MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c44f241eb6a6d9904d1cfd5f750124d56174e25ca2691a7028b32224b36911db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 4

Intelligence 4 IOCs YARA 4 File information Comments

SHA256 hash:	c44f241eb6a6d9904d1cfd5f750124d56174e25ca2691a7028b32224b36911db
SHA3-384 hash:	74373606f0ec052ba89c8f83182892d94e3c1c0d1277895fc1930262addca738527881ff2e841a6b72351aac5e0af390
SHA1 hash:	73593bd233e41c1024591994d8ca0855e2653463
MD5 hash:	b49e3202160974dd86b1c85eba22ed19
humanhash:	uranus-lamp-artist-mississippi
File name:	c44f241eb6a6d9904d1cfd5f750124d56174e25ca2691a7028b32224b36911db
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	64'288 bytes
First seen:	2020-06-29 07:51:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ae7d0bf9c619b111b6a98d55dfb55af3 (5 x AveMariaRAT)
ssdeep	768:9DmqvcQWXqb2yV55uCyx4HunAxOfK5y/OsN39CNqGa0RmRCec6S/s/e5fdoPwTdU:hRvAXANxyiHVWEE7HAA4rff6PwZ5dERH
Threatray	424 similar samples on MalwareBazaar
TLSH	8B53D126DFE1B471C9DD8A30E36B4A2B4244779403A9644DE93463E78DB0B8C6DF498F
Reporter	JAMESWT_WT
Tags:	AveMariaRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Warzone

Link:

https://www.capesandbox.com/analysis/15984/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Maria.4.17072.22484.UNOFFICIAL

SecuriteInfo.com.Trojan.PWS.Maria.3.30306.22950.UNOFFICIAL

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c44f241eb6a6d9904d1cfd5f750124d56174e25ca2691a7028b32224b36911db/

Threat name:

Win32.Trojan.Ursnif

Status:

Malicious

First seen:

2020-06-25 21:42:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 31 (100.00%)

Threat level:

5/5

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

4d6cac6b50fd6a9ef2d2e81e96174dd95d8f869ea7539a9525a6d4a11945c978

AveMariaRAT

5dd2674c9f116740c0132fca0553257cd52d8785a7ff47dd6d361b30a9634189

AveMariaRAT

7b7b7e7ad9b106a5508583f1b60e3a3d7385bf0d6592ca816839f6633f5e8045

AveMariaRAT

7c7fbeb0b90a27a56ddbd1adee5627396a0d3f4639bea0d8675687a66064b6c8

AveMariaRAT

7f29131cb5f28ccbd60dbdf39b6b3c79a974d4a3950aac1d1c0f7edd68193c03

AveMariaRAT

7f62e5e2d0cfbe0740718588465b71a701fe3e188a8a4755baacbdc6fb41d52c

AveMariaRAT

94c5bf5ba01bdb8b028fe00eca0d805b8150c3639ce9e3cf0b86670061d66196

AveMariaRAT

a445a5bc6990861c07657cc70e85253ff73cd88e6d7f040e00fb03ffbce5764b

AveMariaRAT

e43d34170181b3e9b5baf550d70b27fdbcfcc8e974694352d77e5e52e8866a2d

AveMariaRAT

+ 414 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200629-jc82arsyde/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/15984/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample