MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a70b579c505fba86c9800eb63ce84bbccdbab86cda95c24020e0b6c319db8d85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 3


SHA256 hash: a70b579c505fba86c9800eb63ce84bbccdbab86cda95c24020e0b6c319db8d85
SHA3-384 hash: b331eeffc5f2719185c22b67583af7e91eab4cc4d53f9ddb72b1b3938bbc73fab5f99f5a4b99816ba511417630db2dbb
SHA1 hash: a3b9ae2286070760c1537754f34739f1254bca1b
MD5 hash: 97c11590597ce14be912305ba2f80192
humanhash: glucose-spring-jupiter-magazine
File name: Performa Invoice.img
Signature: AveMariaRAT
File size: 1'245'184 bytes
First seen: 2020-07-09 12:14:07 UTC
Last seen: Never
File type: img
MIME type: application/x-iso9660-image
ssdeep: 6144:+/tGKQ+ufstR4lkW3/HSlP/C0RvaOTpTmDulCmhL9J0l68iGgl3R:+gPOzW3eZacTaulCSRO63
TLSH: 7545F1F973AC0F22FA744BF4593454804FF9781B14A6E66EBD8C20CA2B71F945A54A33
Reporter: abuse_ch
Tags: AveMariaRAT img nVpn RAT


abuse_ch
Malspam distributing AveMariaRAT:

HELO: hwsrv-749673.hostwindsdns.com
Sending IP: 192.236.193.181
From: sales_dept@bmgt.com
Subject: As you specified
Attachment: Performa Invoice.img (contains "Performa Invoice.exe")

AveMariaRAT C2:
mitty.ultraddns.com:1994 (91.193.75.54)

Pointing to nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
country: EU
admin-c: KA7109-RIPE
tech-c: KA7109-RIPE
org: ORG-KHd1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: KGB-MNT
mnt-routes: KGB-MNT
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2020-06-12T19:27:12Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 70
Origin country: n/a

Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Masslogger
Status: Malicious
First seen: 2020-07-09 12:16:07 UTC
AV detection: 14 of 29 (48.28%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AveMariaRAT
  img a70b579c505fba86c9800eb63ce84bbccdbab86cda95c24020e0b6c319db8d85 (this sample)
  Dropping AveMariaRAT

Delivery method: Distributed via e-mail attachment

Comments