name:New order-karbosaTurkey.scr
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:569'856 bytes
First seen:2020-08-31 09:15:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:G15SnDWDaz3ZpCQBdDnMKfTn0MrnKRk2CreKnPj8vbO/riD7sH3R6vt:05yeadppBdzMKfT05HmexUrMsX
Threatray 443 similar samples on MalwareBazaar
TLSH EFC49E29070DAB2FC82876BD249001DCD1F19781EA74F5C8ED8B60F9D9C564FA76D2C6
Reporter abuse_ch
Tags:AveMariaRAT RAT scr Strato


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: mo4-p05-ob.smtp.rzone.de
Sending IP: 81.169.146.181
From: info@karbosan.com.tr
Subject: New order -karbosan
Attachment: New order-karbosaTurkey.r11 (contains "New order-karbosaTurkey.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53332/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/455084
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279917 Sample: New order-karbosaTurkey.scr Startdate: 31/08/2020 Architecture: WINDOWS Score: 100 30 Malicious sample detected (through community Yara rule) 2->30 32 Antivirus / Scanner detection for submitted sample 2->32 34 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->34 36 7 other signatures 2->36 8 New order-karbosaTurkey.exe 3 2->8         started        12 images.exe 1 2->12         started        process3 file4 28 C:\Users\...28ew order-karbosaTurkey.exe.log, ASCII 8->28 dropped 38 Writes to foreign memory regions 8->38 40 Allocates memory in foreign processes 8->40 42 Injects a PE file into a foreign processes 8->42 14 MSBuild.exe 8->14         started        17 MSBuild.exe 5 4 8->17         started        20 conhost.exe 12->20         started        signatures5 process6 file7 44 Contains functionality to inject threads in other processes 14->44 46 Contains functionality to steal Chrome passwords or cookies 14->46 48 Contains functionality to steal e-mail passwords 14->48 26 C:\ProgramData\images.exe, PE32 17->26 dropped 50 Increases the number of concurrent connection per server for Internet Explorer 17->50 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->52 22 images.exe 2 17->22         started        signatures8 process9 process10 24 conhost.exe 22->24         started       
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/578df50c34d2f8f3146e5c4a457c4e9eac639070d3766ba202c84af6a790d4a7/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 02:19:10 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k6g7kdbu2l4pgfdolrfek7cot2wghedq2n3gxiqczbfpnj4q2stq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
194537d76b5270112c3d5faf6a1aa1aedf9c665602b5083895de781f935b4289
AveMariaRAT
433d26c66e7c158b84024a6ee83ad8145598d238ed8855a21a77b8324715c9d8
AveMariaRAT
60d7b2ab0fb53d37576c2edd50231cc82e87d0c0cee85afddac247cb795164c3
AveMariaRAT
61079c74aff96424d4b6d794636faa4d7bfd9df2ba67a506164d4168ca6bb234
AveMariaRAT
9d3c04431db8d2630361ac69def49189101a5bf017627be2f147bcd66f3c8d29
AveMariaRAT
9d71c01a2e63e041ca58886eba792d3fc0c0064198d225f2f0e2e70c6222365c
AveMariaRAT
aec7bb752bfb4fb49d6d363db8393e84a05da72cd3b54a9b368bc43adcd3f08d
AveMariaRAT
b612173e75cc939bb718725850a57a1487095d863db268758b5ee0bf2463f89d
AveMariaRAT
e1b924fa9552fc6bccfe3134bd3930b41ddbb93854e4a82cd6df2344496e5948
AveMariaRAT
e97d4cbbbb923b04cee8f87235ad15ab83a7cba51984422cdfdcfefa7e81d457
AveMariaRAT
+ 433 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/200831-v3q3s41edn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/578df50c34d2f8f3146e5c4a457c4e9eac639070d3766ba202c84af6a790d4a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar 29964f2a0d6cf2aa62f8e8cb1ed921fe357a1d98a80979bca5e735474fe82c56

AveMariaRAT

Executable exe 578df50c34d2f8f3146e5c4a457c4e9eac639070d3766ba202c84af6a790d4a7

(this sample)

  
Dropped by
MD5 c34968d467a5188ce33763ebcc0c3219
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53332/
  
Dropped by
SHA256 29964f2a0d6cf2aa62f8e8cb1ed921fe357a1d98a80979bca5e735474fe82c56

Comments