MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe7dc35391c88f2001b6637186c2fa677bb5f1a08cfdafcfc95a1e1fc2f026a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: fe7dc35391c88f2001b6637186c2fa677bb5f1a08cfdafcfc95a1e1fc2f026a9
SHA3-384 hash: 1099ae20582e2c8768f564ce96a5686885f34fa6e0dec18fbd422f4f181070b2eb33b658365686e9fd9600c8b9e5f98e
SHA1 hash: 8ddbf9383d58c23a93ec8a24ec77a432ec3d63ac
MD5 hash: 3b366485eba8147bf73fc3020d09c947
humanhash: uncle-london-missouri-dakota
File name: Purchase Order and Sample Drawings.exe
Signature: AveMariaRAT
File size: 841'216 bytes
First seen: 2020-06-30 17:57:37 UTC
Last seen: 2020-07-02 14:46:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 51cb4bf20368163b9b5ba9dfae264bd6
ssdeep: 6144:ALks/FExIhrRSckdA+6Rj9eIzkYCHlOdZyadeXIBiN5lbMCZU+08tkDkt8n/YrnJ:ALI6WdA+ACuZO09mJ1
TLSH: 1D05187326826F91C6F74DF0C52EBFDF3D297A519800A076C39E537E48E21A4151CAAB
Reporter: @abuse_ch
Tags: AveMariaRAT exe RAT


Twitter post by @abuse_ch:

Malspam distributing AveMariaRAT:

HELO: gmail.com
Sending IP: 107.173.177.159
From: Harbert Rick <pacificresourceventures@gmail.com>
Reply-To: pacificresourceventures@gmail.com
Subject: Supply Inquiry
Attachment: Purchase Order and Sample Drawings.rar (contains "Purchase Order and Sample Drawings.exe")

AveMariaRAT C2:
chibykewarzonedns.ddns.net:40952 (185.19.85.137)


% Information related to '185.19.84.0 - 185.19.85.255'

% Abuse contact for '185.19.84.0 - 185.19.85.255' is 'abuse@datawire.ch'

inetnum: 185.19.84.0 - 185.19.85.255
netname: DATAWIRE-DATACENTERS
descr: CUSTOMERS ZG01
country: CH
admin-c: DA4314-RIPE
tech-c: DA4314-RIPE
status: ASSIGNED PA
mnt-by: DATAWIRE-NOC
created: 2013-09-23T14:18:55Z
last-modified: 2013-09-23T14:18:55Z
source: RIPE

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 3
# of downloads: 42
Origin country: US

CAPE Sandbox: Detection: WarzoneRAT
Link: https://www.capesandbox.com/analysis/17504/

ClamAV: PUA.Win.Downloader.Aiis-6803892-0

CERT.PL MWDB: Detection: avemaria
Link: https://mwdb.cert.pl/sample/fe7dc35391c88f2001b6637186c2fa677bb5f1a08cfdafcfc95a1e1fc2f026a9/

ReversingLabs: Status: Malicious
Threat name: Win32.Trojan.Kryptik
First seen: 2020-06-30 17:59:03 UTC
AV detection: 26 of 31 (83.87%)
Threat level: 5/5

Spamhaus Hash Blocklist: Malicious file

Hatching Triage: Score: 8/10
Malware Family: n/a
Link: https://tria.ge/reports/200630-hp8bmp8x1x/
Tags: spyware persistence

VirusTotal: VirusTotal results: 56.16%

Yara Signatures


Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; Detect CobaltStrike used by different APT groups

Rule name: Codoso_Gh0st_1
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name: Codoso_Gh0st_2
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name: MAL_Envrial_Jan18_1
Author: Florian Roth
Description: Detects Encrial credential stealer malware
Reference: https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name: win_ave_maria_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_malumpos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Sample: Executable exe fe7dc35391c88f2001b6637186c2fa677bb5f1a08cfdafcfc95a1e1fc2f026a9 (this sample), signature AveMariaRAT

Dropped by: MD5 90592ad87bbf40ecb0e777cb7e6a9676

Delivery method: Distributed via e-mail attachment

Comments