MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f0161e643adfaeca9dc6918e8cc29fc85ecdcf6727afd601649068f1e36a814. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f0161e643adfaeca9dc6918e8cc29fc85ecdcf6727afd601649068f1e36a814
SHA3-384 hash: 29414ebef02176fcd1c3a8875d89a59f52f75098cca33784858b9afaf00ebd1e87ebbcea4011b24af58ee491d242fe05
SHA1 hash: a500948c7b3c51d8b6306621abfbf5acb15afe2a
MD5 hash: 31bf42235c2d67f9af49c72286868bc9
humanhash: carolina-william-summer-fanta
File name:Order_#44983796060069937734- одело България ЕООД.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:686'432 bytes
First seen:2021-04-06 08:19:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 810b60d80fc0f9a70fe609b43363aa3f (2 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 12288:TmZutCqMrtdeLlyKvPpfKnbOEV7S8wN29U/OyV2:T+ugtdeL5JoTVuDc9UDV2
Threatray 812 similar samples on MalwareBazaar
TLSH A6E48E21A2E14033E4AF2B399D6BB7655C36FE802EE4B4496BF47C499F753913428393
Reporter abuse_ch
Tags:AveMariaRAT BGR exe geo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server5.pavanhost.com
Sending IP: 85.25.203.11
From: Odelo Bulgaria EOOD Sofia R&D Center <vibhorgoyal@smilaxgroup.net>
Subject: Order_#44983796060069937734- одело България ЕООД
Attachment: Order_44983796060069937734-06_04_2021.img (contains "Order_#44983796060069937734- одело България ЕООД.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order_#44983796060069937734- одело България ЕООД.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-06 09:07:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ea1cb05f-e95e-4d96-90de-adbfeab6d182

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132624/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/667341
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 382603 Sample: 1e#U0414.exe Startdate: 06/04/2021 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for domain / URL 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 4 other signatures 2->47 6 1e#U0414.exe 1 19 2->6         started        11 Ardrdo.exe 13 2->11         started        13 Ardrdo.exe 14 2->13         started        process3 dnsIp4 25 banglaboi.com.bd 104.21.16.122, 443, 49709, 49710 CLOUDFLARENETUS United States 6->25 23 C:\Users\Public\Libraries\Ardrdo\Ardrdo.exe, PE32 6->23 dropped 49 Writes to foreign memory regions 6->49 51 Allocates memory in foreign processes 6->51 53 Creates a thread in another existing process (thread injection) 6->53 15 ieinstal.exe 3 4 6->15         started        55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 59 Injects a PE file into a foreign processes 11->59 19 ieinstal.exe 1 11->19         started        27 172.67.212.122, 443, 49726 CLOUDFLARENETUS United States 13->27 21 ieinstal.exe 1 13->21         started        file5 signatures6 process7 dnsIp8 29 xchilogs.duckdns.org 82.102.23.131, 23411, 49722 M247GB Malta 15->29 31 192.168.2.1 unknown unknown 15->31 33 Tries to steal Mail credentials (via file access) 15->33 35 Tries to harvest and steal browser information (history, passwords, etc) 15->35 37 Increases the number of concurrent connection per server for Internet Explorer 15->37 39 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->39 signatures9
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5f0161e643adfaeca9dc6918e8cc29fc85ecdcf6727afd601649068f1e36a814/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-04-06 08:20:14 UTC
AV detection:
15 of 48 (31.25%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l4awdzsdvx5ozko4nemortbj7sc6zxhwoj5p2yawjedi6hrwvaka._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
08424a8ed34a7731f4118f3e4ddc49ae332b20f6ce042f1c967fd5d75ec1f0c7
AveMariaRAT
122ef85900670d4776f3afdbe676d59c23c4cd9944b9d392eb9a446b3bb40dde
AveMariaRAT
1ec80487df001c0f6d41a90bbe2451242977a6f36a276d6eefa8aef0f593ab6b
AveMariaRAT
5ba2e4021682f2700ca05c93eb32efb3c93d7bebd816842bdcca6cc768771cbe
AveMariaRAT
5cbed2f8a5fdadbd99816c4c8792bd51a2db7479f80bf70409f0f257f942d0c9
AveMariaRAT
688db922ed6771475dc6c379990567dc7e07ecaa848ada113472d1021eb02926
AveMariaRAT
803ed954a2fbfa36e1b154d7b1b6b270021eb72583d5a876e5aaedd728c39cc7
AveMariaRAT
9b342770fe4594e3a6d22b0b8d50269f8c749fb6d43c4f22d6ba48ddbff23bb4
AveMariaRAT
a67866e26c35be123728faf13ab166a05eb79ad7e8c6c79768ea059326d5cb60
AveMariaRAT
be783c2bd964fe9b8cc8a49b0312a6125ca2981ab1abe3d2d2b42c32395368fd
AveMariaRAT
+ 802 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210406-1wmrrrjwv2/
Unpacked files
SH256 hash:
31ffb1d8050b158b4c432cbb831f9da9b918443b7ed3ecca7e3d7a18a531e3f9
MD5 hash:
406f0b9cc6dacbdd1b715c557b941343
SHA1 hash:
77387463c87215e20a8592430665820cbb146660
Link:
https://www.unpac.me/results/0227284b-84c7-4402-86de-775c683b70e7/
SH256 hash:
5f0161e643adfaeca9dc6918e8cc29fc85ecdcf6727afd601649068f1e36a814
MD5 hash:
31bf42235c2d67f9af49c72286868bc9
SHA1 hash:
a500948c7b3c51d8b6306621abfbf5acb15afe2a
Link:
https://www.unpac.me/results/0227284b-84c7-4402-86de-775c683b70e7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f0161e643adfaeca9dc6918e8cc29fc85ecdcf6727afd601649068f1e36a814

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

img d0e3fd420d139b9c1ac0587dfea228ba9de8a3f87ab43a80cfa296b2431a275d

AveMariaRAT

Executable exe 5f0161e643adfaeca9dc6918e8cc29fc85ecdcf6727afd601649068f1e36a814

(this sample)

  
Dropped by
MD5 48560140a9a27e43649f5f2e7484b9d2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132624/
  
Dropped by
SHA256 d0e3fd420d139b9c1ac0587dfea228ba9de8a3f87ab43a80cfa296b2431a275d

Comments