MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c74c79cb7ab3a130b3ad8f31fa7bb79f85bc9788d9e0c60e798f29050c51785. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	8c74c79cb7ab3a130b3ad8f31fa7bb79f85bc9788d9e0c60e798f29050c51785
SHA3-384 hash:	c425eaec08100c6a9893ead2c2bd73e13fe8c8a2a62bbd36bd6d471376065df052ad22adc85dc5c0765373da228e83bb
SHA1 hash:	9947e269f8efc5ef22c8f8448cba06a059252bcd
MD5 hash:	fbd7145f34810c5ae37d3530b62da336
humanhash:	music-hydrogen-july-bravo
File name:	PO-057686565668_Order-2020-Sample-Quote,xlxs.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	380'416 bytes
First seen:	2020-07-21 07:48:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:mMHzYXgxkmNiF4Y9nDUdLcwtnF02yRw6TB:r9NBYZDUdgOnWb
Threatray	553 similar samples on MalwareBazaar
TLSH	E0843814E7B88AD9E3BA17BDE470404087B5B51AA7EAE3595B90F0ED1C22751CB13F23
Reporter	abuse_ch
Tags:	AveMariaRAT exe geo KOR RAT

abuse_ch

Malspam distributing AveMariaRAT:

HELO: mail-smail-vm83.hanmail.net
Sending IP: 211.231.106.158
From: 김보성 <magic0k@hanmail.net>
Subject: Purchase-Order: 구매견적의뢰 (7 월 주문)
Attachment: PO-057686565668_Order-2020-Sample-Quote,xlxs.z (contains "PO-057686565668_Order-2020-Sample-Quote,xlxs.exe")

AveMariaRAT C2:
phaz6434325328.redirectme.net:5200 (46.102.153.53)

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/29847/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching cmd.exe command interpreter

Connection attempt to an infection source

Unauthorized injection to a system process

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/8c74c79cb7ab3a130b3ad8f31fa7bb79f85bc9788d9e0c60e798f29050c51785/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-21 07:50:11 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rr2mphfxvm5bgcz23dzr7j53ph4fxslyrwpayyhhtdzjaugfc6cq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

33fafc21865d301586e6c0563fd5345b3c46f03bddea4e69dd4d2f72382d2aaa

AveMariaRAT

51d3cb67de439aca2814ae5eda56dc730fc590ed7353aba47febc451c740f501

AveMariaRAT

5bb841161ff484e03a7cfe4ffe1ec77920ec61ab2e8eafa0c63e15b749ca34cb

AveMariaRAT

70440fbc25870bbadcbe1278c0772221c0a8a34058aa1bbe8f5d00a72a1c883a

AveMariaRAT

74fa5488d019423ff5ddac6f9a397aa9454bad8c10db7fb645fb3e92bf4cc630

AveMariaRAT

9d1e2a8584f32720f3f504ab505d1eab3864248b043107382d431fc731eeb953

AveMariaRAT

b46571fd44360c7d8e9771a807c0914f419dc7dc69a43b475b537484a1aa5053

AveMariaRAT

ba98faeaed7980253c2b7896bcb627bc16459f4ede941f3890897707b2992579

AveMariaRAT

d9e8955f7aad89624502ab87b2d50a8728652e7d1c5864f3658d6e8f08d17540

AveMariaRAT

+ 543 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200721-fpe731xen2/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8c74c79cb7ab3a130b3ad8f31fa7bb79f85bc9788d9e0c60e798f29050c51785

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator