MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 885c0db8dce61efe0b93c41f8eaf4e42f0180ba4b9045d8ca6978298d81bebec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 885c0db8dce61efe0b93c41f8eaf4e42f0180ba4b9045d8ca6978298d81bebec
SHA3-384 hash: beeb9f337f8635c184582eea509006585b4438390fbb019525d77bc1bd3fdd066eb89abe08a7977f720fbc820f3fd737
SHA1 hash: 292ac8c75a35f04e86b021e6ca3b284eb27fa870
MD5 hash: ac9fa9d4866f1ac20a24463942ea7189
humanhash: robin-jupiter-comet-violet
File name: GRP Production drawing Order confrimation 0022.exe
Signature: AveMariaRAT
File size: 264'192 bytes
First seen: 2020-06-30 06:26:48 UTC
Last seen: 2020-07-06 07:07:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:iXpcKvbhNMuHkgkoGEpN9n6xMxRqSHjCjVsSDC:iXpcKvbDHkVofbxMUqS+Z9DC
TLSH: 0144F135B3A98B56CABEDBB690B050240F77AD1B6530E71D6D50A4CB1AB3B408710F63
Reporter: @abuse_ch
Tags: AveMariaRAT exe nVpn RAT


Twitter
@abuse_ch
Malspam distributing unidentified malware:

HELO: sip2-191.nexcess.net
Sending IP: 104.207.255.156
From: Mr. Sarin GRP Industries <file2@proferrin.com>
Subject: Standard Terms and Conditions of Sales and Warranty.
Attachment: GRP Production drawing Order confrimation 0022.rar (contains "GRP Production drawing Order confrimation 0022.exe")

Unknown RAT C2:
anandseamless.ddns.net:7788 (194.5.97.110)

Pointing to nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.97.0 - 194.5.97.255
netname: Privacy_Online
remarks: ------------------------------------------------------------------------
remarks: This prefix is used by a non-logging VPN service provider.
remarks: We don't log any user activities.
remarks: We don't host anything else on our servers than VPN software (OpenVPN,
remarks: IKEv1 & 2, WireGuard ...).
remarks: Our customers can open up to 8 Ports (TCP & UDP).
remarks: We support the Tor Project: https://www.torproject.org
remarks: Before sending us potential complaints, please read:
remarks: https://www.torservers.net/abuse.html
remarks:
remarks: We are under constant pressure by Spamhaus.
remarks: Spamhaus issues tons of fake SBL listings in order to destroy our service.
remarks: They use fake identities, violate EU laws and hide outside the EU in
remarks: Andorra to avoid legal consequences.
remarks: Please don't trust this organization.
remarks: If you have any questions related to our service, please contact us
remarks: directly via e-mail: support@inter-cloud.tech
remarks:
remarks: Thank you.
remarks: ------------------------------------------------------------------------
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
country: RU
status: SUB-ALLOCATED PA
mnt-by: inter-cloud-mnt
created: 2018-07-23T09:31:45Z
last-modified: 2020-03-10T21:27:32Z
source: RIPE
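The report above gives a complete delivery-and-callback chain: a sending IP and sender domain, an attachment name, a DDNS C2 hostname resolving to an IP:port inside a VPN provider's /24. The script below is an added example (not part of the MalwareBazaar page or the @abuse_ch report) that turns those indicators into a small matcher and runs it over a few constructed log lines. The `type=... key=value` log format and the log lines themselves are assumptions made for the demo; the indicator values are the ones quoted above. Hits on the exact hostname, IP:port, sender IP, sender domain or attachment name are rated high; a destination merely inside 194.5.97.0/24 is rated low, because that prefix is shared VPN infrastructure and not by itself evidence of this RAT.

```python
import ipaddress
import re

# Indicators copied from the @abuse_ch report on this page.
C2_HOST = "anandseamless.ddns.net"
C2_IP = "194.5.97.110"
C2_PORT = "7788"
SENDER_IP = "104.207.255.156"
SENDER_DOMAIN = "proferrin.com"
ATTACHMENT = "GRP Production drawing Order confrimation 0022.rar"
# Whole prefix from the RIPE record; shared VPN range, so only a weak signal.
VPN_PREFIX = ipaddress.ip_network("194.5.97.0/24")

# Assumed log format for the demo: space-separated key=value pairs,
# values optionally double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split one log line into a dict of fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(line):
    """Return (confidence, reason) if the line touches an indicator, else None."""
    f = parse_kv(line)
    kind = f.get("type")
    if kind == "dns":
        # Normalise case and a trailing dot so FQDN-style logs still match.
        if f.get("query", "").lower().rstrip(".") == C2_HOST:
            return ("high", "DNS lookup of C2 hostname")
    elif kind == "flow":
        dst = f.get("dst", "")
        if dst == C2_IP and f.get("dport") == C2_PORT:
            return ("high", "connection to C2 IP:port")
        try:
            if ipaddress.ip_address(dst) in VPN_PREFIX:
                return ("low", "destination inside nVpn prefix 194.5.97.0/24")
        except ValueError:  # malformed or missing dst field
            pass
    elif kind == "mail":
        if f.get("src") == SENDER_IP:
            return ("high", "mail from sending IP in report")
        if f.get("from", "").lower().endswith("@" + SENDER_DOMAIN):
            return ("high", "sender domain from report")
        if f.get("attachment") == ATTACHMENT:
            return ("high", "attachment name from report")
    return None


def scan(lines):
    """Run classify() over every line; return [(line_no, confidence, reason)]."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((n, result[0], result[1]))
    return hits


# Constructed sample log (not real traffic): one full infection chain, one
# unrelated connection into the VPN prefix, and two benign lines.
SAMPLE_LOG = [
    'type=mail src=104.207.255.156 from="file2@proferrin.com" '
    'attachment="GRP Production drawing Order confrimation 0022.rar"',
    "type=dns client=10.0.0.23 query=anandseamless.ddns.net",
    "type=flow src=10.0.0.23 dst=194.5.97.110 dport=7788",
    "type=flow src=10.0.0.23 dst=194.5.97.42 dport=443",
    "type=dns client=10.0.0.5 query=www.example.com",
    "type=flow src=10.0.0.5 dst=93.184.216.34 dport=443",
]

if __name__ == "__main__":
    for n, conf, reason in scan(SAMPLE_LOG):
        print(f"line {n}: [{conf}] {reason}")
```

Only exact indicators are rated high; treat the /24 match as a pivot to investigate, not an alert on its own, since the provider advertises the range as general-purpose VPN egress.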

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 2
# of downloads: 31
Origin country: US
CAPE Sandbox Detection: WarzoneRAT
Link: https://www.capesandbox.com/analysis/16819/
ClamAV: SecuriteInfo.com.Generic-EXE.UNOFFICIAL
CERT.PL MWDB Detection: avemaria
Link: https://mwdb.cert.pl/sample/885c0db8dce61efe0b93c41f8eaf4e42f0180ba4b9045d8ca6978298d81bebec/
ReversingLabs Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Agensla
First seen: 2020-06-30 04:46:20 UTC
AV detection: 22 of 31 (70.97%)
Threat level: 2/5
Spamhaus Hash Blocklist: Suspicious file
Hatching Triage Score: 7/10
Malware Family: n/a
Link: https://tria.ge/reports/200630-rfrvh5yaxs/
Tags: spyware
VirusTotal: Virustotal results 10.96%

Yara Signatures


Rule name:Cobalt_functions
Author:@j0sm1
Description: Detects functions coded with ROR edi,D; detects CobaltStrike used by different APT groups
Rule name:Codoso_Gh0st_1
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:win_ave_maria_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_ave_maria_g0
Author:Slavo Greminger, SWITCH-CERT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: MD5 a3b8951243e4062f295a0e2c3f30e8b9
This sample: Executable exe 885c0db8dce61efe0b93c41f8eaf4e42f0180ba4b9045d8ca6978298d81bebec (AveMariaRAT)
Delivery method: Distributed via e-mail attachment
