MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 563601030d202ab4d9e7890d60ad715915c52f3421add61ac0ebd8301f105db1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 2



SHA256 hash: 563601030d202ab4d9e7890d60ad715915c52f3421add61ac0ebd8301f105db1
SHA3-384 hash: 5c3ae7e2cbd34280243582a8ed824f4f442794698e4eedc0be526a961afff2cb8e988cb2f25c5a575bdac33fc2a6df38
SHA1 hash: aad068b668a4752e6d12252f8ad8973bd5f1f5b5
MD5 hash: 80b72d143d4b70fc8c7dabfef4daca22
humanhash: speaker-hotel-minnesota-cardinal
File name: Payment_Details.img
Signature: AveMariaRAT
File size: 1'245'184 bytes
First seen: 2020-05-24 07:29:33 UTC
Last seen: Never
File type: img
MIME type: application/x-iso9660-image
ssdeep: 6144:efqowCWxrZvjduvkkt+tnSRNnT5UYQvN/7ay2Qo:efqob+ZvJ++tnMNnT5zQvN/Oy
TLSH: 5C45D0283B8C4637C66C097470A1110213F65D6A7B93F386BC9DF2AB17BA3DC0525AE3
Reporter: abuse_ch
Tags: AveMariaRAT Chase img RAT


abuse_ch
Malspam distributing AveMariaRAT:

HELO: slot0.syspostal.pw
Sending IP: 192.119.106.124
From: Chase Bank <postmaster@syspostal.pw>
Subject: Funds has bee Transfered
Attachment: Payment_Details.img (contains "Payment_Details.exe")

AveMariaRAT dropping NanoCore RAT

NanoCore RAT payload URL:
http://mysipro.com/sysaudio.exe

AveMariaRAT C2:
51.89.204.165:52001

NanoCore RAT C2:
216.170.119.19:24980

Intelligence


File Origin
# of uploads: 1
# of downloads: 71
Origin country: n/a
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Agensla
Status: Malicious
First seen: 2020-05-23 19:37:25 UTC
File Type: Binary (Archive)
Extracted files: 5
AV detection: 15 of 31 (48.39%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropping: AveMariaRAT
Delivery method: Distributed via e-mail attachment

Comments