MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc4d71c433212a94ba581d1ffbdbefcf696c47b9944fac63352350186559cf83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 4

Intelligence 4 IOCs YARA 4 File information Comments

SHA256 hash:	bc4d71c433212a94ba581d1ffbdbefcf696c47b9944fac63352350186559cf83
SHA3-384 hash:	3aacf5bafdeb86b641c5665e6412f9b537ec7d1981d270a5282f99d5a180f223c68ea27c5520f8ac6eebcff3eb9a29f8
SHA1 hash:	3d189b02d55411b8702cf5f9a5415862d9ad03cf
MD5 hash:	d2c7ebc843f4d2b00ca6926c2e2aedc8
humanhash:	uranus-timing-violet-cup
File name:	bc4d71c433212a94ba581d1ffbdbefcf696c47b9944fac63352350186559cf83
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	64'256 bytes
First seen:	2020-06-29 07:51:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ae7d0bf9c619b111b6a98d55dfb55af3 (5 x AveMariaRAT)
ssdeep	768:zDmqvcQWXqb2yV55uCyx4HunAxOfK5y/OsN39CNqGa0RmRCec6S/s/e5fdoPwTdV:nRvAXANxyiHVWEE7HAA4rff6PwZ5dERC
Threatray	424 similar samples on MalwareBazaar
TLSH	9C53D1269FE1B471C9DD4A30E36B8A2B4244779403A9644DE93063E78DB0B8C6DB498F
Reporter	JAMESWT_WT
Tags:	AveMariaRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Warzone

Link:

https://www.capesandbox.com/analysis/15985/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Maria.4.17072.22484.UNOFFICIAL

SecuriteInfo.com.Trojan.PWS.Maria.3.30306.22950.UNOFFICIAL

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bc4d71c433212a94ba581d1ffbdbefcf696c47b9944fac63352350186559cf83/

Threat name:

Win32.Trojan.Ursnif

Status:

Malicious

First seen:

2020-06-25 23:08:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 31 (100.00%)

Threat level:

5/5

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

6eb590a11b5310606564853be8c43179b95ee93c3a4c8c3ea8f011819a3b2337

AveMariaRAT

7b7b7e7ad9b106a5508583f1b60e3a3d7385bf0d6592ca816839f6633f5e8045

AveMariaRAT

7c7fbeb0b90a27a56ddbd1adee5627396a0d3f4639bea0d8675687a66064b6c8

AveMariaRAT

94c5bf5ba01bdb8b028fe00eca0d805b8150c3639ce9e3cf0b86670061d66196

AveMariaRAT

9ce5eb576c72ecc29eabbbece917f1873bf4f5782485b22549dfbb6ff1d56f58

AveMariaRAT

a6969df5b378c0ac923dfceaac03c45afc9588c8a5a11ed9d74e78db61b04a13

AveMariaRAT

b38f7cacc56a97f122827cc2e89c55c9747ad790f7649b6078cedca83659b4dc

AveMariaRAT

c44f241eb6a6d9904d1cfd5f750124d56174e25ca2691a7028b32224b36911db

AveMariaRAT

c9d35153c2220d608ca08a3e4b26bd01a105e9e99c2bbc6c464f629f6ab472cb

AveMariaRAT

+ 414 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200629-d9eff6t7vn/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/15985/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample