MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85c02d0cd6412118420143865d77fc24fdc9fcddae292155919aad1270d327ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85c02d0cd6412118420143865d77fc24fdc9fcddae292155919aad1270d327ca
SHA3-384 hash: 3b588f9a9aa67ffa0ba23e339f34dc75122438bdd387d3c175c249614583b2c8c533208eb3688c6fea98fd6902610365
SHA1 hash: eb11fece160cc11255541d42ef89c42657cdef67
MD5 hash: b455358185501ce270f622fa64e60560
humanhash: skylark-lactose-undress-wyoming
File name:عرض المنتج Stomanas_SKCGM_63746352021doc.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:35'840 bytes
First seen:2021-06-30 09:06:09 UTC
Last seen:2021-06-30 12:25:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:b9y7UilJKLMlhijkd+vQZaxV2zsVufLcz0tO/gprqFs3GYA/ifGfAJmX4hjidkv4:txEfo/ifaQRUl165I
Threatray 1'035 similar samples on MalwareBazaar
TLSH 63F2B501B2E95B67E6BDABF42471980043B3796B5A71F74D0DC520EF15B2B404BA2F2B
Reporter lowmal3
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
عرض المنتج Stomanas_SKCGM_63746352021doc.exe
Verdict:
Malicious activity
Analysis date:
2021-06-30 09:07:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e1754e8c-8c58-4c36-ab1b-6c96a916221d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168921/
Detection(s):
SecuriteInfo.com.ArtemisB45535818550.22148.11898.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d6047d5-1931-4d7e-aea2-95372cc49a1d
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/809852
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442263 Sample: #U0639#U0631#U0636 #U0627#U... Startdate: 30/06/2021 Architecture: WINDOWS Score: 100 64 Multi AV Scanner detection for domain / URL 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 10 other signatures 2->70 9 #U0639#U0631#U0636 #U0627#U0644#U0645#U0646#U062a#U062c Stomanas_SKCGM_63746352021doc.exe 15 4 2->9         started        12 #U0639#U0631#U0636 #U0627#U0644#U0645#U0646#U062a#U062c Stomanas_SKCGM_63746352021doc.exe 3 2->12         started        process3 dnsIp4 52 cdn.discordapp.com 162.159.134.233, 443, 49737, 49759 CLOUDFLARENETUS United States 9->52 15 cmd.exe 3 9->15         started        19 cmd.exe 1 9->19         started        54 162.159.133.233, 443, 49746 CLOUDFLARENETUS United States 12->54 40 #U0639#U0631#U0636...46352021doc.exe.log, ASCII 12->40 dropped 21 #U0639#U0631#U0636 #U0627#U0644#U0645#U0646#U062a#U062c Stomanas_SKCGM_63746352021doc.exe 3 2 12->21         started        file5 process6 dnsIp7 42 #U0639#U0631#U0636..._63746352021doc.exe, PE32 15->42 dropped 44 #U0639#U0631#U0636...exe:Zone.Identifier, ASCII 15->44 dropped 56 Suspicious powershell command line found 15->56 58 Drops PE files to the startup folder 15->58 24 conhost.exe 15->24         started        26 powershell.exe 18 19->26         started        28 wscript.exe 19->28         started        30 conhost.exe 19->30         started        32 timeout.exe 1 19->32         started        50 178.170.138.163, 4554 ETOP-ASPL Netherlands 21->50 60 Increases the number of concurrent connection per server for Internet Explorer 21->60 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->62 file8 signatures9 process10 process11 34 #U0639#U0631#U0636 #U0627#U0644#U0645#U0646#U062a#U062c Stomanas_SKCGM_63746352021doc.exe 2 26->34         started        dnsIp12 46 192.168.2.1 unknown unknown 34->46 48 cdn.discordapp.com 34->48 72 Injects a PE file into a foreign processes 34->72 38 #U0639#U0631#U0636 #U0627#U0644#U0645#U0646#U062a#U062c Stomanas_SKCGM_63746352021doc.exe 34->38         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85c02d0cd6412118420143865d77fc24fdc9fcddae292155919aad1270d327ca/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2021-06-30 06:07:23 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxac2dgwieqrqqqbiodf2574et64t7g5vyuscvmrtkwre4gte7fa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
18ccd421e41af7dedbdeff8e6d3df085182c3fb7e2f27d9e4594553dcbc2834b
AveMariaRAT
46520e8955eff183518aa7ad908eff5e9d0c7094be0d9821f037a11a25ff4b3e
AveMariaRAT
7406e77d7cbbc5344697900906c5a5930330dcdfba382b22181b41494ace670e
AveMariaRAT
88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5
AveMariaRAT
8eb47be229e6a2bf70d2a46deb714c60ce6d60e335d45fced78879798fa811c9
AveMariaRAT
a21a0d414080476ea51f99a3d207c12e1e9b15646b39338e989ed817a91429f6
AveMariaRAT
aae06c61ea30fd920db8caa7e32eefe1b74842affe3fa6d53ce6765f49783ed5
AveMariaRAT
da31c02c004f7e04408dea6429c362b4870c87a99fb2ae8ace1dac200a7fce5d
AveMariaRAT
e05ae83047c3026873ff147e2b6e6a71ab396d23ee8c9346b2755c16a776774b
AveMariaRAT
f4be91d5771599ee3f80dd26990d324c291e4b327db563c15379b09ffa79eadb
AveMariaRAT
+ 1'025 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210630-xtybzam85a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Unpacked files
SH256 hash:
85c02d0cd6412118420143865d77fc24fdc9fcddae292155919aad1270d327ca
MD5 hash:
b455358185501ce270f622fa64e60560
SHA1 hash:
eb11fece160cc11255541d42ef89c42657cdef67
Link:
https://www.unpac.me/results/1747329f-1d1c-4ae3-bafd-a64bb4c0c600/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/85c02d0cd6412118420143865d77fc24fdc9fcddae292155919aad1270d327ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Executable exe 85c02d0cd6412118420143865d77fc24fdc9fcddae292155919aad1270d327ca

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/168921/

Comments