MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6969df5b378c0ac923dfceaac03c45afc9588c8a5a11ed9d74e78db61b04a13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 5

Intelligence 5 IOCs YARA 4 File information Comments

SHA256 hash:	a6969df5b378c0ac923dfceaac03c45afc9588c8a5a11ed9d74e78db61b04a13
SHA3-384 hash:	ec4b6fa7971cf9ff9ee0948046c248811f71fed7756383aab453a6a8c727fbb3c576a1f279430e76a945c3b62922aa64
SHA1 hash:	1c71cbcd11b1ac31ea2e8f9636e0558a42850d13
MD5 hash:	ecfa8fad85df635aadee4f44f3daafeb
humanhash:	zulu-mexico-vegan-potato
File name:	a6969df5b378c0ac923dfceaac03c45afc9588c8a5a11ed9d74e78db61b04a13
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	60'160 bytes
First seen:	2020-06-29 07:51:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ae7d0bf9c619b111b6a98d55dfb55af3 (5 x AveMariaRAT)
ssdeep	768:BNlVQTYNIGZsrdwUfDsFQ6wp4zP6ZdkJzBlPFzCMBCnngXqLF0K9uLD1V3wL:BiTTG6rXDsFRzS7AzrFnaLl/
Threatray	424 similar samples on MalwareBazaar
TLSH	E643E157B778F1A1E9B408363C348520830274B19356BAE6645B93923FF13E25FFA94E
Reporter	JAMESWT_WT
Tags:	AveMariaRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Warzone

Link:

https://www.capesandbox.com/analysis/15992/

Detection(s):

PUA.Win.Packer.Upolyx-12

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a6969df5b378c0ac923dfceaac03c45afc9588c8a5a11ed9d74e78db61b04a13/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2020-06-25 23:09:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u2lj35ntpdakzer57tvkya6ell6jlcgiuwqr5woxjz4nwynqjijq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

4d6cac6b50fd6a9ef2d2e81e96174dd95d8f869ea7539a9525a6d4a11945c978

AveMariaRAT

5dd2674c9f116740c0132fca0553257cd52d8785a7ff47dd6d361b30a9634189

AveMariaRAT

7b7b7e7ad9b106a5508583f1b60e3a3d7385bf0d6592ca816839f6633f5e8045

AveMariaRAT

7c7fbeb0b90a27a56ddbd1adee5627396a0d3f4639bea0d8675687a66064b6c8

AveMariaRAT

7f29131cb5f28ccbd60dbdf39b6b3c79a974d4a3950aac1d1c0f7edd68193c03

AveMariaRAT

94c5bf5ba01bdb8b028fe00eca0d805b8150c3639ce9e3cf0b86670061d66196

AveMariaRAT

a445a5bc6990861c07657cc70e85253ff73cd88e6d7f040e00fb03ffbce5764b

AveMariaRAT

c44f241eb6a6d9904d1cfd5f750124d56174e25ca2691a7028b32224b36911db

AveMariaRAT

e43d34170181b3e9b5baf550d70b27fdbcfcc8e974694352d77e5e52e8866a2d

AveMariaRAT

+ 414 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200629-87x9d22ea6/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/15992/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample