MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0b9f076b033271dd497a1c9e9bcc7de3116c165876ffdac2119d4b952ad8254. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 7

SHA256 hash: e0b9f076b033271dd497a1c9e9bcc7de3116c165876ffdac2119d4b952ad8254
SHA3-384 hash: c6c3d7f1d85d53cc6105b8740b2c53f66f7964391d52a5c2d54d83498934c4f131b430ab653c5ceff232971fc2f42139
SHA1 hash: b9e7f910055aeb692bb55e01650cc9b46e88d45c
MD5 hash: fa7d1f9af9babb3db11c65ff9703a920
humanhash: iowa-island-edward-london
File name: HSBC-0419.exe
Signature: AveMariaRAT
File size: 477'184 bytes
First seen: 2020-11-05 09:40:46 UTC
Last seen: 2020-11-05 11:52:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 6144:4OaKNg0yUzYCo3eefjITHqpDKRHUSnptF:4OatJYYCKeeL+qnoptF
Threatray: 101 similar samples on MalwareBazaar
TLSH: 9BA49F23A82D84BADF39533D00154CC5A1F51D8D26C9B61A53B9BE3CC93C9265E1FE2E
Reporter: abuse_ch
Tags: AveMariaRAT exe HSBC


abuse_ch
Malspam distributing unidentified malware:

HELO: internet.pacifik.cl
Sending IP: 190.121.26.139
From: Westpac <account@ptssyndicate.com>
Subject: Incoming Payment Notification - HSBC
Attachment: HSBC-0419.iso (contains "HSBC-0419.exe")

Intelligence


File Origin
# of uploads: 2
# of downloads: 89
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AveMaria
Detection: malicious
Classification: troj
Score: 69 / 100
Signature
.NET source code contains very large array initializations
Contains functionality to hide user accounts
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Yara detected AveMaria stealer
Behaviour
Behavior Graph (ID 309706, Sample: HSBC-0419.exe, Startdate: 05/11/2020, Architecture: WINDOWS, Score: 69)

Top-level signatures:
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Yara detected AveMaria stealer
  5 other signatures

Process tree:
  HSBC-0419.exe (started)
    dropped: C:\Users\user\AppData\Roaming\r3ds (PE32)
    dropped: C:\Users\user\...\r3ds:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\...\HSBC-0419.exe.log (ASCII)
    dropped: C:\Users\user\AppData\Local\...\mscorsvw.exe (PE32)
    cmd.exe (started)
      reg.exe (started) - signature: Creates an autostart registry key pointing to binary in C:\Windows
      conhost.exe (started)
  pcalua.exe (started)
  pcalua.exe (started)
  OpenWith.exe (started)
Threat name: ByteCode-MSIL.Spyware.AveMaria
Status: Malicious
First seen: 2020-11-05 04:11:18 UTC
File Type: PE (.Net Exe)
Extracted files: 20
AV detection: 23 of 29 (79.31%)
Threat level: 2/5

Result
Malware family: n/a
Score: 7/10
Tags: agilenet persistence
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Obfuscated with Agile.Net obfuscator
Unpacked files
SHA256 hash: e0b9f076b033271dd497a1c9e9bcc7de3116c165876ffdac2119d4b952ad8254
MD5 hash: fa7d1f9af9babb3db11c65ff9703a920
SHA1 hash: b9e7f910055aeb692bb55e01650cc9b46e88d45c
SHA256 hash: 021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546
MD5 hash: ad9fd1564dd1c6be54747e84444b8f55
SHA1 hash: 001495af4af443265200340a08b5e07dc2a32553
Parent samples:
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by (MD5): c32dc959939ee25ab1a3a9d997b1d1fd
  AveMariaRAT: Executable exe e0b9f076b033271dd497a1c9e9bcc7de3116c165876ffdac2119d4b952ad8254 (this sample)

Delivery method: Distributed via e-mail attachment