MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0055c111a78ee76cb6946a1e9a22f96b1b0533537865d055f465b03ac1aa7df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0055c111a78ee76cb6946a1e9a22f96b1b0533537865d055f465b03ac1aa7df
SHA3-384 hash: 42301267b587085cafe89befe829f9ea44e74bae1066732fc8f56e5d8ad7aa353d5e227abd1cb4645efe8b5b7da244c1
SHA1 hash: 1bad86ed68b6e8d9f360c5a430b17102521fe920
MD5 hash: 87ed91228920b08d9228ec61e927c0da
humanhash: alanine-quiet-missouri-mobile
File name:Order.pdf
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:676'864 bytes
First seen:2020-10-06 06:04:22 UTC
Last seen:2020-10-06 07:22:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:MGKf+0/hitjkl6VgYBBTh0+X2qjNlIM/+PQgLOvN1C9j4akG1hFdf9vICVvVPVJ:42glqTh0+X2YNSBLSY4JGZd9IC33
Threatray 153 similar samples on MalwareBazaar
TLSH 16E49DBD39C36A6DC93A077695B141C1F63932C63FA18E0DB19BA30C0E1765F6B1624E
Reporter abuse_ch
Tags:AveMariaRAT pdf


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: fujitec.co
Sending IP: 209.11.159.147
From: PURCHASE DEPT <adminchn@fujitecindia.com>
Subject: Re: New Order and Contract
Attachment: Purchase Contract Order.zip (contains "Order.pdf")

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68435/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/482368
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0055c111a78ee76cb6946a1e9a22f96b1b0533537865d055f465b03ac1aa7df/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 02:18:36 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wacvyei2pdxhns3ji2q6tirps2y3auzvg6df2bk7iznqhla2u7pq._file
Verdict:
unknown
Similar samples:
659c836026b1ee353c16584705804815ea357519b446db36822fb40bed5ab320
AveMariaRAT
6a25765e7d969b6c324cc461b08d947d49204191d97f620b4a74ba0f6dc744ca
AveMariaRAT
73f6286bd85316cb72796f461e1ad724b8434837f1a10a4a625862c3a7e3c173
AveMariaRAT
93129fbf583ce2e637e0a21c490a549e1597902179636ebc13a7c937b5707782
AveMariaRAT
b796ebc23a355b8fbd29552b2ff7142f09617c25a30a33d5a92626f69e337d48
AveMariaRAT
c1830ba81a707357031fc8e5cd7cf3a6083c30f33669fe29590cc639140d6780
AveMariaRAT
c62ef08103c30d5d2d18fbc2eff820985af40aa377828ef72c3ecad495103511
AveMariaRAT
ca86c76c753d3c8812228b08c1459bdee50a40b0aa36460906e452f80258c1b7
AveMariaRAT
f71494245a0d5304debf8b402ab8096593893d81adbabfa1540e013e0ec99e26
AveMariaRAT
f8f5e97b40ead4c316e0dc6adc5490aafdf806ec5c203931e9d699be3b95a88a
AveMariaRAT
+ 143 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201006-as7q2zed4n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
b0055c111a78ee76cb6946a1e9a22f96b1b0533537865d055f465b03ac1aa7df
MD5 hash:
87ed91228920b08d9228ec61e927c0da
SHA1 hash:
1bad86ed68b6e8d9f360c5a430b17102521fe920
Link:
https://www.unpac.me/results/6c0b8276-4d5b-4d5b-902f-fff251eb53a6/
SH256 hash:
b80155dbd80f8bc5d3f59e08df47aefa42e73612aac6e8845fad3cae516cbdb0
MD5 hash:
0478256ba4237f2e33b77f8127d9a145
SHA1 hash:
560f2cd098bd81c18174d980652b28a8c90c48e2
Link:
https://www.unpac.me/results/6c0b8276-4d5b-4d5b-902f-fff251eb53a6/
SH256 hash:
6588cb59743ca04e6fb14256ed375908c9a74840b37df3eaa4d9e520f747e430
MD5 hash:
36bf02bda20d358a18f7ac65b7d7ac6c
SHA1 hash:
a08c8bb774773bd957adaf80ee544e53cc43679d
Link:
https://www.unpac.me/results/6c0b8276-4d5b-4d5b-902f-fff251eb53a6/
SH256 hash:
da98f072bfe58f53f1756c3afd8375c48a03b48de10fec0ad97a0a3684462099
MD5 hash:
953384e089f80b4e5e68873bb4b9ba85
SHA1 hash:
af73792a41106fbed15328d0473ea54ab970a069
Link:
https://www.unpac.me/results/6c0b8276-4d5b-4d5b-902f-fff251eb53a6/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/6c0b8276-4d5b-4d5b-902f-fff251eb53a6/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0055c111a78ee76cb6946a1e9a22f96b1b0533537865d055f465b03ac1aa7df

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

zip 01ebcc4f8c007d2204c50f1a36ade1694c14ba24604e32a372a4097da6ce2642

AveMariaRAT

Executable exe b0055c111a78ee76cb6946a1e9a22f96b1b0533537865d055f465b03ac1aa7df

(this sample)

  
Dropped by
MD5 6b1741655fe5f36c54db94652a2a2065
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 01ebcc4f8c007d2204c50f1a36ade1694c14ba24604e32a372a4097da6ce2642
Cape
Cape
https://www.capesandbox.com/analysis/68435/

Comments