MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa7983e98428266c58447652fe8c1b211db525293c117c59fc54d4cc318be59d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 4

Intelligence 4 IOCs YARA 6 File information Comments

SHA256 hash:	aa7983e98428266c58447652fe8c1b211db525293c117c59fc54d4cc318be59d
SHA3-384 hash:	7db21b9231e44f6a5361ec6efcc769a27a3cd029019ae0a6672f8b51ff5dd6f3b1bf86f2c4e47531c063b1e2e1597148
SHA1 hash:	38274586db61ffddb46b968caa28ad934bf2fa73
MD5 hash:	becf9d2d24054797cadc9bc97c9dae5f
humanhash:	hotel-kentucky-paris-king
File name:	aa7983e98428266c58447652fe8c1b211db525293c117c59fc54d4cc318be59d
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	275'968 bytes
First seen:	2020-06-16 09:37:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6ed4f5f04d62b18d96b26d6db7c18840 (230 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep	6144:MDRwWBqhocx/GKYEMG0bUfTko9zN5cTb//irwdWdS/bFbO:MQKGGKQQ7ko9zvCtkoRi
Threatray	510 similar samples on MalwareBazaar
TLSH	034412B2F128CC4AE59096304A36D1FA52773DD8F4B2122E7531BE7FBD37A812451A62
Reporter	JAMESWT_WT
Tags:	AveMariaRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/10784/

Detection(s):

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-6

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Streamer

Status:

Malicious

First seen:

2020-06-11 07:27:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

35 of 48 (72.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vj4yh2mefatgywceozjp5da3eeo3kjjjhqixywp4ktkmymml4woq._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

53cd9651cbdd09d3f06b909017df029bf51ff781bce199fe823ca8cb78b3e75e

AveMariaRAT

7dff88b3b51db9f32b155133aba7bff719133a881082bbffd5dad02f7acf79e6

AveMariaRAT

922be6acb1365bac828b5493a4ba1a5fd0d214a5273f39bfbaf932d80c9b5a75

AveMariaRAT

a607cec440113a15857e5af97900685979bc307112628b6667a8a231f6559145

AveMariaRAT

b156f7eea25bfef26649faaeec108d9956479396f3f684fc257e379f305ccbdc

AveMariaRAT

b828c7f4161cc9b6b0285fc4c528ec53c13e23b562246709e66048d2daf658ca

AveMariaRAT

e8ced66e2e2f78e7b4360155e2513cb99aa57d9743b1eab6430cffaa7d8c3523

AveMariaRAT

f99107fb49e1a9ae31d72e1a052baa79ce419ce970bc521010885c98a3d6e6ac

AveMariaRAT

fe1fd26713b3290eb083f29aad553453ad78a6efd99c9b351bf405cfd45de4c3

AveMariaRAT

+ 500 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/200624-qzyqkzphxa/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Suspicious use of WriteProcessMemory

Adds Run entry to start application

Loads dropped DLL

Drops startup file

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/10784/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample