MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b0ea27d408228d78f3fcc24d21029def84ac27803f89b9015c44f1056da111f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 4b0ea27d408228d78f3fcc24d21029def84ac27803f89b9015c44f1056da111f
SHA3-384 hash: b43708485ef250869523c63b915b1208264cbb58d25c9fcc076e10a14e8b21fb19e8150fa23166a0593f4ab734c3c880
SHA1 hash: 233423b9927d8b12c302932a6f4c8a23d95965ae
MD5 hash: a30f4d30409a9b0c47cce9e5c476bd07
humanhash: oregon-july-wisconsin-aspen
File name: INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.gz
Signature: AveMariaRAT
File size: 194'910 bytes
First seen: 2020-06-30 13:30:59 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 3072:bTEdwblswRCPV4r0hxDh5PIQRUM3vBvtsys4Q9gOMk0h1o01F3LZ:bAm1CPir2XPIQRP3ZWyI9gR1o0T9
TLSH: 5D1423E63CAD4F0EA262B44506551C2F6A0677DBB1F643CD93F0A74EBF550686C05C6C
Reporter: @abuse_ch
Tags: AveMariaRAT gz nVpn RAT


Twitter (@abuse_ch):
Malspam distributing AveMariaRAT:

HELO: mail.bgesoaeg.ml
Sending IP: 192.227.121.237
From: david@bgesoaeg.ml
Subject: Transfer Remittance 174144 FX Advices Ref:0889
Attachment: INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.gz (contains "INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe")

AveMariaRAT C2:
91.193.75.66:2035

Hosted on nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
country: EU
admin-c: KA7109-RIPE
tech-c: KA7109-RIPE
org: ORG-KHd1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: KGB-MNT
mnt-routes: KGB-MNT
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2020-06-12T19:27:12Z
source: RIPE

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 43
Origin country: FR
ClamAV: SecuriteInfo.com.Generic-EXE.UNOFFICIAL
CERT.PL MWDB: Detection: n/a
Link: https://mwdb.cert.pl/sample/4b0ea27d408228d78f3fcc24d21029def84ac27803f89b9015c44f1056da111f/
ReversingLabs: Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Agensla
First seen: 2020-06-30 13:32:07 UTC
AV detection: 24 of 48 (50.00%)
Threat level: 2/5
Spamhaus Hash Blocklist: Malicious file
VirusTotal: No data

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam -> AveMariaRAT -> zip 4b0ea27d408228d78f3fcc24d21029def84ac27803f89b9015c44f1056da111f (this sample) -> Dropping AveMariaRAT

Delivery method: Distributed via e-mail attachment

Comments