MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a8b601dbdc4a8b83fa1802be973df5562916711e95de88d77c0d86ce3a3e1e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 7 File information Comments

SHA256 hash:	8a8b601dbdc4a8b83fa1802be973df5562916711e95de88d77c0d86ce3a3e1e5
SHA3-384 hash:	2b31c8298d3a410d3c3e856d4294faf673aa9ec988ffbcfac1683fee59e3702d52640d00cb625403f4851f53d8fb26fa
SHA1 hash:	81015e96dd24740b8095391ea4c11aac2acc65e1
MD5 hash:	188567a5dc5ecb27eff09da32924bd03
humanhash:	beryllium-charlie-glucose-five
File name:	New Government Regulations Effective.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	405'504 bytes
First seen:	2020-07-09 08:52:53 UTC
Last seen:	2020-07-09 10:25:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	6144:jEIpgQwgkvE2ZdhX/u9DE4ZqPD5WHUQl9IIAHaS8B+ti2WS2Wii32jSrk:jX4JZdV/kvqbIrZAE+Y2l2WiI22r
Threatray	431 similar samples on MalwareBazaar
TLSH	1D84E028237A0827F06E3B3311E66513C3BEB227490B979FBE4314691D617734A99B77
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

abuse_ch

AveMariaRAT C2:
109.169.89.12:5200

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/23621/

Detection(s):

SecuriteInfo.com.Generic.mg.188567a5dc5ecb27.23901.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Setting a keyboard event handler

Reading critical registry keys

Launching a service

Creating a file

Stealing user critical data

Enabling autorun with Startup directory

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/8a8b601dbdc4a8b83fa1802be973df5562916711e95de88d77c0d86ce3a3e1e5/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-09 08:05:07 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rkfwahn5ysulqp5bqav6s467kvrjczyr5fo6rdlxydmgzy5d4hsq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

0f380b216cfb271182cd7ca20e0cb98e29801f22f931013aa342b11e7d22070b

AveMariaRAT

220d9dee8512451f79c4ea016e9ed065ca3f378f3f1b29531cee3c686a100cce

AveMariaRAT

3ac41aaeb5772f77fa5e3c6bfaeecc906430b37abb0b7d3be40adc87b0d57e1d

AveMariaRAT

4cffbdf1d3e2016475da67b15f0ab12a9658e0970f691cebe0bd161e2e1772b2

AveMariaRAT

6142ce64bdf7d4373dedcadb54fb06efed10595a65713783f2930eb1ebb9f989

AveMariaRAT

84b4040d764a758414d6e7d913161c97846e563eb18e3497f207670f9d239bc8

AveMariaRAT

aa81b1d5e5dc459eac6dff63b95e6a08653c6afb5e925e8dd047ff9abfadd49a

AveMariaRAT

b5279796301bec9d8b3de84dff29a98dfb7cfe9d549279fddfd624b61583960f

AveMariaRAT

de25f269f4f7e5cc02f5e16e0c780ef25787df1d161f2fad276d88ddfce79f90

AveMariaRAT

+ 421 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200709-nzlkbam8f2/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_malumpos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/23621/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample