MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df70b7f1c190951daadb981dddb42d7e7ace1d6cba158dbfa983035398ef61aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: df70b7f1c190951daadb981dddb42d7e7ace1d6cba158dbfa983035398ef61aa
SHA3-384 hash: 7f7dada9b9e8137b2ef22038ce20b3c62483c07dfba08acaff587d011864cba5f830acc5f0c89dfbd419f8f519423ef2
SHA1 hash: 27a89f3e6a0f6e472f144c8bb52948245171c6f9
MD5 hash: 54ed627847f3f9b113c1651e52433637
humanhash: december-solar-hamper-single
File name: Pdf.exe
Signature: AveMariaRAT
File size: 1'398'272 bytes
First seen: 2020-06-16 13:51:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9222d372923baed7aa9dfa28449a94ea
ssdeep: 24576:CqAHnh+eWsN3skA4RV1Hom2KXMmHaT+t4Nt75HksQU:C9h+ZkldoPK8YaT+tWHksQU
TLSH: 4655AF42B391C075FEA793B34A66F61001BD3D6D4573C11F22A83D3A7BB22A2157EA53
Reporter: @abuse_ch
Tags: AveMariaRAT exe RAT
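Before acting on an entry like this one, a practitioner normally confirms that the file in hand is really the sample described, and checks every published digest rather than SHA256 alone: agreement on one algorithm with disagreement on another points at a transcription error or an altered record rather than a different file. The script below is an added example, not MalwareBazaar's own code; it uses only the Python standard library. The expected digests and file size are copied from the entry above; the bytes used when no path is given are a constructed placeholder (the real file is not shipped with this page), so they are expected to mismatch on every field.

```python
"""Check a candidate file against the hashes listed in this MalwareBazaar entry.

Added example; not MalwareBazaar's own code. Standard library only.
ENTRY_HASHES and ENTRY_SIZE are copied from the entry. The fallback input in
the __main__ block is a CONSTRUCTED byte string, not the Pdf.exe sample.
"""
import hashlib
import sys
from typing import Dict, List, Optional

ENTRY_HASHES: Dict[str, str] = {
    "sha256": "df70b7f1c190951daadb981dddb42d7e7ace1d6cba158dbfa983035398ef61aa",
    "sha3_384": "7f7dada9b9e8137b2ef22038ce20b3c62483c07dfba08acaff587d011864cba5f830acc5f0c89dfbd419f8f519423ef2",
    "sha1": "27a89f3e6a0f6e472f144c8bb52948245171c6f9",
    "md5": "54ed627847f3f9b113c1651e52433637",
}
ENTRY_SIZE = 1_398_272  # bytes, from the entry


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Lowercase hex digests for the four algorithms the entry publishes.

    hashlib.sha3_384 is the SHA-3 family member MalwareBazaar lists; it is
    a different function from SHA-384 (SHA-2) despite the similar name.
    """
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_sample(data: bytes,
                  expected: Dict[str, str] = ENTRY_HASHES,
                  size: Optional[int] = ENTRY_SIZE) -> List[str]:
    """Return the names of the fields that do NOT match; [] means a full match.

    Expected digests are normalised to lowercase so values pasted from
    uppercase-rendering tools still compare equal. The file size is checked
    too, because two digests of a different length file cannot both collide.
    """
    actual = compute_hashes(data)
    mismatches = [name for name, digest in expected.items()
                  if actual.get(name) != digest.strip().lower()]
    if size is not None and len(data) != size:
        mismatches.append("size")
    return mismatches


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        # Constructed placeholder, deliberately not the real sample.
        blob = b"constructed placeholder, not the Pdf.exe sample"
    bad = verify_sample(blob)
    print("MATCH: file is the sample in this entry" if not bad
          else "MISMATCH on: " + ", ".join(bad))
```

Run it as `python verify_entry.py path/to/candidate.bin`; an empty mismatch list means the file is the one this entry describes. imphash, ssdeep and TLSH are not covered here because they need third-party libraries (pefile, ssdeep, py-tlsh) and, being similarity hashes, they answer a different question from exact identity.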


Twitter (@abuse_ch):

AveMariaRAT C2:
u871246.nvpn.to:9419 (194.5.98.234)

Hosted on nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.98.0 - 194.5.98.255
netname: Privacy_Online
descr: Longyearbyen, Svalbard und Jan Mayen
country: SJ
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-04-26T16:42:54Z
last-modified: 2020-03-13T23:11:55Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 28
Origin country: US

Mail intelligence
No data

Vendor Threat Intelligence
Threat name: Win32.Hacktool.Binder
Status: Malicious
First seen: 2020-06-16 13:53:04 UTC
AV detection: 30 of 31 (96.77%)
Threat level: 1/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence

Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious use of SetThreadContext
Adds Run entry to start application
Loads dropped DLL
Drops startup file
Executes dropped EXE
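The Behaviour list above ("Adds Run entry to start application", "Drops startup file") and the C2 reported in the @abuse_ch post earlier on this page (u871246.nvpn.to:9419, 194.5.98.234) are the indicators an analyst would hunt for on an endpoint suspected of running this sample. The script below is an added example, not code from MalwareBazaar, the sandbox vendor or @abuse_ch: it runs those indicators over host telemetry shaped like Sysmon events (Event ID 13 RegistryEvent, 11 FileCreate, 3 NetworkConnect, using Sysmon's real field names). The event records are constructed for the example; none of them is real telemetry from this sample, and the registry SID, user name and paths are made up.

```python
"""Triage host telemetry against the behaviours and C2 listed in this entry.

Added example; not MalwareBazaar's, the sandbox vendor's or @abuse_ch's code.
Indicators come from the entry: the Behaviour lines "Adds Run entry to start
application" and "Drops startup file", and the C2 u871246.nvpn.to:9419
(194.5.98.234) from the @abuse_ch post. SAMPLE_EVENTS are CONSTRUCTED dicts
using Sysmon field names; no real telemetry from this sample is used.
"""
import re
from typing import Iterable, List, Tuple

C2_HOSTS = {"u871246.nvpn.to", "194.5.98.234"}
C2_PORT = 9419

# ...\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce, as Sysmon
# renders registry paths (HKLM, HKU\<SID> and Wow6432Node variants all match).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
                        re.IGNORECASE)
# Per-user and all-users Startup folders share this path suffix.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def is_run_key(target_object: str) -> bool:
    """True for a value written under a Run/RunOnce key."""
    return bool(RUN_KEY_RE.search(target_object or ""))


def is_startup_file(path: str) -> bool:
    """True for a file created inside a Startup folder."""
    return bool(STARTUP_DIR_RE.search(path or ""))


def is_c2_connection(dst_ip: str, dst_host: str, dst_port) -> bool:
    """True if the destination is the entry's C2 host or IP on port 9419."""
    host_hit = (dst_ip or "") in C2_HOSTS or (dst_host or "").lower() in C2_HOSTS
    try:
        return host_hit and int(dst_port) == C2_PORT
    except (TypeError, ValueError):
        return False


def triage(events: Iterable[dict]) -> List[Tuple[int, str, str]]:
    """Return (EventID, reason, Image) for each event matching an indicator."""
    hits = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == 13 and is_run_key(ev.get("TargetObject")):
            hits.append((13, "run_key_persistence", image))
        elif eid == 11 and is_startup_file(ev.get("TargetFilename")):
            hits.append((11, "startup_folder_drop", image))
        elif eid == 3 and is_c2_connection(ev.get("DestinationIp"),
                                           ev.get("DestinationHostname"),
                                           ev.get("DestinationPort")):
            hits.append((3, "known_c2_connection", image))
    return hits


# Constructed events: three that should fire and three benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\Downloads\Pdf.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Pdf",
     "Details": r"C:\Users\user\AppData\Roaming\Pdf.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\W32Time\Parameters\NtpServer",
     "Details": "time.windows.com"},
    {"EventID": 11, "Image": r"C:\Users\user\Downloads\Pdf.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\Pdf.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\user\Documents\notes.txt"},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Roaming\Pdf.exe",
     "DestinationIp": "194.5.98.234", "DestinationPort": 9419,
     "DestinationHostname": "u871246.nvpn.to"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443,
     "DestinationHostname": ""},
]

if __name__ == "__main__":
    for eid, reason, image in triage(SAMPLE_EVENTS):
        print(f"EventID {eid:2d}  {reason:22s}  {image}")
```

Two caveats a practitioner should keep in mind. Writing a Run value or a Startup-folder file is also what legitimate installers do, so those two hits are triage leads that need the Image and Details fields read, not a verdict on their own. The C2 is a dynamic DNS name on nVpn first seen in June 2020, so the IP is perishable; where DNS or proxy telemetry is available, the hostname is the more durable indicator of the two.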

Yara Signatures


Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; detect CobaltStrike used by different APT groups

Rule name: Codoso_Gh0st_1
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name: Codoso_Gh0st_2
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name: Malware_QA_update
Author: Florian Roth
Description: VT Research QA uploaded malware - file update.exe
Reference: VT Research QA

Rule name: MAL_Envrial_Jan18_1
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name: win_ave_maria_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_malumpos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: AveMariaRAT, Executable exe df70b7f1c190951daadb981dddb42d7e7ace1d6cba158dbfa983035398ef61aa (this sample)

Delivery method: Distributed via e-mail attachment
