MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8dbc896602791f2398a1af843abb3fba4927066b1b0c47228646354c6150fec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8dbc896602791f2398a1af843abb3fba4927066b1b0c47228646354c6150fec
SHA3-384 hash: 856005fb35c93313145b05cd003fae3bf8afac161d1f12fee3f61a769f75c0321ae717ea3ca0e26d13cff66b66388d67
SHA1 hash: 6032c7a6133894e1c3528b91f778bc2b72e3b874
MD5 hash: 64d64f35ec0ffb03a41a70b026aace2f
humanhash: lima-washington-nebraska-football
File name:64d64f35ec0ffb03a41a70b026aace2f.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:829'952 bytes
First seen:2020-06-29 19:24:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 40976bd0dfb9d8835690180f02eb563a (3 x RemcosRAT, 2 x FormBook, 1 x NetWire)
ssdeep 12288:9HDP+feVTP9D8jFUnohgvBsMWwo1fkR3CcYs6z7x/J1NMwb:1LVR9gjF8ohgvBfo9kchz1H
Threatray 186 similar samples on MalwareBazaar
TLSH CA058E62F2915A3BD0321B7C8D1B53985926FD112D2C9D866FF89F4C5F3A3817C292A3
Reporter abuse_ch
Tags:AveMariaRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16570/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.AI.Packer.7BA51BF319.27257.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8dbc896602791f2398a1af843abb3fba4927066b1b0c47228646354c6150fec/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 19:26:05 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
03dcc84a1b2387ef18e82b9deeaa45da311890d27b3d28d022d43924201b7bcc
AveMariaRAT
1c6c9635f0c01cc93b504293351215058cf9ef8b62ca38ce71012a4875fbe0a4
AveMariaRAT
38d3f45c15d354a76eaa73d2da717165dee22b8207fa87088685486019ff482d
AveMariaRAT
65463a82bb20ec1f2d53e93c9e51538d55fff2844c746afc36e7a1c43cce36e4
AveMariaRAT
9519395df08cc1e952c5d7bd57b705f105dcbe6a59a09f4ae6163873cd75c9bb
AveMariaRAT
9b6c23ee51101f9e2542bb697e7b218e0a57d51ac6b577998cba351581aa7491
AveMariaRAT
a4a3167ca8c35a365a3f308cebf6169b1f771eb5094a77de23e6b0799794f135
AveMariaRAT
a9a117ae98fd5a5f90a2058461be2dc525bde25a920d9acaeae2490633587392
AveMariaRAT
b2a87b6ad43bda8ae0b7cb4a182abfd355da89ce3fc328eddd2ca3c0557b9999
AveMariaRAT
fd63723645c61765202d3ebb6aef59ff6dba68005323e8b493b1a9dff9de84e5
AveMariaRAT
+ 176 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200629-67hgy63hy6/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run entry to start application
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AveMariaRAT

Executable exe d8dbc896602791f2398a1af843abb3fba4927066b1b0c47228646354c6150fec

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/16570/
  
URLhaus
https://urlhaus.abuse.ch/url/404421/
  
Delivery method
Distributed via web download

Comments