MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5244d189112fede20a99ed1f7ca814762f9ab52cedaca1c1770c47ed69a6498. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 6

Intelligence 6 IOCs YARA 7 File information Comments

SHA256 hash:	d5244d189112fede20a99ed1f7ca814762f9ab52cedaca1c1770c47ed69a6498
SHA3-384 hash:	b05a770a32c1d2225b5f9657dde241a07792cb54c1d56a3dca343b72710e2d2b833a8c9fb0228f83d40278a9edc9f5ce
SHA1 hash:	7c6aa14f983f2730c7cd0e8b020b08f6b94f4857
MD5 hash:	37cfbff24422ad17b5a1cb3f02679153
humanhash:	april-eleven-nuts-july
File name:	IMG-20200107-024142914208136738390-43910161800291224297.exe
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	825'344 bytes
First seen:	2020-07-02 06:57:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6f4a5db2ce2ae19074b0e088a68b6a05 (4 x AveMariaRAT, 1 x LuminosityLink)
ssdeep	12288:I2TpWuXJM6iiguuUyREh6ZCjdJ2oQZ1DakzZwP4BTNdAL0++:IopW+JMjNZCjXzQZ1DakFBpNuL
Threatray	508 similar samples on MalwareBazaar
TLSH	28052964A3A0C038FAB72AF156ED117D947E7ED11B28A0C752D01DEE5A26AF1EC30717
Reporter	abuse_ch
Tags:	AveMariaRAT exe RAT

abuse_ch

Malspam distributing AveMariaRAT:

HELO: slot0.userrevenue.com
Sending IP: 142.11.240.107
From: Anil kumar .Nuka <postmaster@userrevenue.com>
Reply-To: ayse@rizaaltin.com
Subject: Quote request--urgent
Attachment: IMG-20200107-0241429.xz (contains "IMG-20200107-024142914208136738390-43910161800291224297.exe")

AveMariaRAT C2:
185.19.85.150:5203

% Information related to '185.19.84.0 - 185.19.85.255'

% Abuse contact for '185.19.84.0 - 185.19.85.255' is 'abuse@datawire.ch'

inetnum: 185.19.84.0 - 185.19.85.255
netname: DATAWIRE-DATACENTERS
descr: CUSTOMERS ZG01
country: CH
admin-c: DA4314-RIPE
tech-c: DA4314-RIPE
status: ASSIGNED PA
mnt-by: DATAWIRE-NOC
created: 2013-09-23T14:18:55Z
last-modified: 2013-09-23T14:18:55Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/18327/

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

PUA.Win.Adware.Domaiq-6840275-0

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/d5244d189112fede20a99ed1f7ca814762f9ab52cedaca1c1770c47ed69a6498/

Threat name:

Win32.Trojan.Avemariarat

Status:

Malicious

First seen:

2020-07-02 06:59:05 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2use2gercl7n4ifjt3i7psubi5rptk2sz3nmuhaxodch5vu2msma._file

Verdict:

malicious

Label(s):

avemaria

AveMariaRAT

25db81a9c27d2c56fb1d168f3416260ae33470a32e8adb3ff15a0b30e43abc6d

AveMariaRAT

7c186a7edf751a516c70679dd03e248eabb14a56497c064c16d43b1133b9b86a

AveMariaRAT

8e2a4af633ffda92d8508e04274bad284ba57cddcdc2ee2c933a68ec6da5d4cd

AveMariaRAT

a6c22328747eaee0b88ce02ad48e8d2860cb275bc2494248a173ccc8bf891563

AveMariaRAT

aa78a6486a07e5063b9d8510f1b483195d0de3affe4de0b87e0b75b615c25e72

AveMariaRAT

b5b64f85cdeb5432018e22087fce4b6dc1e56593e8416335f471d4eac1e2b8cf

AveMariaRAT

da7d4b75bfe7b58a32a24ddc9f97e8b479933a515a20945c81d279dc29206bd8

AveMariaRAT

da8e89fa0cbec2f66ea695865de7a0eb7f9211c10aae3598490bbaec4f83ebfc

AveMariaRAT

f6992d6684eb90b504ae13c3a5159e336005a415c7e50ed2dc7f1420ffa488b1

AveMariaRAT

+ 498 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/200702-xvl7vd69ss/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Program crash

Adds Run entry to start application

Loads dropped DLL

Drops startup file

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_malumpos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com