MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49235a707a23701651de637ce90e530247dcf6877001f416aa459a9bb0a22daa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AveMariaRAT


Vendor detections: 8



SHA256 hash: 49235a707a23701651de637ce90e530247dcf6877001f416aa459a9bb0a22daa
SHA3-384 hash: b1b14c2cfa0fcc4670afdb894da3dbed90ecb1a337871978c8a6ed4c5018220a031c767db57bde69b17754851b28bab7
SHA1 hash: f7dab7f7f3556fe38a001dba46c9e93d4ffbf32b
MD5 hash: ae55aaa571fd4f87839cb1ebc9706d32
humanhash: magazine-chicken-lima-lithium
File name: New Order ( MY 01-22-DTHI .doc
Signature: AveMariaRAT
File size: 11'198 bytes
First seen: 2022-08-05 11:43:13 UTC
Last seen: Never
File type: Word file doc
MIME type: application/octet-stream
ssdeep: 192:a6VFXWgf93ef3FZr2aZmnJfiMll+bZXe9uZwVtDvwFiNS+NS6CLcFS6s:a6VFXWgf93et0dJfVll+bZXe9uUFwEAd
TLSH: T12132077CC04B4AD8CFC962F89A0A7E5550687A6CE3C9B4237A7CB3752796D3E6207434
Reporter: @cocaman
Tags: AveMariaRAT doc


Twitter: @cocaman
Malicious email (T1566.001)
From: "Musthaq Hassim" <Musthaq.Hassim@fluiconnecto.ae> (likely spoofed)
Received: "from fluiconnecto.ae (unknown [45.137.22.120]) "
Date: "05 Aug 2022 13:42:50 +0200"
Subject: "RE: Urgent quote required - Oman"
Attachment: "New Order ( MY 01-22-DTHI .doc"

Intelligence


File Origin
# of uploads: 1
# of downloads: 284
Origin country: CH
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CVE-2017-11882 exploit javascript
Result
Verdict:
MALICIOUS
Result
Threat name:
AveMaria, UACMe
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is an obfuscated RTF file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
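The sandbox signatures above include two Sigma hits keyed on the Equation Editor process (EQNEDT32.EXE making a network connection, and EQNEDT32.EXE dropping a file) plus the generic "Office equation editor starts processes" behaviour. The following is an added example, not the Sigma project's rule text and not code from MalwareBazaar or the sandbox vendor: it approximates those three detections as predicates over Sysmon-style events and runs them against a small set of constructed events (the paths, IPs and RecordIds are made up for illustration). Note that EQNEDT32.EXE is launched via DCOM, so it appears as a child of svchost.exe rather than of WINWORD.EXE; that is why the rules key on the Equation Editor's own image rather than on Word's child processes.

```python
"""Detection logic for Equation Editor (EQNEDT32.EXE) abuse over Sysmon-style events.

Added example. The rule names mirror the sandbox's Sigma hits but the predicates are
this example's own approximation, not the Sigma project's published rule text.
"""

EQNEDT = "eqnedt32.exe"


def _image_is(path, name):
    """Case-insensitive match on the basename of a Windows image path."""
    return path is not None and path.lower().rsplit("\\", 1)[-1] == name


# (rule name, predicate). Sysmon EventIDs: 1 process create, 3 network connect, 11 file create.
RULES = (
    ("EQNEDT32.EXE connecting to internet",
     lambda e: e.get("EventID") == 3 and _image_is(e.get("Image"), EQNEDT)),
    ("File Dropped By EQNEDT32.EXE",
     lambda e: e.get("EventID") == 11 and _image_is(e.get("Image"), EQNEDT)),
    # Approximates "Office equation editor starts processes" from the sandbox report.
    ("Process spawned by EQNEDT32.EXE",
     lambda e: e.get("EventID") == 1 and _image_is(e.get("ParentImage"), EQNEDT)),
)


def detect(events):
    """Return (rule name, RecordId) for every event matching a rule, in input order."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((name, event["RecordId"]))
    return hits


# Constructed events (not from the sample): a benign Word start, the DCOM-launched
# Equation Editor, its outbound connection, a dropped payload, the payload being run,
# and a benign Word connection to an Office service. Paths and IPs are placeholders.
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPED = r"C:\Users\victim\AppData\Roaming\svhost.exe"

SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": WINWORD, "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 2, "EventID": 1, "Image": EQNEDT_PATH,
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"RecordId": 3, "EventID": 3, "Image": EQNEDT_PATH,
     "DestinationIp": "203.0.113.7", "DestinationPort": 80},
    {"RecordId": 4, "EventID": 11, "Image": EQNEDT_PATH, "TargetFilename": DROPPED},
    {"RecordId": 5, "EventID": 1, "Image": DROPPED, "ParentImage": EQNEDT_PATH},
    {"RecordId": 6, "EventID": 3, "Image": WINWORD,
     "DestinationIp": "40.96.0.1", "DestinationPort": 443},
]


if __name__ == "__main__":
    for rule, record_id in detect(SAMPLE_EVENTS):
        print(f"{rule}: RecordId {record_id}")
```

Event 2 (Equation Editor starting under svchost.exe) deliberately produces no hit: on its own that is how the legitimate DCOM launch looks, and a rule keyed on it alone would be noisy. The chain of events 3, 4 and 5 is what separates exploitation from a user genuinely editing an equation.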
Behaviour
Threat name:
Win32.Exploit.CVE-2017-11882
Status:
Malicious
First seen:
2022-08-05 00:42:28 UTC
File Type:
Document
Extracted files:
4
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name:INDICATOR_RTF_MalVer_Objects
Author:ditekSHen
Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents.
Rule name:SUSP_RTF_Header_Anomaly_RID2F7F
Author:Florian Roth
Description:Detects malformed RTF header often used to trick mechanisms that check for a full RTF header
Reference:https://twitter.com/ItsReallyNick/status/975705759618158593
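Both YARA matches describe static properties of the file rather than behaviour: a truncated or malformed RTF header (Word will still open a file that begins with `{\rt` followed by something other than `f1`, which defeats naive `{\rtf1` checks), and embedded OLE objects of the kind used in Equation Editor exploits, hidden behind a `.doc` name and an `application/octet-stream` MIME type. The following is an added example, not MalwareBazaar's code and not the rules' own logic: a small static triage routine that reproduces those checks in Python and also computes the hash set shown in the entry. The header and object-class tests are this example's own approximation of what the rules look for; the sample bytes are constructed for illustration and are not the real file.

```python
"""Static triage of an RTF lure that carries a .doc name (added example, not MalwareBazaar code)."""
import hashlib
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container header
# Control words that embed or auto-load OLE objects. Exploit RTFs for the Equation Editor
# typically carry an Equation.3 object and \objupdate so it is loaded without a click.
OBJECT_CONTROL_WORDS = (b"\\objdata", b"\\objemb", b"\\objupdate", b"\\objautlink", b"\\objlink")


def rtf_header_anomaly(data: bytes) -> bool:
    """Flag a file that starts RTF-like ('{\\rt') but not with the full '{\\rtf1' header.
    This is an approximation of the header-anomaly rule, not its exact condition."""
    return data.startswith(b"{\\rt") and not data.startswith(b"{\\rtf1")


def decoded_objdata(data: bytes) -> bytes:
    """Concatenate and hex-decode every \\objdata blob (OLE1 stream), tolerating odd lengths."""
    out = b""
    for chunk in re.findall(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        hexstr = re.sub(rb"\s", b"", chunk)
        if len(hexstr) % 2:          # malformed hex is itself a hint; keep what decodes
            hexstr = hexstr[:-1]
        out += bytes.fromhex(hexstr.decode())
    return out


def embedded_object_markers(data: bytes) -> dict:
    """Object-related control words, declared object classes, and an Equation.3 ProgID
    inside the decoded OLE1 stream (the Equation Editor object used by CVE-2017-11882)."""
    return {
        "control_words": sorted(w.decode() for w in OBJECT_CONTROL_WORDS if w in data),
        "objclass": [m.decode() for m in re.findall(rb"\\objclass\s*([A-Za-z0-9.]+)", data)],
        "equation_editor": b"Equation.3" in decoded_objdata(data),
    }


def extension_mismatch(filename: str, data: bytes) -> bool:
    """A .doc/.dot name whose bytes are not an OLE2 compound file is a lure, not a Word binary."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return ext in ("doc", "dot") and not data.startswith(OLE2_MAGIC)


def hashes(data: bytes) -> dict:
    """The hash set MalwareBazaar lists for an entry (humanhash omitted)."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256", "sha3_384")}


def triage(filename: str, data: bytes) -> dict:
    markers = embedded_object_markers(data)
    hints = []
    if extension_mismatch(filename, data):
        hints.append("doc extension but RTF body")
    if rtf_header_anomaly(data):
        hints.append("malformed RTF header")
    if "\\objupdate" in markers["control_words"]:
        hints.append("object auto-update on open")
    if markers["equation_editor"] or "Equation.3" in markers["objclass"]:
        hints.append("Equation Editor object (CVE-2017-11882 candidate)")
    return {"hashes": hashes(data), "markers": markers, "hints": hints}


# Constructed stand-in for the sample (same file name, invented bytes): a truncated header,
# an auto-updating embedded object declared as Equation.3, and an OLE1 stream whose class
# name field spells "Equation.3".
SAMPLE_NAME = "New Order ( MY 01-22-DTHI .doc"
SAMPLE = (
    b"{\\rt1\\ansi\\deff0"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300 00000000 00000000}}"
    b"\\par }"
)

if __name__ == "__main__":
    result = triage(SAMPLE_NAME, SAMPLE)
    print(result["hashes"]["sha256"])
    for hint in result["hints"]:
        print("-", hint)
```

The ProgID check reads the decoded `\objdata` stream rather than only the `\objclass` string because obfuscated RTFs often omit or mangle `\objclass` while the OLE1 header still has to name the class for Word to instantiate it. ssdeep and TLSH are left out because they need third-party libraries; everything above runs on the standard library.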

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Word file doc 49235a707a23701651de637ce90e530247dcf6877001f416aa459a9bb0a22daa (this sample)
Delivery method
Distributed via e-mail attachment
