MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17cd87bcd8cd457fc30877dfaf5dcfa395117cdc99f573c8572526d9edbf4b58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17cd87bcd8cd457fc30877dfaf5dcfa395117cdc99f573c8572526d9edbf4b58
SHA3-384 hash: a8d9e84412f148542d94061f86e64894192cfe740a81244644d61531adec90ef65a6e1f977ce318bd728134f7c1b78d3
SHA1 hash: 7d76c39a7b3718087e9f1d78d834e9b7c8960452
MD5 hash: 2134d079a050b94ed95026d324566ba2
humanhash: solar-yellow-whiskey-social
File name:Purchase Orders jtc tools PDF.ppam
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:9'962 bytes
First seen:2021-12-15 09:41:21 UTC
Last seen:Never
File type:PowerPoint file ppam
MIME type:application/vnd.openxmlformats-officedocument.presentationml.presentation
ssdeep 192:n7UhPk4EpHAwfYu6qS1WJHC9XNAZeEDkhhoh43OPW:nwhPkZpADxBVAk7q4gW
TLSH T16D229E5EC20837B7DD93C53D75660999FEBFB184B86092472D8103EC1CD46B7E68DA28
Reporter abuse_ch
Tags:AveMariaRAT ppam


Avatar
abuse_ch
Payload URL:
https://ia601506.us.archive.org/21/items/decembersho2/3.html)

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilDoc.DOCXRSTRGOOD.MSHTA.REV.200317.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.CROHeadGames.20200320.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXSTRGOOD.//
Create hunting rule

TwinWave.EvilDoc.AutoTriggerEvilMrFantasy.20200627.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.AutoTriggerEvilMrFantasy.20200705.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.AutoTriggerEvilMrFantasyM3.20200721.UNOFFICIAL
Create hunting rule

TwinWave.CROJokerAndTheThiefFinalHour.20210420.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.CROIndirectionGamesLeave.20210428.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.CROMiscreantNeuralLinkExtraTerra.M2.20210721.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.MSHTA.REV.210901.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.TakeMeHomeTonight.20210923.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXSTRGOOD.\WINDOWS\.REV.210420.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXSTRGOOD.PTTH.210526.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
File Type:
Legacy PowerPoint File with Macro
Link:
https://app.docguard.net/17cd87bcd8cd457fc30877dfaf5dcfa395117cdc99f573c8572526d9edbf4b58/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
macros macros-on-open powershell
Link:
https://www.filescan.io/uploads/61b9b86e45ca64e57f1125a9/reports/d37a5571-0935-4763-bdef-1c1fa205afab/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/17cd87bcd8cd457fc30877dfaf5dcfa395117cdc99f573c8572526d9edbf4b58
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
InQuest Machine Learning
An InQuest machine-learning model classified this macro as potentially malicious.
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/907722
Signature
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an autostart registry key pointing to binary in C:\Windows
Creates processes via WMI
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA with many string operations indicating source code obfuscation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected obfuscated html page
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 540204 Sample: Purchase Orders jtc tools P... Startdate: 15/12/2021 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Yara detected UACMe UAC Bypass tool 2->58 60 Yara detected obfuscated html page 2->60 62 8 other signatures 2->62 7 powershell.exe 12 7 2->7         started        11 OUTLOOK.EXE 509 16 2->11         started        13 powershell.exe 7 2->13         started        15 5 other processes 2->15 process3 dnsIp4 54 greatuplandrental.com 45.148.122.161, 49169, 49172, 49174 SKB-ENTERPRISENL Netherlands 7->54 76 Writes to foreign memory regions 7->76 78 Injects a PE file into a foreign processes 7->78 17 aspnet_compiler.exe 3 2 7->17         started        21 powershell.exe 6 11->21         started        23 aspnet_compiler.exe 13->23         started        25 cmd.exe 15->25         started        27 cmd.exe 15->27         started        29 POWERPNT.EXE 6 4 15->29         started        31 aspnet_compiler.exe 15->31         started        signatures5 process6 dnsIp7 46 97.107.136.48, 4424 LINODE-APLinodeLLCUS United States 17->46 64 Contains functionality to inject threads in other processes 17->64 66 Contains functionality to steal Chrome passwords or cookies 17->66 68 Contains functionality to steal e-mail passwords 17->68 70 2 other signatures 17->70 33 mshta.exe 5 11 21->33         started        38 mshta.exe 10 25->38         started        40 mshta.exe 27->40         started        signatures8 process9 dnsIp10 48 j.mp 67.199.248.16, 443, 49167 GOOGLE-PRIVATE-CLOUDUS United States 33->48 50 ia801502.us.archive.org 207.241.228.152, 443, 49168 INTERNET-ARCHIVEUS United States 33->50 42 C:\Users\user\AppData\Local\...\13[1].html, HTML 33->42 dropped 72 Creates an autostart registry key pointing to binary in C:\Windows 33->72 74 Creates processes via WMI 33->74 52 ia601506.us.archive.org 207.241.227.116, 443, 49170, 49171 INTERNET-ARCHIVEUS United States 38->52 44 C:\Users\user\AppData\Local\...\3[1].html, HTML 38->44 dropped file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17cd87bcd8cd457fc30877dfaf5dcfa395117cdc99f573c8572526d9edbf4b58/
Threat name:
Document-Office.Downloader.EncDoc
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 09:42:09 UTC
File Type:
Document
Extracted files:
17
AV detection:
16 of 43 (37.21%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7gyppgyzvcx7qyio7p26xopuokrc7g4th2xhscxeutnt3n7jnma._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/211215-lpb8zahbh6/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Drops file in Windows directory
Drops file in System32 directory
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://hahahahhasd@j.mp/ceeieurierjshdwqwid
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17cd87bcd8cd457fc30877dfaf5dcfa395117cdc99f573c8572526d9edbf4b58

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments