MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d57c3d6e33edb58a5552013f71e76758f25f690e62707ebb26a9e34159269cfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d57c3d6e33edb58a5552013f71e76758f25f690e62707ebb26a9e34159269cfc
SHA3-384 hash: 43048ceed91843d5e44d554a6b0cca19fbf614a499a640b60330b11c1c44a9674195ad321e84a25676c0470f007837fa
SHA1 hash: fb8c92bb40ff628df8a38d001cef3ae8eceb2838
MD5 hash: 1afdcab5c561f512ac2097fc189fc2b3
humanhash: bulldog-mockingbird-butter-delta
File name:New order 090FjEl5Bj836ZH.zip
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:263'750 bytes
First seen:2020-08-05 08:35:29 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 6144:EqeJ+p50cQUCU38VMQM6NZSFwJlHUU5w/EBN33:EqeJSWTU3JQEUs/a33
TLSH 984423C19537121B233E62AFA0D2BB9D7932A64D33A061F4696CBB420456DE3B11B74F
Reporter abuse_ch
Tags:AveMariaRAT nVpn RAT zip


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: ganadorme.com
Sending IP: 80.85.157.189
From: Ken - Ganadorme Intl ltd <Sales@ganadorme.com>
Subject: New requirments / Inquuiry Sales Order specs 7402 istanbul bound consignee
Attachment: New order 090FjEl5Bj836ZH.zip (contains "New order 090FjEl5Bj836ZH.exe")

AveMairaRAT C2:
bar2020.ddns.net:5757 (79.134.225.5)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d57c3d6e33edb58a5552013f71e76758f25f690e62707ebb26a9e34159269cfc/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 08:37:05 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2v6d23rt5w2yuvksae7xdz3hldzf62iomjyh5ozgvhrucwjgtt6a._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d57c3d6e33edb58a5552013f71e76758f25f690e62707ebb26a9e34159269cfc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

zip d57c3d6e33edb58a5552013f71e76758f25f690e62707ebb26a9e34159269cfc

(this sample)

AveMariaRAT

Executable exe de4c58d6778afedc71c7df851b18de746b45829a4370cf28a64094a0ac27ef6b

  
Dropping
MD5 5f280ba0026bcb36c9c165d3a2f9593e
  
Dropping
AveMariaRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 de4c58d6778afedc71c7df851b18de746b45829a4370cf28a64094a0ac27ef6b

Comments