#AveMariaRAT
The email pretends to be a letter about a meeting between the Consul General of the Republic of Kazakhstan and the Ministry of Foreign Relations of the Astrakhan region.

- The email contains a vhdx attachment.
- The attachment contains a lnk and an archive file (decoy pdf).
- The lnk downloads the AveMaria payload using curl and executes it.

Тезисы.pdf.vhdx
56d1e9d11a8752e1c06e542e78e9c3e4

Download url:
http://45.61.137.32/www.exe

#AveMariaRAT
2300a4eb4bf1216506900e6040820843

C2:
hbfyewtuvfbhsbdjhjwebfy[.]net
193.188.20.163

Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs - By Asheer Malhotra, Vanja Svajcer and Justin Thattil.

Cisco Talos is tracking a c... http://feedproxy.google.com/~r/feedburner/Talos/~3/q-HOEjOIE_U/operation-armor-piercer.html #avemariarat #warzonerat #malware #netwire #securex #maldoc #apt #rat
