MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66db4f35414c834c5f144a668c804e75149ed55d81dcae4a02494a817332f4f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66db4f35414c834c5f144a668c804e75149ed55d81dcae4a02494a817332f4f3
SHA3-384 hash: 0a4fb477a060500d0f0318a058e5a61a97ea7d364a28d10cb49e108feec31e8f8e912469973e2eea96badb5c83545190
SHA1 hash: 8ef29dfb8031bcdcffb47ae11489657d68dc2499
MD5 hash: 0c81cd0295f86f1813203d2676a16220
humanhash: angel-friend-robin-single
File name:MTS New%0A Order#611703.xlsx
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'382'653 bytes
First seen:2023-12-12 15:42:45 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 24576:M8eaKrtq10Yh+VqzW3Xqy8Aaq++oTuEwvAQNujlpRrVGdoGBCoTwwE:2/mzh+VeWnmh+oTudNujlrVGdimwwE
TLSH T16355338E61137917E4045370C6EE62219125EBE1CADDCD886CBBC7B7050366ABF3E5B8
TrID 60.1% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
30.9% (.ZIP) Open Packaging Conventions container (17500/1/4)
7.0% (.ZIP) ZIP compressed archive (4000/1)
1.7% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter malwarelabnet
Tags:AveMariaRAT CVE-2017-11882 WarzoneRAT xlsx

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section IDSection sizeSection name
A11681395 bytesOlE10NaTive
A20 bytesbgTAJqHARRpfd3kyoSyHBbxIV

Intelligence

File Origin
# of uploads :
1
# of downloads :
958
Origin country :
CA CA
Vendor Threat Intelligence
Verdict:
Legit
File type:
application/octet-stream
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/466665/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for synchronization primitives
Launching a process
DNS request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
OOXML Excel File with Embedding Objects
Link:
https://app.docguard.net/66db4f35414c834c5f144a668c804e75149ed55d81dcae4a02494a817332f4f3/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/65787f8cda3178d99ce304bf/reports/d6fcb7dc-674b-49bf-8a95-20075979be9a/overview
Verdict:
Malicious
Labled as:
CVE-2017-11882
Link:
https://www.hybrid-analysis.com/sample/66db4f35414c834c5f144a668c804e75149ed55d81dcae4a02494a817332f4f3
Label:
Malicious
Suspicious Score:
9.8/10
Score Malicious:
99%
Score Benign:
1%
Link:
https://www.malware.ai/gui/files/?id=0da85289-53b4-4958-b7cd-826dbb818d95
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/66db4f35414c834c5f144a668c804e75149ed55d81dcae4a02494a817332f4f3
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1360377
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Malicious sample detected (through community Yara rule)
Office equation editor establishes network connection
Shellcode detected
Sigma detected: EQNEDT32.EXE connecting to internet
Behaviour
Behavior Graph:
Download SVG
Detection:
cve-2017-11882-shellcode
Create hunting rule
Link:
https://mwdb.cert.pl/sample/66db4f35414c834c5f144a668c804e75149ed55d81dcae4a02494a817332f4f3/
Threat name:
Document-Office.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2023-12-12 12:34:14 UTC
File Type:
Document
Extracted files:
16
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m3nu6nkbjsbuyxyujjtizacooukj5vk5qhok4sqcjffic4zs6tzq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/231212-s5xm6sffbr/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/66db4f35414c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66db4f35414c834c5f144a668c804e75149ed55d81dcae4a02494a817332f4f3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/466665/

Comments