MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ff0d69b30d3e33c6505dda5095ea67ec48d310b853536ae99b915ae965b1e59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ff0d69b30d3e33c6505dda5095ea67ec48d310b853536ae99b915ae965b1e59
SHA3-384 hash: e4242664f5c58d1b264982d8c1d504c2e9b295dbf95b93906bf3b4bbe7b5e30d723ea850026ad3afaea12e7e39248f7b
SHA1 hash: e9da3d9b0972fbee47912b4ab454350924945367
MD5 hash: eab7acd6d1fa1d3190eb8fa3269f678b
humanhash: thirteen-nebraska-hawaii-bakerloo
File name:Ordine R20 T40567, pdf.xz
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:149'149 bytes
First seen:2020-10-27 13:05:17 UTC
Last seen:Never
File type: xz
MIME type:application/x-rar
ssdeep 3072:oa1nBvew1y9T3bM5tfumPvrGQYx0ZLTtvaWNcCb55dDRiwJ+a:XBfy9DQDGmPvKILT8mcU5dzga
TLSH FCE312D27C81510019428F06445F4AB151CF7BA9891D38EB6164AFAFABFCFC53EB24A7
Reporter abuse_ch
Tags:AveMariaRAT nVpn RAT xz


Avatar
abuse_ch
Malspam distributing AveMariaRAT:

HELO: mail.nipponcarsrl.com.ar
Sending IP: 200.114.86.103
From: info@filtertechnics.it
Subject: ***SPAM*** Ordine R20-T40567
Attachment: Ordine R20 T40567, pdf.xz (contains "Ordine R20 T40567, pdf.exe")

AveMariaRAT C2:
graceland777.ddns.net:7773 (185.140.53.129)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-BE
country: BE
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-10-02T20:59:33Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27342.RarHeur.v5.HideExt.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ff0d69b30d3e33c6505dda5095ea67ec48d310b853536ae99b915ae965b1e59/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 08:21:58 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l7ynngzq2prtyzif3wsqsxvgp3ci2milqu2tnluzxek25fs3dzmq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ff0d69b30d3e33c6505dda5095ea67ec48d310b853536ae99b915ae965b1e59

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

xz 5ff0d69b30d3e33c6505dda5095ea67ec48d310b853536ae99b915ae965b1e59

(this sample)

AveMariaRAT

Executable exe 26cb5d17b635e301745c56300a842e86e30bd871bbe945a639b767c75687a579

  
Dropping
MD5 93e962f3c77383ada03169b14273fc62
  
Dropping
AveMariaRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 26cb5d17b635e301745c56300a842e86e30bd871bbe945a639b767c75687a579

Comments