MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de966245d2120df80add0bc610965487383a27ca6434abb2a41d3fb6447ee0cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de966245d2120df80add0bc610965487383a27ca6434abb2a41d3fb6447ee0cf
SHA3-384 hash: 90da06c66d23f4ce74095298b6507df88e4fa1ffdbd5007df83fba823b2b3ae98b833bd3fed957dfbe4415764a2d7f29
SHA1 hash: 266d6a85ee7710af7aa332073c60f7f20ea99fb4
MD5 hash: f73357e33004df738b81c40201dfeb57
humanhash: harry-freddie-oranges-charlie
File name:BIDAKIS DOO PONUDA PROIZVODA.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:208'600 bytes
First seen:2020-10-08 12:51:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:MBd7+9ln46KvZ7ZbZ7Z6Z7ZbZ7Z6Z7ZbZ7Z6Z7ZbZ7Z6Z7ZbZ7Z6Z7ZbZ7Z6Z7Zt:MBdxJ
Threatray 459 similar samples on MalwareBazaar
TLSH BD146F019292D414ECBB5BB1E8E98DF80A767DA7E870E52F07003EACB6B3580557375B
Reporter abuse_ch
Tags:AveMariaRAT exe RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69242/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a custom TCP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485452
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295273 Sample: BIDAKIS DOO PONUDA PROIZVODA.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 10 other signatures 2->64 7 BIDAKIS DOO PONUDA PROIZVODA.exe 18 4 2->7         started        12 BIDAKIS DOO PONUDA PROIZVODA.exe 2->12         started        14 BIDAKIS DOO PONUDA PROIZVODA.exe 2->14         started        16 3 other processes 2->16 process3 dnsIp4 54 pastebin.com 104.23.99.190, 443, 49732, 49747 CLOUDFLARENETUS United States 7->54 46 C:\Users\...\BIDAKIS DOO PONUDA PROIZVODA.exe, PE32 7->46 dropped 48 BIDAKIS DOO PONUDA...exe:Zone.Identifier, ASCII 7->48 dropped 70 Creates an undocumented autostart registry key 7->70 72 Hides threads from debuggers 7->72 74 Injects a PE file into a foreign processes 7->74 18 BIDAKIS DOO PONUDA PROIZVODA.exe 3 2 7->18         started        22 WerFault.exe 23 9 7->22         started        24 timeout.exe 1 7->24         started        76 Creates autostart registry keys with suspicious names 12->76 78 Creates multiple autostart registry keys 12->78 80 Allocates memory in foreign processes 12->80 26 timeout.exe 14->26         started        56 104.23.98.190, 443, 49741, 49742 CLOUDFLARENETUS United States 16->56 28 timeout.exe 1 16->28         started        30 timeout.exe 16->30         started        32 timeout.exe 16->32         started        34 4 other processes 16->34 file5 signatures6 process7 dnsIp8 50 178.170.138.163, 4554, 49733 ETOP-ASPL Netherlands 18->50 66 Increases the number of concurrent connection per server for Internet Explorer 18->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->68 52 192.168.2.1 unknown unknown 22->52 36 conhost.exe 24->36         started        38 conhost.exe 26->38         started        40 conhost.exe 28->40         started        42 conhost.exe 30->42         started        44 conhost.exe 32->44         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de966245d2120df80add0bc610965487383a27ca6434abb2a41d3fb6447ee0cf/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 12:34:39 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=32lgeroscig7qcw5bpdbbfsuq44duj6kmq2kxmvedu73mrd64dhq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
15441eeb20d70b9245b9c70958ba8b05ce42d7ee9bd579e975c681084b108e22
AveMariaRAT
27f672cbea21c2a96f66db3d2e2e8b16f4f4fc06ed2abed9df62421c2800379c
AveMariaRAT
622c48a052fbbc1859678ec8a5f604ff9a1a368df282758e60b766c96c2555fb
AveMariaRAT
7370c46c9179d161c378f38edfda3340faf8fa289a75f16e9334279535000970
AveMariaRAT
b09ba0422073d096874e13104b4709f379468dd324eb85dcb84cd112a6609f1b
AveMariaRAT
d0730147283a7764f29031afd0b03018a1f921cbb25f25d4560b126ca31e326b
AveMariaRAT
d30b949fc05b15b611b3fe420b6883062c5bb2b270c769540c48f703a46cbbf3
AveMariaRAT
dfd5ce8b88495b71a5945f5fe2a623103fa3b1f9cfc29eb5120630e3eaec3b69
AveMariaRAT
e0e3ae47b7e48c3c81724d0a63f5f6f8033bb516d97c538ea52349a102a0e1b6
AveMariaRAT
f95f37e58a070a22f391183ebf07c1a0a48c16419a0654981186e6642f6cd2d6
AveMariaRAT
+ 449 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/201008-wsh4edn5ha/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
de966245d2120df80add0bc610965487383a27ca6434abb2a41d3fb6447ee0cf
MD5 hash:
f73357e33004df738b81c40201dfeb57
SHA1 hash:
266d6a85ee7710af7aa332073c60f7f20ea99fb4
Link:
https://www.unpac.me/results/e17cd7b9-0ff3-4c2b-9017-b0f6998ef566/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/de966245d2120df80add0bc610965487383a27ca6434abb2a41d3fb6447ee0cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69242/

Comments