MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6998249e77f7c33821b3678fbdbc0a843ca39d80d49aa55335b48ef7c4011ad2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	6998249e77f7c33821b3678fbdbc0a843ca39d80d49aa55335b48ef7c4011ad2
SHA3-384 hash:	65ff83aafce2d40b841686da45753c5fbc4554fc82bf8820cc8cf9e502577ae6b7a55d631c7b749cc98ee549429140c7
SHA1 hash:	599dc65b9bc3ddda93678454b179151af02eed7b
MD5 hash:	596a8138a493a2e448525bdc8f1ea983
humanhash:	december-william-edward-william
File name:	280deef36e8bcf318d71ee70e6e93a8a.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	100'352 bytes
First seen:	2020-04-06 11:25:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b76aafdc988ade2ab3db3b02fa4c6d00 (26 x AveMariaRAT, 1 x njrat, 1 x NanoCore)
ssdeep	1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEyp:AtD6jSm0uWRfCogTjVEG
Threatray	433 similar samples on MalwareBazaar
TLSH	F6A39D2377E1483DF67501B02EBCBE7A97FEB9750321895FA36811836E72548D926343
Reporter	abuse_ch
Tags:	AveMariaRAT exe GuLoader

abuse_ch

Payload dropped by GuLoader from the following URL:
https://portalconnectme.com/server_encrypted_6E79EB0.bin

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PWS.Maria.4.17072.22484.UNOFFICIAL

SecuriteInfo.com.Trojan.PWS.Maria.3.30306.22950.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Mocrt

Status:

Malicious

First seen:

2020-04-06 11:36:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

42 of 47 (89.36%)

Threat level:

5/5

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

1e0cc4051f5ea6cb75b0df551bc5be60abc54ca51cd1611dc760aa245a0055dd

AveMariaRAT

2002e2506e59be859c12de94b1d9ddbfeeee31373684ce15f4e5b952da036a69

AveMariaRAT

4fed79d044df2a4c1c7fe6261a9b557de0c8940f5b92d853892a619537bd989f

AveMariaRAT

6c08295f40c3b798331023edf5166fc3dc159f120eaf02db0991f6d682c7df13

AveMariaRAT

97abfa66c19a23ccabb59254cf91e13eb56d9d64df727f66034ac5a063cc566c

AveMariaRAT

b01d0e871f96ddcf4df2358b7a452c488d628829d14d5ede0a58243cdd1dbdc7

AveMariaRAT

cad851d943cb185cb15220b74b66ba5f60058d0b155c020db6b71315183f940c

AveMariaRAT

e3ec188cee8aedebacb4156103cebe176b3521415be6de03ec98304d94963498

AveMariaRAT

eee4d211bbffe896f0de21854cb5adac6e10c85016986efd260b45c7022d7521

AveMariaRAT

+ 423 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

xlsx 30ba983c41c400c82c194778c9ca6798383b00c80bec7b85c9c8010dd667fdcf

GuLoader

exe 91dfd41acf3e4f461c8c0c5ffdad45e08e92c839dd4f4f233b3e0ff57efd5064

AveMariaRAT

exe 6998249e77f7c33821b3678fbdbc0a843ca39d80d49aa55335b48ef7c4011ad2

(this sample)

Dropped by

MD5 280deef36e8bcf318d71ee70e6e93a8a

Dropped by

MD5 1998534cb6c5031254994b0a0787b6af

Dropped by

GuLoader

Dropped by

SHA256 91dfd41acf3e4f461c8c0c5ffdad45e08e92c839dd4f4f233b3e0ff57efd5064

Dropped by

SHA256 57cc45c4a3e1ce92c5fb4e970e16334dd4db47858607b7e7f26388f0d2f83f70

URLhaus

https://urlhaus.abuse.ch/url/335715/

URLhaus

https://urlhaus.abuse.ch/url/335751/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::FreeSid
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
DP_API	Uses DP API	CRYPT32.dll::CryptUnprotectData
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::GetTokenInformation
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW SHELL32.dll::ShellExecuteExA
URL_MONIKERS_API	Can Download & Execute components	urlmon.dll::URLDownloadToFileW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateRemoteThread KERNEL32.dll::CreateProcessW KERNEL32.dll::CreateProcessA KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::VirtualAllocEx
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW SHELL32.dll::SHCreateDirectoryExW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::LookupAccountSidW ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryInfoKeyW
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::freeaddrinfo WS2_32.dll::getaddrinfo
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::ChangeServiceConfigW ADVAPI32.dll::OpenSCManagerW ADVAPI32.dll::OpenServiceW ADVAPI32.dll::QueryServiceConfigW ADVAPI32.dll::StartServiceW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample