MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a445a5bc6990861c07657cc70e85253ff73cd88e6d7f040e00fb03ffbce5764b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	a445a5bc6990861c07657cc70e85253ff73cd88e6d7f040e00fb03ffbce5764b
SHA3-384 hash:	05677683a00b96f4a8c4899164f15c1422fd88a3312083e5c51f3128d96aed909caecb9e8321ac5d4e393f521040e5f4
SHA1 hash:	f2ef206a4cde0e340cb033dd51c3c17a17e6780e
MD5 hash:	94bcbe00000c86532e40fc6dab917195
humanhash:	nine-fix-maryland-india
File name:	testingmic.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	1'325'568 bytes
First seen:	2020-05-09 12:47:38 UTC
Last seen:	2020-05-09 14:46:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	78243cbfbc4dd1522113701bde066d1e (4 x AveMariaRAT, 3 x RemcosRAT)
ssdeep	12288:ZfXeibdNUawAHXqJyjUcgAxKRouPCuinlyudlglGXgAId7NESgK1fF8h:ZvKaw86SHfKVPAmlAgrd7NNLF
Threatray	659 similar samples on MalwareBazaar
TLSH	79551876A381C8FDD3615634CC2B39B394BA7B30255A7049BEE0DD2D5A39A90B11D38F
Reporter	James_inthe_box
Tags:	AveMariaRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.GenKryptik.EKFT.24330.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-09 12:46:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 31 (74.19%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=urc2lpdjscdbyb3fptdq5bjfh73tzweonv7qidqa7mb77phfozfq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

21c5dfaf16a6b6fb850af64a34db2eac7263835048a6041533967de282a42caf

AveMariaRAT

4fe45a8e07fc28eb30222f08219ca2bb8832220a97ff56333193bd422a876f0c

AveMariaRAT

62a9e0bc56c03b9ad7ff3ff1242415b95c29b10c2699a55c4d8940338e18887e

AveMariaRAT

7b7b7e7ad9b106a5508583f1b60e3a3d7385bf0d6592ca816839f6633f5e8045

AveMariaRAT

8fbd0e656a1ee90b82591111e01fb0e8b7a3d3e711e0d5165d05a5d844b8c03f

AveMariaRAT

9cbb4a330c540c4632d8640472dafa3f204b1765ff09b15716b76de1d48ebbfc

AveMariaRAT

b38f7cacc56a97f122827cc2e89c55c9747ad790f7649b6078cedca83659b4dc

AveMariaRAT

e1457c29de4acf85b9420e78bb22d8c84e674a1bce55a9a8070bb4ef4bd883d2

AveMariaRAT

fe974cd55e593d754c3dca74db62bc2fb48f9144c7098eedcf3b9abad1fe05e2

AveMariaRAT

+ 649 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-n7nn5a5qx6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Legitimate hosting services abused for malware hosting/C2

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/360493/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample