MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e
SHA3-384 hash: 8587265b7478f6084334ba596e8fff1c994244727ffc90637ebf9f9e018524cf6d799ff8f98c790d35601dc183f934b8
SHA1 hash: 22b487be37f13797100c3348e1c9a3a254b41abc
MD5 hash: 771d64a701a7827fb3229f98ad3ff858
humanhash: fruit-three-moon-berlin
File name: adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e
Signature: AveMariaRAT
File size: 1'105'920 bytes
First seen: 2020-06-17 09:03:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: afcdf79be1557326c854b6e20cb900a7
ssdeep: 24576:FAHnh+eWsN3skA4RV1Hom2KXMmHaT+t4Nt75:0h+ZkldoPK8YaT+tW
TLSH: 6935AD0273D1C036FFABA2739B6AF64556BC79254133852F13981DB9BD701B2223E663
Reporter: @JAMESWT_MHT
Tags: AveMariaRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 26
Origin country: IT
Mail intelligence
No data
Vendor Threat Intelligence
Detection: WarzoneRAT
Threat name: Win32.Spyware.AveMaria
Status: Malicious
First seen: 2020-06-16 13:54:55 UTC
AV detection: 26 of 31 (83.87%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
NTFS ADS
Suspicious use of SetThreadContext
Adds Run entry to start application
Loads dropped DLL
Drops startup file
Executes dropped EXE

Yara Signatures


Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; Detect CobaltStrike used by different APT groups
Rule name: Codoso_Gh0st_1
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name: Codoso_Gh0st_2
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name: MAL_Envrial_Jan18_1
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name: win_ave_maria_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments