MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df6b12e28602092e6841be50355a76684b5333b236cf9b8441dd73fc1abbf4ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df6b12e28602092e6841be50355a76684b5333b236cf9b8441dd73fc1abbf4ae
SHA3-384 hash: 79ec802d519723b10dafc2a2a801feef0ae1c78d2f3432349e77d5f0fd92dd4157702862a15967f935c4537ea28ddb40
SHA1 hash: ee8ee337bbf0c316d937ab39c474fb44a9c2284f
MD5 hash: d5b0e55b8f079ecb68617895537b90a5
humanhash: uniform-queen-magazine-uranus
File name:DOC1118364.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:623'048 bytes
First seen:2020-09-15 07:09:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:m4MonJCQ0qK69NpmP/zwhh93B4+N4nMMAtbcMIBMXSblAJF:m4dnk09NwMhz3H4MMKMqJF
Threatray 426 similar samples on MalwareBazaar
TLSH 18D4F059C949C6D2FC9A72FC65003340DBB44C1A8A5EA8B737B4BBFDAA711803F57A05
Reporter GovCERT_CH
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/60149/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.20823.10730.18968.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Adding an access-denied ACE
Creating a file
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Setting a keyboard event handler
Creating a file in the %AppData% directory
Deleting a recently created file
Reading critical registry keys
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/466219
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Contains functionality to create processes via WMI
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Creates processes via WMI
Drops script or batch files to the startup folder
Hides threads from debuggers
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 285522 Sample: DOC1118364.exe Startdate: 15/09/2020 Architecture: WINDOWS Score: 100 69 Malicious sample detected (through community Yara rule) 2->69 71 Multi AV Scanner detection for dropped file 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 7 other signatures 2->75 10 DOC1118364.exe 1 2->10         started        14 cmd.exe 2->14         started        process3 file4 59 C:\Users\user\AppData\...\DOC1118364.exe.log, ASCII 10->59 dropped 85 Drops script or batch files to the startup folder 10->85 87 Contains functionality to inject threads in other processes 10->87 89 Contains functionality to steal Chrome passwords or cookies 10->89 91 3 other signatures 10->91 16 DOC1118364.exe 4 8 10->16         started        20 DOC1118364.exe 10->20         started        22 DOC1118364.exe 10->22         started        28 2 other processes 10->28 24 WMIC.exe 14->24         started        26 conhost.exe 14->26         started        signatures5 process6 file7 51 C:\ProgramData\images.exe, PE32 16->51 dropped 53 C:\ProgramData:ApplicationData, PE32 16->53 dropped 55 C:\Users\user\AppData\...\programs.bat:start, ASCII 16->55 dropped 57 2 other malicious files 16->57 dropped 63 Creates files in alternative data streams (ADS) 16->63 65 Increases the number of concurrent connection per server for Internet Explorer 16->65 30 images.exe 1 16->30         started        33 powershell.exe 25 16->33         started        67 Creates processes via WMI 24->67 signatures8 process9 signatures10 93 Multi AV Scanner detection for dropped file 30->93 95 Machine Learning detection for dropped file 30->95 97 Hides threads from debuggers 30->97 35 images.exe 4 30->35         started        39 images.exe 30->39         started        41 conhost.exe 33->41         started        process11 dnsIp12 61 51.143.13.25, 4400, 49718 MICROSOFT-CORP-MSN-AS-BLOCKUS United Kingdom 35->61 77 Tries to steal Mail credentials (via file access) 35->77 79 Writes to foreign memory regions 35->79 81 Allocates memory in foreign processes 35->81 83 2 other signatures 35->83 43 powershell.exe 24 35->43         started        45 cmd.exe 35->45         started        signatures13 process14 process15 47 conhost.exe 43->47         started        49 conhost.exe 45->49         started       
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/df6b12e28602092e6841be50355a76684b5333b236cf9b8441dd73fc1abbf4ae/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-09-14 23:21:27 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=35vrfyugaies42cbxzidkwtwnbfvgm5sg3hzxbcb3vz7ygv36sxa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
02b9bc3c8ac2cea4764860f49e6be78b8fad956c7bbf28d4260671bb5260568d
AveMariaRAT
37d250d71a687db0e2c094fd5932bd32a6198a94b86553580d495cbb592d0f96
AveMariaRAT
578df50c34d2f8f3146e5c4a457c4e9eac639070d3766ba202c84af6a790d4a7
AveMariaRAT
885c0db8dce61efe0b93c41f8eaf4e42f0180ba4b9045d8ca6978298d81bebec
AveMariaRAT
8c74c79cb7ab3a130b3ad8f31fa7bb79f85bc9788d9e0c60e798f29050c51785
AveMariaRAT
9d71c01a2e63e041ca58886eba792d3fc0c0064198d225f2f0e2e70c6222365c
AveMariaRAT
aec7bb752bfb4fb49d6d363db8393e84a05da72cd3b54a9b368bc43adcd3f08d
AveMariaRAT
c9ce595dbe32bfc8a1e4efab61e6e465400b68ad701dbc7f4eaa0dc3f80bf036
AveMariaRAT
d30b949fc05b15b611b3fe420b6883062c5bb2b270c769540c48f703a46cbbf3
AveMariaRAT
e97d4cbbbb923b04cee8f87235ad15ab83a7cba51984422cdfdcfefa7e81d457
AveMariaRAT
+ 416 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200915-45v487ngds/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
JavaScript code in executable
Adds Run key to start application
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Executes dropped EXE
ServiceHost packer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df6b12e28602092e6841be50355a76684b5333b236cf9b8441dd73fc1abbf4ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar 352c88e20cb88151e685058b23e85c22c7e607f9dbc610a9f091af6018899c70

AveMariaRAT

Executable exe df6b12e28602092e6841be50355a76684b5333b236cf9b8441dd73fc1abbf4ae

(this sample)

  
Dropped by
MD5 227c9b832032b41913ad7cc3878256c7
  
Dropped by
SHA256 352c88e20cb88151e685058b23e85c22c7e607f9dbc610a9f091af6018899c70
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/60149/

Comments