MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8fbdfebce02c75b83f14b5706f8b874435c33d48cc868bf046f13fe3dfad98d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: c8fbdfebce02c75b83f14b5706f8b874435c33d48cc868bf046f13fe3dfad98d
SHA3-384 hash: 25921f2ab7f0d479d73cf7263e60a0f56bf56c5630fe39e6f7f3fc7425899358657ca9c8e91cad708711fabad1c6dcde
SHA1 hash: ee91492d04556958af32986a5f235a4c528c9178
MD5 hash: 0b89e3e11d64e96a9eb841c297c3e795
humanhash: grey-helium-johnny-beryllium
File name: INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
Signature: AveMariaRAT
File size: 228'352 bytes
First seen: 2020-06-30 13:31:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 3072:vVi9wSsUnRsLjSPnwluFn1/mfer5JTjc6HCtek6wo16eCAL3XFZdRhwUMtSwEVoJ:9ilWLan1/mKQ6v/X16Ir9RVvwEVoMJi
TLSH: 2D24F03973B88B66D6F9D7F110B194010FB26D1B7A20E31EAD5865CF1AB3B508211F67
Reporter: @abuse_ch
Tags: AveMariaRAT, exe, nVpn, RAT


Twitter comment by @abuse_ch:
Malspam distributing AveMariaRAT:

HELO: mail.bgesoaeg.ml
Sending IP: 192.227.121.237
From: david@bgesoaeg.ml
Subject: Transfer Remittance 174144 FX Advices Ref:0889
Attachment: INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.gz (contains "INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe")

AveMariaRAT C2:
91.193.75.66:2035

Hosted on nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
country: EU
admin-c: KA7109-RIPE
tech-c: KA7109-RIPE
org: ORG-KHd1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: KGB-MNT
mnt-routes: KGB-MNT
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2020-06-12T19:27:12Z
source: RIPE

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 35
Origin country: FR
CAPE Sandbox Detection: n/a
Link: https://www.capesandbox.com/analysis/17224/
ClamAV: SecuriteInfo.com.Generic-EXE.UNOFFICIAL
CERT.PL MWDB Detection: avemaria
Link: https://mwdb.cert.pl/sample/c8fbdfebce02c75b83f14b5706f8b874435c33d48cc868bf046f13fe3dfad98d/
ReversingLabs Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Agensla
First seen: 2020-06-30 13:32:07 UTC
AV detection: 19 of 30 (63.33%)
Threat level: 2/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage Score: 8/10
Malware Family: n/a
Link: https://tria.ge/reports/200630-32fyp3mbsj/
Tags: persistence, spyware
VirusTotal results: 17.81%

Yara Signatures


Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; detects CobaltStrike used by different APT groups

Rule name: Codoso_Gh0st_1
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name: Codoso_Gh0st_2
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name: MAL_Envrial_Jan18_1
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name: win_ave_maria_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam: AveMariaRAT
Executable exe c8fbdfebce02c75b83f14b5706f8b874435c33d48cc868bf046f13fe3dfad98d (this sample)
Delivery method: Distributed via e-mail attachment

Comments