MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb5b36b887116b5aa12cb5609d9d2e132829e325b2c3e16133299696460a0e92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb5b36b887116b5aa12cb5609d9d2e132829e325b2c3e16133299696460a0e92
SHA3-384 hash: 0fc5385d080b1fb29aba2dec9d59bb8193dc2a56c1e981143db108d6ac075f9acc2d3437d91c54f6454e23b021bbaa25
SHA1 hash: c5541a30011d42999fdc795f59d7f985c21b40e9
MD5 hash: 11d648a9d7958bef6921898e130f483d
humanhash: network-ink-early-skylark
File name:BV10013 (Rev A).scr
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:81'920 bytes
First seen:2020-07-31 07:11:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2db883c6c5ead9d3305e3a7b71ba878b (1 x AveMariaRAT)
ssdeep 768:ii4Y2krWDlLMLnUpix4UIL7WFiwDtwc5St7NjyYcS4aF01+DHa:L4Y2kKlgLnVx4UIL7WFpDtwcO7D/6s6
Threatray 701 similar samples on MalwareBazaar
TLSH 87833A12A5E4E633F7A6C1B01F353B9B417B7C3089508E0B659A391F6B7EB46D09431B
Reporter abuse_ch
Tags:AveMariaRAT RAT scr


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: vps.hond-red.xyz
Sending IP: 45.95.169.93
From: info@hond-red.xyz
Reply-To: info@hond-red.xyz
Subject: Quote#CON-071720-EB
Attachment: Templates_RoHS_Rev.zip (contains "BV10013 (Rev A).scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35916/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Launching a service
Launching a process
Unauthorized injection to a recently created process
Setting a single autorun event
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun for a service
Forced shutdown of a system process
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/404707
Signature
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files with a suspicious file extension
Hides threads from debuggers
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 254593 Sample: BV10013 (Rev A).scr Startdate: 31/07/2020 Architecture: WINDOWS Score: 64 51 Yara detected GuLoader 2->51 53 Drops PE files with a suspicious file extension 2->53 55 Contains functionality to hide a thread from the debugger 2->55 8 BV10013 (Rev A).exe 1 2 2->8         started        11 wscript.exe 2->11         started        13 wscript.exe 2->13         started        process3 signatures4 59 Creates autostart registry keys with suspicious values (likely registry only malware) 8->59 61 Hides threads from debuggers 8->61 15 BV10013 (Rev A).exe 4 8->15         started        19 fil.scr 2 11->19         started        21 fil.scr 2 13->21         started        process5 file6 35 C:\Users\user\AppData\Local\Temp\...\fil.scr, PE32 15->35 dropped 37 C:\Users\user\AppData\Local\Temp\...\fil.vbs, ASCII 15->37 dropped 47 Hides threads from debuggers 15->47 23 fil.scr 2 15->23         started        26 fil.scr 7 19->26         started        29 fil.scr 7 21->29         started        signatures7 process8 dnsIp9 57 Hides threads from debuggers 23->57 31 fil.scr 7 23->31         started        39 seedwellresources.xyz 26->39 41 seedwellresources.xyz 29->41 signatures10 process11 dnsIp12 43 192.168.2.1 unknown unknown 31->43 45 seedwellresources.xyz 31->45 49 Hides threads from debuggers 31->49 signatures13
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eb5b36b887116b5aa12cb5609d9d2e132829e325b2c3e16133299696460a0e92/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-07-31 07:13:04 UTC
AV detection:
29 of 48 (60.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5nntnoehcfvvvijmwvqj3hjocmuctyzfwlb6cyjtfgljmrqkb2ja._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
10e5aba7f34c9acff9ff3bd7d959fd719ca6327dc09f5dbdd976167ad6304f9c
AveMariaRAT
1d117728ec260d80f6c6a347c4c32c965c69ff10bd4f08444fc70e82eebb1094
AveMariaRAT
1dfc1867ced521cbf61f7bbe647e8a6e5bdd3a05e22c05dcee20660e236d5812
AveMariaRAT
5c86fcf32d1f15a745dd2f39989630ac310d1aee52af7b5f762f75f8855879ab
AveMariaRAT
99393e1166875494914abf480cc23a76bb52769eea1aa15dc35c9195efc4d28b
AveMariaRAT
9cbe5097d40713390439b736ac90f7ac008db11188a9b8d0ad40fec39d5cff12
AveMariaRAT
bdd1e58d7a15e88b1f6400fa7aff3d021a3b944dde54e0b156b5d90c71e1f553
AveMariaRAT
ccfc389f6dd3e6d9974b6cd4bb2a2efa5eb060f48e784aabd21a723cb58ff063
AveMariaRAT
d7aef406cc623d210aa08b240098e0976b28d745685385b8aee5df41e78e5e4e
AveMariaRAT
ddf6f04276c1d976e62e199e6c928fb7a3d7aaec455a1859f8d8f605c89ffc64
AveMariaRAT
+ 691 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200731-7p7hjcatws/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Modifies service
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies service
Suspicious use of SetThreadContext
Drops file in System32 directory
Adds Run key to start application
Modifies WinLogon
JavaScript code in executable
Modifies WinLogon
JavaScript code in executable
Adds Run key to start application
Reads user/profile data of web browsers
Loads dropped DLL
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Sets DLL path for service in the registry
Executes dropped EXE
Sets DLL path for service in the registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb5b36b887116b5aa12cb5609d9d2e132829e325b2c3e16133299696460a0e92

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip cec48db9ac62885f0543b3bed752b43d62d41e89face0accc085660e81ba5079

AveMariaRAT

Executable exe eb5b36b887116b5aa12cb5609d9d2e132829e325b2c3e16133299696460a0e92

(this sample)

  
Dropped by
MD5 20326a7f6966cd59d980ce2691477412
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35916/
  
Dropped by
SHA256 cec48db9ac62885f0543b3bed752b43d62d41e89face0accc085660e81ba5079

Comments