MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7666f3d19250bc9b6d75e1b081407ea6a71c81f22a2c027d85b6445a65a0f247. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT
Vendor detections: 7
Maldoc score: 11


SHA256 hash: 7666f3d19250bc9b6d75e1b081407ea6a71c81f22a2c027d85b6445a65a0f247
SHA3-384 hash: 9a40a715e235ed1cb21ea8df13eb496e3a8cc2368b12f00f1e38554d87b5c98e3b732c45b7999604a375084f7e38f658
SHA1 hash: d23b57b25096e93d33da65481246f15d0de0dbb7
MD5 hash: 2945ec5ca668fee27e326ab8c0043e2a
humanhash: sweet-friend-pluto-high
File name: 7666f3d19250bc9b6d75e1b081407ea6a71c81f22a2c027d85b6445a65a0f247
Signature: AveMariaRAT
File size: 343'040 bytes
First seen: 2021-05-28 15:11:46 UTC
Last seen: Never
File type: Word file docx
MIME type: application/msword
ssdeep: 6144:b3nW0Y1k9q1JV+EzZpig9gH+EVBpsSp/H0g2Pgnf8:bnWvgqjhpig9DBc/H0g2Pgf
TLSH: C57406036918CB93E06982F4BE434E9C2B176F0C998279EF11527E8F7E746624DCD52E
Reporter: Anonymous
Tags: AveMariaRAT maldoc vbastomped

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document, obtained using oletools and oledump.

OLE id
Maldoc score: 11
Application name is Microsoft Office Word
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 12 sections in this file using oledump:

Section ID  Section size   Section name
1           114 bytes      CompObj
2           4096 bytes     DocumentSummaryInformation
3           4096 bytes     SummaryInformation
4           7161 bytes     1Table
5           309204 bytes   Data
6           426 bytes      Macros/PROJECT
7           71 bytes       Macros/PROJECTwm
8           3062 bytes     Macros/VBA/NewMacros
9           768 bytes      Macros/VBA/ThisDocument
10          2928 bytes     Macros/VBA/_VBA_PROJECT
11          572 bytes      Macros/VBA/dir
12          4096 bytes     WordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate the VBA script(s) in the OLE objects embedded in this file using olevba, yielding the following information:

Type          Keyword         Description
AutoExec      AutoOpen        Runs when the Word document is opened
Suspicious    Run             May run an executable file or a system command
Suspicious    CreateObject    May create an OLE object
Suspicious    Chr             May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious    Hex Strings     Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious    Base64 Strings  Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
VBA stomping  VBA stomping    VBA source code and P-code are different, this may have been used to hide malicious code

Intelligence


File Origin
# of uploads: 1
# of downloads: 276
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Carrier Rate confirmation.doc
Verdict: No threats detected
Analysis date: 2021-05-26 16:12:09 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Legit
File type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Has a screenshot: False
Contains macros: True

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Result
Verdict: Malicious
File Type: Legacy Word File with Macro
Document image
Result
Verdict: MALICIOUS
Details:
Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages: Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Macro Execution Coercion: Detected a document that appears to social engineer the user into activating embedded logic.

Result
Threat name: AveMaria
Detection: malicious
Classification: evad.phis.troj.spyw.expl
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Document contains an embedded VBA with empty source code in macro
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connections per server for Internet Explorer
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Threat name: Document-Office.Trojan.Alien
Status: Malicious
First seen: 2021-05-26 18:08:30 UTC
AV detection: 6 of 47 (12.77%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: macro macro_on_action xlm
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: AveMariaRAT
Word file docx 7666f3d19250bc9b6d75e1b081407ea6a71c81f22a2c027d85b6445a65a0f247 (this sample)
Delivery method: Distributed via e-mail attachment

Comments