MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad9e8312433e5a1b32f661f93f4fa23ecc7e952f61b2bfb1b917f5cf1e6f7495. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad9e8312433e5a1b32f661f93f4fa23ecc7e952f61b2bfb1b917f5cf1e6f7495
SHA3-384 hash: c0728c6d50d6bd7c721c3b2c0b9f3968433f5b7181427faeea1a1c6f99e35b4148925051271f6f88ef2b137754659cd3
SHA1 hash: 0962d1ad7b897d8dc06f23d32a2c4bb8f6a05dc4
MD5 hash: 33b165cc4a07744c213ba2146d603160
humanhash: north-pizza-stream-alpha
File name:QUOTATION_AUG7FIBA00541.z
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:990'501 bytes
First seen:2023-08-30 19:30:08 UTC
Last seen:Never
File type: z
MIME type:application/x-7z-compressed
ssdeep 24576:ZQ6pyP2T1UjygS6f7TRWJGLaZ3Z6CWsE4dUm:ZxmcU20pWJGLahZ6CREWUm
TLSH T1B82533C8CEF94114494AF3F9BEB5CDDC334CC5002ABBB5569062EB22690D72A276939D
TrID 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter cocaman
Tags:AveMariaRAT QUOTATION RFQ z


Avatar
cocaman
Malicious email (T1566.001)
From: "Dong Hui<Dong Hui2@growatt.com>" (likely spoofed)
Received: "from [163.123.143.173] (unknown [163.123.143.173]) "
Date: "29 Aug 2023 12:49:25 +0200"
Subject: "RFQ no.Growatt /ORDER LIST_AUG7FIBA005417."
Attachment: "QUOTATION_AUG7FIBA00541.z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
CH CH
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:32512
File size:188 bytes
SHA256 hash: 50754318d26dba3f88614de1876671de7b6da4221d50886070da0b620045c36e
MD5 hash: 2b813330dc0a2164eb1fa23549e3828d
MIME type:application/octet-stream
Signature AveMariaRAT
File name:QUOTATION_AUG7FIBA00541·PDF.scr
File size:1'961'512 bytes
SHA256 hash: 511ac21d17ad7b77173c3007465b034ce0a83517749f7263d27243453f6728c3
MD5 hash: 0fcb28f04c3fead1520ea0b7476b0957
MIME type:application/x-dosexec
Signature AveMariaRAT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.1786.9122.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
80%
Tags:
overlay packed packed
Link:
https://www.filescan.io/uploads/64ef98f7b3b7d7c782d158f5/reports/6523e913-392f-43fe-a150-9364a0ae5ff7/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/ad9e8312433e5a1b32f661f93f4fa23ecc7e952f61b2bfb1b917f5cf1e6f7495
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad9e8312433e5a1b32f661f93f4fa23ecc7e952f61b2bfb1b917f5cf1e6f7495/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-08-29 09:25:40 UTC
File Type:
Binary (Archive)
Extracted files:
38
AV detection:
14 of 38 (36.84%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwpigesdhznbwmxwmh4t6t5ch3gh5fjpmgzl7mnzc7246htposkq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/ad9e8312433e5a1b32f661f93f4fa23ecc7e952f61b2bfb1b917f5cf1e6f7495

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

z ad9e8312433e5a1b32f661f93f4fa23ecc7e952f61b2bfb1b917f5cf1e6f7495

(this sample)

AveMariaRAT

Executable exe 511ac21d17ad7b77173c3007465b034ce0a83517749f7263d27243453f6728c3

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 511ac21d17ad7b77173c3007465b034ce0a83517749f7263d27243453f6728c3
  
Dropping
AveMariaRAT

Comments