MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c62d911a4efd2a37364d26439085d493ca2ab7e4b0fa90ba2f5d937e99e5bdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c62d911a4efd2a37364d26439085d493ca2ab7e4b0fa90ba2f5d937e99e5bdf
SHA3-384 hash: c7648cac362771b7065f058f4aefa271956e10dc04d1aa73d47a114f0b799c2b0263da380e56361a5118eb4c54c804bc
SHA1 hash: b4c2a82be93673b0b4455a20539d48305eff8d5e
MD5 hash: 5c49f2098dc63b81fac25d387f4f73b3
humanhash: aspen-mars-pasta-florida
File name:Bhohuum.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:796'162 bytes
First seen:2020-05-08 07:16:56 UTC
Last seen:2020-05-08 07:39:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ebfe1b80a2b16c891f090e59c5d49378 (2 x RemcosRAT, 2 x AveMariaRAT)
ssdeep 12288:unUo0e4kMU/NOJF19U9aZqr18iN1uwIoVBXiDjN5dLro6gVZhglUSamsZsCNXsWR:4U96dNOz15Zqr1t3IoTy1CalGmYsQ
Threatray 428 similar samples on MalwareBazaar
TLSH 37058E23F6914437D16325785C1B97B95936BE203A68B88A3BF43E4C4F3A7813939397
Reporter abuse_ch
Tags:AveMariaRAT exe RAT


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: aqmail.org
Sending IP: 45.249.91.173
From: Trade Store <sales@aqmail.org>
Subject: Re: Re: PAYMENT INVOICE
Attachment: VIN-Paid.rar (contains "Bhohuum.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-05-08 07:36:13 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=trrnsene57jkg43e2jsdscc5je6kfk36jmh2sc5c6xmtp2m6lppq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0d38ea72059443a96e979d8669d1eb95be5863beb8459ef4d408417c3e823484
AveMariaRAT
14bc7146562bb679d9e708f1f748512a140a4a32e2ae1d7a8de6c971b5639686
AveMariaRAT
4a7fd200df098a126c9661ba9507674202dbd1864fb3edf03860110f66e8297a
AveMariaRAT
4b13bb36220d46ab9fa89c4163c8ec571fe0c113af00773d0968fa51c4056bbd
AveMariaRAT
6eb590a11b5310606564853be8c43179b95ee93c3a4c8c3ea8f011819a3b2337
AveMariaRAT
7c7fbeb0b90a27a56ddbd1adee5627396a0d3f4639bea0d8675687a66064b6c8
AveMariaRAT
9ce5eb576c72ecc29eabbbece917f1873bf4f5782485b22549dfbb6ff1d56f58
AveMariaRAT
b38f7cacc56a97f122827cc2e89c55c9747ad790f7649b6078cedca83659b4dc
AveMariaRAT
e1457c29de4acf85b9420e78bb22d8c84e674a1bce55a9a8070bb4ef4bd883d2
AveMariaRAT
e43d34170181b3e9b5baf550d70b27fdbcfcc8e974694352d77e5e52e8866a2d
AveMariaRAT
+ 418 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-jcdz57khme/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar 12d6478d5a99732e39a8654f6e7b5872621c42212f32f3fb7e5e36cd0f1e8b92

AveMariaRAT

Executable exe 9c62d911a4efd2a37364d26439085d493ca2ab7e4b0fa90ba2f5d937e99e5bdf

(this sample)

  
Dropped by
MD5 aef5ff6a515f39a0af3b63fa0cc9400d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 12d6478d5a99732e39a8654f6e7b5872621c42212f32f3fb7e5e36cd0f1e8b92

Comments