MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36350904b065500f429e6b2af0c4a1ec835352fed15cad40f07760aede4fcd47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Locky


Vendor detections: 4



SHA256 hash: 36350904b065500f429e6b2af0c4a1ec835352fed15cad40f07760aede4fcd47
SHA3-384 hash: d08fa73e23d655451c92e1c1c0eed26a933466f8df9919be9a38f97123daf2d17f328dd133a6e0371fda2376fbf70b6f
SHA1 hash: b5ba87561a0454498a7b601ecf7a5827459def5d
MD5 hash: f8dd9bb21344d1b810f334d483c07039
humanhash: mars-two-burger-gee
File name: Cdaavuz.exe
Signature: Locky
File size: 636'418 bytes
First seen: 2020-05-12 08:46:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6fdb6582a7ed7bc3a903f8ac6afaa8b6 (2 x GuLoader, 1 x RemcosRAT, 1 x Locky)
ssdeep: 12288:RUG6PYmeggdMewpidOBelXEUsYYUV+F70RTjwCtoBSiycf:uUmYdMewpiABqE7YYUVFRTjhtyfycf
Threatray: 1'046 similar samples on MalwareBazaar
TLSH: D7D47D63F1D08672D03B1979AC1B9FA859267E213E28A84A7FE43E4C4F77381743A157
Reporter: abuse_ch
Tags: AveMariaRAT exe Locky nVpn RAT


abuse_ch
Malspam distributing AveMariaRAT:

HELO: box.cranny.xyz
Sending IP: 167.172.116.20
From: finance@moneypay.com
Subject: Transaction Info
Attachment: Confirm payment.docm

GuLoader distributing AveMariaRAT

DOCM->GuLoader->AveMariaRAT

AveMariaRAT payload URL:
https://cdn.discordapp.com/attachments/709635566739652668/709635636432207932/Cdaavuz.exe

AveMariaRAT C2:
imagine999.ddns.net:7082 (185.140.53.18)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@FOS-VPN.org'

inetnum: 185.140.53.0 - 185.140.53.255
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: 185.140.53.0/24 belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
country: EU
org: ORG-SL751-RIPE
admin-c: SL12644-RIPE
tech-c: SL12644-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-04-06T18:59:49Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 2'019
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2020-05-12 09:36:35 UTC
File Type: PE (Exe)
Extracted files: 46
AV detection: 24 of 31 (77.42%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: n/a

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Legitimate hosting services abused for malware hosting/C2

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Locky
    Executable exe 36350904b065500f429e6b2af0c4a1ec835352fed15cad40f07760aede4fcd47 (this sample)

Delivery method: Distributed via web download

Comments