MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b44646b530b067dadca8a6b31582efa9b9738c068a209af3b1bb4d403bd574fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b44646b530b067dadca8a6b31582efa9b9738c068a209af3b1bb4d403bd574fc
SHA3-384 hash: f398d8016a6d399238b12bae89f9e05ecfb98717bb8519967f426ddc6769534c086696870263d78f48f5ff2a17a8247c
SHA1 hash: 446717cae3fe55adcc43e349ee6d87554dd6287e
MD5 hash: d193ca6edff4139d4659dfd698250a8e
humanhash: eighteen-pizza-march-idaho
File name:DEBIT NOTE_P.List and Invoice Reload.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:667'618 bytes
First seen:2020-08-18 13:04:00 UTC
Last seen:2020-08-18 15:59:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1d3807efc70a0a5a6d2ab497250e9cb5 (4 x RemcosRAT, 1 x AZORult, 1 x AveMariaRAT)
ssdeep 12288:Im/ZNPa2c/PWwuUDKcoEwWLC2W2nKjdkOdqY55w/oPXjlBeh0KCaj:Im/TyzPWwuUDpoEwECcKpkON/Tno0
Threatray 525 similar samples on MalwareBazaar
TLSH 94E49E62E6804837C0631578AC0B9FE9D937AF113B58AC476BF62E0C5F397D17A29097
Reporter abuse_ch
Tags:AveMariaRAT exe

Code Signing Certificate

Organisation:Microsoft Time-Stamp Service
Issuer:Microsoft Time-Stamp PCA
Algorithm:sha1WithRSAEncryption
Valid from:Sep 7 17:58:56 2016 GMT
Valid to:Sep 7 17:58:56 2018 GMT
Serial number: 33000000CCCBB813EB5D722D450000000000CC
Intelligence: 15 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0C043752471269029D69B98BD42DFAD2656F1BCFDEC9A291039F4EF69B496C70
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: brcsupplychain.in
Sending IP: 185.222.58.146
From: BRC Opearation /Co ordination <docs@brcsupplychain.in>
Subject: Re: Debit note // TOP URGENT // Felixstowe // 0DEH005648
Attachment: DEBIT NOTE_P.List and Invoice Reload.r00 (contains "DEBIT NOTE_P.List and Invoice Reload.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
55
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47871/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Setting a single autorun event
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b44646b530b067dadca8a6b31582efa9b9738c068a209af3b1bb4d403bd574fc/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 05:02:07 UTC
File Type:
PE (Exe)
Extracted files:
98
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wrdennjqwbt5vxfiu2zrlaxpvg4xhdagriqjv45rxnguao6vot6a._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
1c517ddebb6f5893d52918c51a70e56f68b50dd65e0460a673cce3625a0f8a2b
AveMariaRAT
3f937c7dddcdc31780807b68e4b93eea42d4146195b9c45d671bf6ed2f52a5bc
AveMariaRAT
4fa4af45c70295513c486589c0e36e7436be6abbf3c75e97b544db959e9dfcb5
AveMariaRAT
51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f
AveMariaRAT
51c81d6e49ad27baa52a1d1047fe0a5c61c209d39110b81ab07cd2aa30a221ab
AveMariaRAT
5ef2d70f9e7fa30c9fea637c8b0c60276ca69505640ffb417a27a320575f3807
AveMariaRAT
60d7b2ab0fb53d37576c2edd50231cc82e87d0c0cee85afddac247cb795164c3
AveMariaRAT
bdf0628de7c3965db41f88705c2b900a19fc12499435fd77f6eabc172c397861
AveMariaRAT
c8dda41b34e9b16da333bfa30653a6f46be67c657158ecfd2c0463903b01e54d
AveMariaRAT
f54187c724636062fdf6287ad5b83c5c198e44577158b30b15d1144c287f4c17
AveMariaRAT
+ 515 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200818-hvg22xsv9n/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b44646b530b067dadca8a6b31582efa9b9738c068a209af3b1bb4d403bd574fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

r00 6517ff6ce7efd967f365dcb6217bd5e1e34e2aae0e5c3db57a7e1f04d819a6ed

AveMariaRAT

Executable exe b44646b530b067dadca8a6b31582efa9b9738c068a209af3b1bb4d403bd574fc

(this sample)

  
Dropped by
MD5 c2b644274a2886abe8e60c34e6d4ab34
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47871/
  
Dropped by
SHA256 6517ff6ce7efd967f365dcb6217bd5e1e34e2aae0e5c3db57a7e1f04d819a6ed

Comments