MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69120c433d9c14e1373990235851fb9456cb856da71e34f79ae2559de8c420df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 3

SHA256 hash: 69120c433d9c14e1373990235851fb9456cb856da71e34f79ae2559de8c420df
SHA3-384 hash: 1c39e0608a7512b88e7ae8c971b5a3c8a495db93ee425528b982b9875a450ea7a0a505c7da65bada4fb101cabb76fe31
SHA1 hash: f81d6e992366cdbd3d3d39721e42167a35217d9f
MD5 hash: 8c8d2f7ce1997f73481aa1b54f3e6306
humanhash: hydrogen-tennessee-avocado-india
File name: Order specification drawing.rar
Signature: AveMariaRAT
File size: 335'045 bytes
First seen: 2021-02-17 13:31:12 UTC
Last seen: Never
File type: rar
MIME type: application/x-rar
ssdeep: 6144:LJZS4Mq5ldMA6P2m3y1j4tnbs22MFPbiGLRHM/db9jhl+qFsohzpYobQBCTfya:NZQq5ldE2/cVbzUdJL+/oh9bbQMTKa
TLSH: 9D64238149562D666688623F173C696447F187764C03E3A728F3074FE35B2F90E272E7
Reporter: abuse_ch
Tags: AveMariaRAT nVpn rar RAT


abuse_ch
Malspam distributing AveMariaRAT:

HELO: llsa987-a17.servidoresdns.net
Sending IP: 82.223.190.28
From: manuel.aviles <manuel.aviles@tecnomed2000.com>
Subject: Request for order quotation
Attachment: Order specification drawing.rar (contains "Zv3r4M6NeJOSoDQ.exe")

AveMariaRAT C2:
iyhto.ddns.net:8044 (194.5.98.26)

Pointing to nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.98.0 - 194.5.98.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-NO
country: NO
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-04-26T16:42:54Z
last-modified: 2020-10-07T21:35:29Z
source: RIPE

Intelligence

File Origin
# of uploads: 1
# of downloads: 110
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: ByteCode-MSIL.Trojan.Taskun
Status: Malicious
First seen: 2021-02-17 13:32:06 UTC
AV detection: 7 of 46 (15.22%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: AveMariaRAT
rar 69120c433d9c14e1373990235851fb9456cb856da71e34f79ae2559de8c420df (this sample)
Dropping: AveMariaRAT

Delivery method: Distributed via e-mail attachment

Comments