MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b78257912955d636db85f7fc299662ebd040df5c2919f2614e52aaf511b54d05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b78257912955d636db85f7fc299662ebd040df5c2919f2614e52aaf511b54d05
SHA3-384 hash: 895594b80782059693626dd914b2a31b7298626cd6e8fa33c381db832451ff52a19a7dfce781d233fddcfb5370938f68
SHA1 hash: 5bae5d9ea4697546de153b999dcf0af7691ce443
MD5 hash: 35ead972b5619f506b5771357f738c18
humanhash: kansas-india-pizza-pip
File name:Ordine R20-T4077, pdf.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:750'256 bytes
First seen:2020-10-26 15:49:57 UTC
Last seen:2020-11-03 10:09:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:lXUGs/fEVce2skJ73ZF2sA9bwVKGOKS8Ep:lERfSrp
Threatray 27 similar samples on MalwareBazaar
TLSH 7BF41F3C6E8426A35273E676A0F50587FEE8658673B85D4B02C33B486D5AF023D9734E
Reporter abuse_ch
Tags:AveMariaRAT exe

Code Signing Certificate

Organisation:DigiCert Assured ID Root CA
Issuer:DigiCert Assured ID Root CA
Algorithm:sha1WithRSAEncryption
Valid from:Nov 10 00:00:00 2006 GMT
Valid to:Nov 10 00:00:00 2031 GMT
Serial number: 0CE7E0E517D846FE8FE560FC1BF03039
Intelligence: 22 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.nipponcarsrl.com.ar
Sending IP: 200.114.86.103
From: info@filtertechnics.it
Subject: R20-T4077
Attachment: Ordine R20-T4077, pdf.iso (contains "Ordine R20-T4077, pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
54
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79357/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/512417
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 305421 Sample: Ordine R20-T4077, pdf.exe Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 28 graceland777.ddns.net 2->28 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for dropped file 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 9 other signatures 2->40 7 Ordine R20-T4077, pdf.exe 1 4 2->7         started        10 vlc.exe 2->10         started        12 vlc.exe 1 2->12         started        signatures3 process4 file5 26 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 7->26 dropped 14 Ordine R20-T4077, pdf.exe 3 2 7->14         started        18 WerFault.exe 23 9 7->18         started        20 WerFault.exe 19 9 10->20         started        22 vlc.exe 1 10->22         started        24 WerFault.exe 9 12->24         started        process6 dnsIp7 30 graceland777.ddns.net 185.140.53.129, 49753, 49757, 49758 DAVID_CRAIGGG Sweden 14->30 42 Increases the number of concurrent connection per server for Internet Explorer 14->42 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->44 32 192.168.2.1 unknown unknown 18->32 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b78257912955d636db85f7fc299662ebd040df5c2919f2614e52aaf511b54d05/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 09:40:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w6bfpejjkxldnw4f676ctftc5piebx24fem7eykokkvpkenvjucq._file
Verdict:
unknown
Similar samples:
5fcc312a31029c692e592e1b70ec22e1008cfb3df910ab2fec80a193d420fe08
AveMariaRAT
676deae3db8218b9bf16e0ae37abde30655464de43497b2af747e53626f3735e
AveMariaRAT
7229eda7f70cf4048d377a97e470953853458f1635e9c426c042290fef14d979
AveMariaRAT
786dd4d9050a7a8d83b60280da6360b73ebf5680da7c9e5d8f6762f425ba099e
AveMariaRAT
91e3a5a72c848c5fdadef7dcb78767caf56a0d9ec266fc5fac46ed0885e55845
AveMariaRAT
b524b8d67e16781462e06815013dc190be41690c8a3cfcbbb6cff09bebb7c07f
AveMariaRAT
bb13a7a8fdc0b1a0c91de3c6dade1fd0e5b29cf74cc842d809c73a2a88c26854
AveMariaRAT
c55730133205122e022bb1681c30d9843889e63bd4f16497f6bbe08f2758e2ba
AveMariaRAT
dafee937bbe45fe3398e06d60f2177c42a20e41f9bc5c22dcadbf284cdf4fb75
AveMariaRAT
e32decb9aac454a38a186b4f7bc59e471c78e2cf6a5fff25c0d8b68d1c46805c
AveMariaRAT
+ 17 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201026-kqka34n7n6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

iso fe3bd22419bc6b5ee64632dd4f84b3dde620aae75d7c4749e53f6b925679b794

AveMariaRAT

Executable exe b78257912955d636db85f7fc299662ebd040df5c2919f2614e52aaf511b54d05

(this sample)

  
Dropped by
MD5 dc729ececb344266f6fcf861480275e7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fe3bd22419bc6b5ee64632dd4f84b3dde620aae75d7c4749e53f6b925679b794
Cape
Cape
https://www.capesandbox.com/analysis/79357/

Comments