MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 9989f56522f74833b209e3db7b0d44420bea16890a7b48e9e70d66221e9cd0db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AveMariaRAT
Vendor detections: 3
| SHA256 hash: | 9989f56522f74833b209e3db7b0d44420bea16890a7b48e9e70d66221e9cd0db |
|---|---|
| SHA3-384 hash: | e55bb5618a20842ac59c73e81dfb48766cddfdadcc61388a87a992cbfe618cf9055bb37c6e2a2de54daea3cff8cbcb8b |
| SHA1 hash: | d9ccf2ae2e32ac546060df488d81faff2d714d56 |
| MD5 hash: | 404a3e292a15a44240636fb66bb69d38 |
| humanhash: | cup-whiskey-pennsylvania-coffee |
| File name: | Revised DWG original copy for confirmation.cab |
| Signature | AveMariaRAT |
| File size: | 286'263 bytes |
| First seen: | 2020-07-29 07:48:11 UTC |
| Last seen: | Never |
| File type: | cab |
| MIME type: | application/vnd.ms-cab-compressed |
| ssdeep | 6144:7K1JYgUjr90hvwalNK87y8EHG1KibAaxvnxWJ:7KzYg+5GLKsSaxvsJ |
| TLSH | F85423DD059802B12067D9B662C41B31D93C74821532FDE29E5AFEA9E7363F4A8DC43D |
| Reporter: | abuse_ch |
| Tags: | AveMariaRAT cab nVpn RAT |
Malspam distributing unidentified malware:
HELO: mgrenewables.ge
Sending IP: 45.137.22.87
From: sales <lopota@mgrenewables.ge>
Subject: Revised DWG original copy for confirmation
Attachment: Revised DWG original copy for confirmation.cab (contains "Revised DWG original copy for confirmation.exe")
Unknown RAT C2:
bestgrace.mywire.org:2442 (185.165.153.203)
Pointing to nVpn:
% Information related to '185.165.153.0 - 185.165.153.255'
% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'
inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU2
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-28T20:37:37Z
source: RIPE
Intelligence
File Origin
# of uploads: 1
# of downloads: 65
Origin country: n/a
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Spyware.BtcWare
Status: Malicious
First seen: 2020-07-29 07:50:07 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 2/5
Detection(s): Suspicious file
File information
The table below shows additional information about this malware sample such as delivery method and external references.
| Malspam | Delivery method | Distributed via e-mail attachment |
|---|---|---|