MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b91df85affd5ae567a565e3dca83bc8a014acddcf7bd743782b7b6cb2f93754. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 7



SHA256 hash: 5b91df85affd5ae567a565e3dca83bc8a014acddcf7bd743782b7b6cb2f93754
SHA3-384 hash: 79a93da361bb6ad5e047e1a6c9e7cc8a06fe0f3e71bdac3dc38aedb9b8e894715e973d3b119e2b6fcad21e7414418a66
SHA1 hash: 32c8a7334444bf8844b0091255bbefee83ddad6b
MD5 hash: d6bc9cb3362a09dff11449527080e03f
humanhash: louisiana-seventeen-uncle-juliet
File name: Bank Remittance copy.exe
Signature: AveMariaRAT
File size: 565'248 bytes
First seen: 2021-09-01 06:06:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ef471c0edf1877cd5a881a6a8bf647b9 (83 x Formbook, 33 x Loki, 31 x Loda)
ssdeep: 12288:+Xe9PPlowWX0t6mOQwg1Qd15CcYk0We1nNzfJoomJxRHHE6mRsc9gC8NLhPtDWl3:ThloDX0XOf4RNzfJhOa5
Threatray: 2'337 similar samples on MalwareBazaar
TLSH: T1D5C4E163A187DCA6D649593D42A4FBAC423CCF524D1FA68570793223EA73D0B2F48CD6
dhash icon: f0f0f2b2e834b498 (29 x AgentTesla, 12 x AveMariaRAT, 8 x RedLineStealer)
Reporter: lowmal3
Tags: AveMariaRAT exe
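The imphash value above is shared with 83 Formbook, 33 Loki and 31 Loda samples, while the file itself is tagged AveMariaRAT. That spread is the usual sign that the hash fingerprints a shared loader or packer stub (its import table) rather than the final payload, so an imphash match clusters samples by build tooling, not by family. The following is an added example, not code from MalwareBazaar or from this sample, that computes an imphash the way pefile's get_imphash does over constructed import tables, so the collision behaviour is visible: casing and a trailing .dll/.ocx/.sys are normalized away, but import order still changes the digest. The import lists are constructed for illustration, and ordinal handling is simplified (pefile first resolves known ws2_32 and oleaut32 ordinals to names via a lookup table that is not reproduced here).

```python
"""Compute a PE import hash (imphash) from a list of import entries.

Added example modelled on pefile's get_imphash(); not part of the
MalwareBazaar page and not derived from the sample it describes.
"""
import hashlib
from typing import Iterable, List, Optional, Tuple

# Extensions that pefile strips from the library name before hashing.
_STRIPPED_EXTS = ("ocx", "sys", "dll")

# One import entry: (library name, function name or None, ordinal or None).
ImportEntry = Tuple[str, Optional[str], Optional[int]]


def normalize_import(dll: str, name: Optional[str], ordinal: Optional[int]) -> str:
    """Return the 'lib.func' token that imphash feeds into MD5.

    Library names are lower-cased and lose a trailing .dll/.ocx/.sys;
    function names are lower-cased; imports by ordinal become 'ordN'.
    (Simplification: pefile resolves well-known ws2_32/oleaut32 ordinals
    to names before falling back to 'ordN'; that table is omitted here.)
    """
    lib = dll.lower()
    parts = lib.rsplit(".", 1)
    if len(parts) > 1 and parts[1] in _STRIPPED_EXTS:
        lib = parts[0]
    if name:
        func = name.lower()
    elif ordinal is not None:
        func = f"ord{ordinal}"
    else:
        raise ValueError("import has neither a name nor an ordinal")
    return f"{lib}.{func}"


def imphash_string(imports: Iterable[ImportEntry]) -> str:
    """Comma-joined, order-preserving token list (the MD5 pre-image)."""
    return ",".join(normalize_import(*entry) for entry in imports)


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 hex digest of the normalized import list; '' when there are no imports."""
    entries = list(imports)
    if not entries:
        return ""
    return hashlib.md5(imphash_string(entries).encode()).hexdigest()


# Constructed import tables (hypothetical; not taken from the sample above).
# Two builds of the same loader stub: different casing and extension spelling,
# but the same imports in the same order.
STUB_BUILD_A: List[ImportEntry] = [
    ("KERNEL32.dll", "GetProcAddress", None),
    ("KERNEL32.dll", "LoadLibraryA", None),
    ("KERNEL32.dll", "VirtualAlloc", None),
    ("USER32.dll", "MessageBoxA", None),
    ("WS2_32.dll", None, 115),  # imported by ordinal only
]
STUB_BUILD_B: List[ImportEntry] = [
    ("kernel32", "getprocaddress", None),
    ("Kernel32.DLL", "LOADLIBRARYA", None),
    ("KERNEL32.dll", "VirtualAlloc", None),
    ("user32.dll", "MessageBoxA", None),
    ("ws2_32.DLL", None, 115),
]
# Same imports, but the linker emitted the first two in the other order.
STUB_REORDERED: List[ImportEntry] = [STUB_BUILD_A[1], STUB_BUILD_A[0]] + STUB_BUILD_A[2:]


def compare_builds() -> dict:
    """Report which changes do and do not move the imphash."""
    return {
        "same_stub_same_hash": imphash(STUB_BUILD_A) == imphash(STUB_BUILD_B),
        "reorder_changes_hash": imphash(STUB_BUILD_A) != imphash(STUB_REORDERED),
    }


if __name__ == "__main__":
    print(imphash_string(STUB_BUILD_A))
    print(imphash(STUB_BUILD_A))
    print(compare_builds())
```

Because the pre-image is the ordered list of stub imports, any sample wrapped by the same packer or loader build collides regardless of the embedded payload, which is why one imphash can point at Formbook, Loki, Loda and AveMaria at once. Treat an imphash match as a pivot to related loaders, and use the family-specific YARA or configuration extraction results on this page for the actual classification.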

Intelligence

File Origin
# of uploads: 1
# of downloads: 163
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Threat name: AveMaria
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
AutoIt script contains suspicious strings
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected AveMaria stealer
Result
Threat name: Win32.Trojan.Nymeria
Status: Malicious
First seen: 2021-08-31 11:49:28 UTC
AV detection: 12 of 42 (28.57%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: b46aae9e724b7c5f6e5cbe80a05d26d25014fb747a7cb186e94337d109663248
MD5 hash: b0479977843026c1aaa413b4fc5aca86
SHA1 hash: f5bbea7f0ae4d45e17b58be608d156b3e5c6844e
SHA256 hash: 5b91df85affd5ae567a565e3dca83bc8a014acddcf7bd743782b7b6cb2f93754
MD5 hash: d6bc9cb3362a09dff11449527080e03f
SHA1 hash: 32c8a7334444bf8844b0091255bbefee83ddad6b
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AveMariaRAT
Executable exe 5b91df85affd5ae567a565e3dca83bc8a014acddcf7bd743782b7b6cb2f93754 (this sample)

Delivery method: Distributed via e-mail attachment