MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bec0fd02d4c6cc5da2d88a5bf2a53b8d3ad5cfc1d40a8c62852629d7de06ebd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bec0fd02d4c6cc5da2d88a5bf2a53b8d3ad5cfc1d40a8c62852629d7de06ebd8
SHA3-384 hash: 8a7a1292f284f369c81bcef496ae25b0011c6b965456c384f953f892755379f63c31cec3d24f3306f4e2ce686a805465
SHA1 hash: e5ddb0937f4893c2765ecebf1cd9f72a71a03694
MD5 hash: 0e64ae0e43dabae0bb7316413ee8dca0
humanhash: alanine-florida-speaker-queen
File name:HSBCIT0419.EXE
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:27'048 bytes
First seen:2020-10-30 12:55:10 UTC
Last seen:2020-11-03 10:09:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:Vc/HCI/cI725Mrvhy988+OBREcBJg8DDgf2hI:Vc/H5/cI7AMrvEXvkEUf2hI
Threatray 533 similar samples on MalwareBazaar
TLSH 4CC20DAB77050D21D63C953461F718B5ABFAB84A3FBEC001ACC4629D56DF3782A297C4
Reporter cocaman
Tags:AveMariaRAT exe

Code Signing Certificate

Organisation:Microsoft Windows
Issuer:Microsoft Windows
Algorithm:sha256WithRSAEncryption
Valid from:Oct 30 11:03:24 2020 GMT
Valid to:Oct 30 11:03:24 2021 GMT
Serial number: B85323B541123E0656D2B4A0DA5EBF0E
Thumbprint Algorithm:SHA256
Thumbprint: 18A2672166A6FE7221798AB1AA595F71B2841E0C59FBD401EB84E5C5DABBD878
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
9
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/81225/
Detection(s):
SecuriteInfo.com.Gen.NN.ZemsilF.34590.biX@ayiNiAg.21395.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Launching a process
Adding an access-denied ACE
Creating a file
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Unauthorized injection to a system process
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/516951
Signature
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 307578 Sample: HSBCIT0419.EXE Startdate: 30/10/2020 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 8 other signatures 2->54 7 HSBCIT0419.EXE 18 4 2->7         started        12 HSBCIT0419.EXE 2->12         started        14 HSBCIT0419.EXE 2 2->14         started        16 3 other processes 2->16 process3 dnsIp4 46 hastebin.com 104.24.127.89, 443, 49743, 49760 CLOUDFLARENETUS United States 7->46 40 C:\Users\user\AppData\...\HSBCIT0419.EXE, PE32 7->40 dropped 64 Creates an undocumented autostart registry key 7->64 66 Drops PE files to the startup folder 7->66 68 Writes to foreign memory regions 7->68 70 Contains functionality to hide a thread from the debugger 7->70 18 aspnet_state.exe 3 2 7->18         started        22 WerFault.exe 23 9 7->22         started        72 Creates autostart registry keys with suspicious names 12->72 74 Creates multiple autostart registry keys 12->74 76 Allocates memory in foreign processes 12->76 24 aspnet_state.exe 12->24         started        26 WerFault.exe 12->26         started        78 Hides threads from debuggers 14->78 80 Injects a PE file into a foreign processes 14->80 28 aspnet_state.exe 14->28         started        30 aspnet_state.exe 14->30         started        32 WerFault.exe 14->32         started        34 aspnet_state.exe 16->34         started        36 5 other processes 16->36 file5 signatures6 process7 dnsIp8 42 efiigbo9.duckdns.org 185.140.53.130, 49755, 8800 DAVID_CRAIGGG Sweden 18->42 56 Contains functionality to inject threads in other processes 18->56 58 Contains functionality to steal Chrome passwords or cookies 18->58 60 Contains functionality to steal e-mail passwords 18->60 62 2 other signatures 18->62 44 192.168.2.1 unknown unknown 22->44 38 WerFault.exe 24->38         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bec0fd02d4c6cc5da2d88a5bf2a53b8d3ad5cfc1d40a8c62852629d7de06ebd8/
Threat name:
ByteCode-MSIL.Trojan.Masson
Create hunting rule
Status:
Malicious
First seen:
2020-10-30 12:57:03 UTC
File Type:
PE (.Net Exe)
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x3ap2awuy3gf3iwyrjn7fjj3ru5nlt6b2qfiyyufeyu5pxqg5pma._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
18ec681c471f185edf3ab8e23b52b4ea2a87162f9957b4d5d10ac0e2bc008405
AveMariaRAT
2850ddcebc7ed468cb0db271e54956468f0c93dd57a233665646d28cb1139373
AveMariaRAT
285f4e79ae946ef179e45319caf11bf0c1cdaa376924b83bfbf82ed39361911b
AveMariaRAT
5b92d7f869973b50de0c707ce58afacd6f1202364283c7dffa6ffd79a41a93eb
AveMariaRAT
aae06c61ea30fd920db8caa7e32eefe1b74842affe3fa6d53ce6765f49783ed5
AveMariaRAT
b8ab1b11519bc6b1e834b01d385b9b15a297d05533eec1ea6f89fa0576370f24
AveMariaRAT
c805a81435618323cd34e9729b058df78e9c496d1d6c752cc3e5c7cb30f26613
AveMariaRAT
c838da7346e7f3373f9f1a84a073c248f785e82be48db979cdb339460402de06
AveMariaRAT
ebbc6c8a9394818874d649441f0644f42f52fd0aac5090212a9908b4b8889d6e
AveMariaRAT
fc4b29f54e0b3ed0493ba85310a2665ab47e5143f3cb3ce09686f0560dd1ed04
AveMariaRAT
+ 523 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/201030-x6n3z2nqk2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Warzone RAT Payload
Modifies WinLogon for persistence
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

iso cc32c27f09045af46bef527b915c8bf8b2afd91a9e043d15e34196f9d036bcac

AveMariaRAT

Executable exe bec0fd02d4c6cc5da2d88a5bf2a53b8d3ad5cfc1d40a8c62852629d7de06ebd8

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/81225/
  
Dropped by
SHA256 cc32c27f09045af46bef527b915c8bf8b2afd91a9e043d15e34196f9d036bcac

Comments