MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37d250d71a687db0e2c094fd5932bd32a6198a94b86553580d495cbb592d0f96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 37d250d71a687db0e2c094fd5932bd32a6198a94b86553580d495cbb592d0f96
SHA3-384 hash: fa793f00826ffd9cfbaea2809f88b95a1769eacffeef4d0c7c1e353e98ad60d78832f78362c7c41afe36419dfdaf0a14
SHA1 hash: 4b8c9a275dcf3992839703a95d03e3acb75ac5a5
MD5 hash: 05865820025c38359bb2f51c1e6a5ce6
humanhash: texas-pip-lemon-foxtrot
File name: Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
Signature: AveMariaRAT
File size: 264'192 bytes
First seen: 2020-06-30 06:40:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:Bv2S5ZAwL4dmRKgMLfBUCTcDvDnkHHHjCjVsSDC:Bv2S5ZrLdRPMLS0HH+Z9DC
TLSH: 6644F136A7B89B26D9FE9BB9447010111FF57C072530E21EAEA476CA1DB7B409721F23
Reporter: @abuse_ch
Tags: AveMariaRAT exe nVpn RAT


Twitter
@abuse_ch
Malspam distributing AveMariaRAT:

HELO: [185.234.219.109]
Sending IP: 185.234.219.109
From: Eng. Mejanur Rahman <info@cae-bd.com>
Subject: 58 (iv) Qty 45,000 KG (CuZn 30)
Attachment: Product Specification 58 iv Qty 45,000 KG CuZn 30.cab (contains "Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe")

AveMariaRAT C2:
caebd.ddns.net:8822 (194.5.98.129)

Pointing to nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.98.0 - 194.5.98.255
netname: Privacy_Online
descr: Longyearbyen, Svalbard und Jan Mayen
country: SJ
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-04-26T16:42:54Z
last-modified: 2020-03-13T23:11:55Z
source: RIPE

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 29
Origin country: FR

CAPE Sandbox Detection: WarzoneRAT
Link: https://www.capesandbox.com/analysis/16837/
ClamAV: SecuriteInfo.com.Generic-EXE.UNOFFICIAL
CERT.PL MWDB Detection: avemaria
Link: https://mwdb.cert.pl/sample/37d250d71a687db0e2c094fd5932bd32a6198a94b86553580d495cbb592d0f96/
ReversingLabs:
  Status: Malicious
  Threat name: ByteCode-MSIL.Trojan.Grp
  First seen: 2020-06-30 06:42:05 UTC
  AV detection: 20 of 31 (64.52%)
  Threat level: 2/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage:
  Score: 8/10
  Malware Family: n/a
  Link: https://tria.ge/reports/200630-ndh5bwhppx/
  Tags: persistence spyware
VirusTotal: VirusTotal results 12.50%

Yara Signatures


Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; Detect CobaltStrike used by different APT groups
Rule name: Codoso_Gh0st_1
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name: Codoso_Gh0st_2
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name: MAL_Envrial_Jan18_1
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name: win_ave_maria_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
Rule name: win_malumpos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Relationship: parent file MD5 b2191aa61faca11b38fb912b01bd0cd1 -> AveMariaRAT -> Executable exe 37d250d71a687db0e2c094fd5932bd32a6198a94b86553580d495cbb592d0f96 (this sample)

Dropped by: MD5 b2191aa61faca11b38fb912b01bd0cd1
Delivery method: Distributed via e-mail attachment

Comments