MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f0be13909a62a5d257151b140d27dd0902ad758449ea487a04e571a04bc1223. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Maldoc score: 17


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f0be13909a62a5d257151b140d27dd0902ad758449ea487a04e571a04bc1223
SHA3-384 hash: 06a023f9e921360aad8be16656634dbd27705e60e37c68c3a9dd7e89f21b7622cfb86053a5b6cab1ccbd3ac12d7215c6
SHA1 hash: 5044032f8cb5ed5e130890166e5f15913343c376
MD5 hash: c436484afa0bf471003b35a99bff69e9
humanhash: indigo-minnesota-social-colorado
File name:DHL QA-Tracker.doc
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:54'738 bytes
First seen:2021-09-22 05:52:16 UTC
Last seen:Never
File type:Word file doc
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 768:vvlY2cy1EqtmAuhcTJgYDm8ENFKSu1kopLuFSY1J2SyBUeH1tjN34/itJschF9NH:vvu2cy1Eq0uNsNfqpLwb4rFNZtJPH
TLSH T14F33F20EC3DC9139E2620EBC526EC193F3AE021AEF499CDD6595737889431E7078B997
Reporter abuse_ch
Tags:AveMariaRAT DHL doc

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 17
OLE dump

MalwareBazaar was able to identify 6 sections in this file using oledump:

Section IDSection sizeSection name
A1363 bytesPROJECT
A241 bytesPROJECTwm
A32911 bytesVBA/ThisDocument
A42674 bytesVBA/_VBA_PROJECT
A5522 bytesVBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecDocument_OpenRuns when the Word or Publisher document is opened
SuspiciousOpenMay open a file
SuspiciousWriteMay write to a file (if combined with Open)
SuspiciousADODB.StreamMay create a text file
SuspiciousSaveToFileMay create a text file
SuspiciousShellMay run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object
SuspiciousMicrosoft.XMLHTTPMay download files from the Internet
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) code and P-code are different, this may have been used to hide malicious code

Intelligence

File Origin
# of uploads :
1
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL QA-Tracker.doc
Verdict:
Malicious activity
Analysis date:
2021-09-22 06:00:05 UTC
Tags:
macros macros-on-open generated-doc trojan stealer rat avemaria
Link:
https://app.any.run/tasks/feba6044-4bdb-4d8c-bb84-3f86be040cfe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/msword
Has a screenshot:
False
Contains macros:
True
Detection(s):
SecuriteInfo.com.Office.Macro-11.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Office.Macro-13.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Macro-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Word File with Macro
Link:
https://app.docguard.net/6f0be13909a62a5d257151b140d27dd0902ad758449ea487a04e571a04bc1223/results/dashboard
Payload URLs
URL
File name
https://il.social.s-msft.com/globalresources/Images/trans.gif?cver=0001
vbaProject.bin
Document image
Image:
Download PNG
Document image
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/6f0be13909a62a5d257151b140d27dd0902ad758449ea487a04e571a04bc1223
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855345
Signature
.NET source code contains potential unpacker
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 487781 Sample: DHL QA-Tracker.doc Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 36 github.com 2->36 38 avatars.githubusercontent.com 2->38 50 Multi AV Scanner detection for dropped file 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Document exploit detected (drops PE files) 2->54 56 8 other signatures 2->56 9 WINWORD.EXE 306 43 2->9         started        signatures3 process4 dnsIp5 46 us-east-1.route-1.000webhost.awex.io 145.14.145.66, 443, 49167 AWEXUS Netherlands 9->46 48 ghghghfhfhfh.000webhostapp.com 9->48 30 C:\Windows\System32\Server.gif, PE32 9->30 dropped 32 C:\Users\user\...\DHL%20QA-Tracker[1].gif, PE32 9->32 dropped 58 Drops executables to the windows directory (C:\Windows) and starts them 9->58 14 Server.gif 9->14         started        file6 signatures7 process8 signatures9 60 Multi AV Scanner detection for dropped file 14->60 17 chrome.exe 20 467 14->17         started        process10 dnsIp11 34 239.255.255.250 unknown Reserved 17->34 24 C:\Users\user\...\the-real-index. (copy), x86 17->24 dropped 26 C:\Users\user\...\the-real-index (copy), x86 17->26 dropped 28 C:\Users\user\AppData\Local\...\temp-index, x86 17->28 dropped 21 chrome.exe 18 17->21         started        file12 process13 dnsIp14 40 googlehosted.l.googleusercontent.com 142.250.180.193, 443, 49187 GOOGLEUS United States 21->40 42 clients.l.google.com 142.250.180.206, 443, 49169 GOOGLEUS United States 21->42 44 11 other IPs or domains 21->44
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f0be13909a62a5d257151b140d27dd0902ad758449ea487a04e571a04bc1223/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 05:24:31 UTC
AV detection:
12 of 45 (26.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n4f6coijuyvf2jlrkgyubut52cicvv2yispkjb5ajzlrubf4cirq._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer macro persistence rat spyware stealer
Link:
https://tria.ge/reports/210922-glcccabfb4/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Warzone RAT Payload
Modifies WinLogon for persistence
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
warzonepw.ddns.net:6568
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f0be13909a62a5d257151b140d27dd0902ad758449ea487a04e571a04bc1223

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Word file doc 6f0be13909a62a5d257151b140d27dd0902ad758449ea487a04e571a04bc1223

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments