MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 712b802459737989654a3cc99301c44c89827c0785da304077f41616cb73ddc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 712b802459737989654a3cc99301c44c89827c0785da304077f41616cb73ddc0
SHA3-384 hash: b16d790bd4b220438167546f2eb347058abb0ca777c17c580b7022a56bd4c74e4afd2217051ff8c93f93aafedaabe33a
SHA1 hash: 397b6dfa8ff67c67da5a502462e6a17ee0efaa50
MD5 hash: 83eb62a7f6cb08fea499735986945ea1
humanhash: ceiling-saturn-hotel-chicken
File name:ORDER LIST_AUG7FIBA00541.z
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:964'382 bytes
First seen:2023-08-30 18:09:30 UTC
Last seen:Never
File type: z
MIME type:application/x-7z-compressed
ssdeep 24576:3dOt8yYCyT2wshafbKgOn1CDHyevHtX6ZQc+rvVB1b4zPQUzy:tOqTzeEOOycqZQcyvAPQUzy
TLSH T1CF25337B89DF912EE84168E0F5473ED5C3018E908C6CDA57681ADE7DE09BDEE2209D43
TrID 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter cocaman
Tags:z


Avatar
cocaman
Malicious email (T1566.001)
From: "Mohammed Arif<noreply@nwh.ae>" (likely spoofed)
Received: "from [163.123.143.173] (unknown [163.123.143.173]) "
Date: "28 Aug 2023 17:12:29 +0200"
Subject: "ORDER LIST_AUG7FIBA00541"
Attachment: "ORDER LIST_AUG7FIBA00541.z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
CH CH
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:32512
File size:188 bytes
SHA256 hash: 50754318d26dba3f88614de1876671de7b6da4221d50886070da0b620045c36e
MD5 hash: 2b813330dc0a2164eb1fa23549e3828d
MIME type:application/octet-stream
Signature AveMariaRAT
File name:ORDER LIST_AUG7FIBA00541·PDF.scr
File size:1'942'056 bytes
SHA256 hash: 8d241ada0e443465f7a76c1603677d5519b901a654a9a27b21c6e82a69ef7e3c
MD5 hash: 96b3a6a89137c2abc9d354e5a248f591
MIME type:application/x-dosexec
Signature AveMariaRAT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.12518.1002.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed packed
Link:
https://www.filescan.io/uploads/64ef85fb8d6d59beeee4f32c/reports/53ce42a8-937c-4ba4-859e-15e4e4831dc2/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/712b802459737989654a3cc99301c44c89827c0785da304077f41616cb73ddc0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/712b802459737989654a3cc99301c44c89827c0785da304077f41616cb73ddc0/
Threat name:
Win32.Trojan.MortyStealer
Create hunting rule
Status:
Malicious
First seen:
2023-08-28 09:05:16 UTC
File Type:
Binary (Archive)
Extracted files:
38
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oevyajczon4yszkkhtezgaoejseye7ahqxndaqdx6qlbns3t3xaa._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.78
Link:
https://yomi.yoroi.company/submissions/712b802459737989654a3cc99301c44c89827c0785da304077f41616cb73ddc0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

z 712b802459737989654a3cc99301c44c89827c0785da304077f41616cb73ddc0

(this sample)

AveMariaRAT

Executable exe 8d241ada0e443465f7a76c1603677d5519b901a654a9a27b21c6e82a69ef7e3c

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 8d241ada0e443465f7a76c1603677d5519b901a654a9a27b21c6e82a69ef7e3c
  
Dropping
MD5 96b3a6a89137c2abc9d354e5a248f591

Comments