MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fb4306a36b61be977dfc6f56443542c9d70273bb97b55d5049cd86608aa0f68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 11


Maldoc score: 9


Intelligence 11 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fb4306a36b61be977dfc6f56443542c9d70273bb97b55d5049cd86608aa0f68
SHA3-384 hash: bbf9be28915fadd143620675f49006449f9d69180ef3afaaaf36414529df749a9aab187d6f2c2de702472ac1f2aae95d
SHA1 hash: fc83f1d3acb53009cbaa7b9df57676274fc561a1
MD5 hash: 1812b0ee6924f6188269c65494e580e8
humanhash: twenty-shade-princess-twenty
File name:HAN HII PAYMENT-USD.doc
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:72'192 bytes
First seen:2024-04-30 05:42:02 UTC
Last seen:2025-05-30 06:03:30 UTC
File type:Word file doc
MIME type:application/msword
ssdeep 768:Dpwxw+tCmFeFahP8nmwyd04aCF+Fas0Mxw+tq:DSxrtCmFeFahP81CF+FasZxrt
TLSH T154634E09B399CD5AE2174E324DD7DAEA7B29BC59AF46821B72403F2FBE306708D11711
TrID 52.6% (.DOC) Microsoft Word document (30000/1/2)
33.3% (.DOC) Microsoft Word document (old ver.) (19000/1/2)
14.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:AveMariaRAT doc onedrive-59261C7E41B6478A

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
OLE dump

MalwareBazaar was able to identify 32 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2280 bytesDocumentSummaryInformation
3400 bytesSummaryInformation
47742 bytes1Table
54096 bytesData
6417 bytesMacros/PROJECT
771 bytesMacros/PROJECTwm
83672 bytesMacros/VBA/NewMacros
9946 bytesMacros/VBA/ThisDocument
102822 bytesMacros/VBA/_VBA_PROJECT
111925 bytesMacros/VBA/__SRP_0
12122 bytesMacros/VBA/__SRP_1
13347 bytesMacros/VBA/__SRP_2
14156 bytesMacros/VBA/__SRP_3
15571 bytesMacros/VBA/dir
16114 bytesObjectPool/_1750712440/CompObj
176 bytesObjectPool/_1750712440/ObjInfo
184096 bytesObjectPool/_1750712440/DocumentSummaryInformation
194096 bytesObjectPool/_1750712440/SummaryInformation
207171 bytesObjectPool/_1750712440/1Table
21419 bytesObjectPool/_1750712440/Macros/PROJECT
2271 bytesObjectPool/_1750712440/Macros/PROJECTwm
237095 bytesObjectPool/_1750712440/Macros/VBA/NewMacros
241074 bytesObjectPool/_1750712440/Macros/VBA/ThisDocument
252814 bytesObjectPool/_1750712440/Macros/VBA/_VBA_PROJECT
261771 bytesObjectPool/_1750712440/Macros/VBA/__SRP_0
27122 bytesObjectPool/_1750712440/Macros/VBA/__SRP_1
28347 bytesObjectPool/_1750712440/Macros/VBA/__SRP_2
29156 bytesObjectPool/_1750712440/Macros/VBA/__SRP_3
30569 bytesObjectPool/_1750712440/Macros/VBA/dir
314096 bytesObjectPool/_1750712440/WordDocument
324096 bytesWordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecAutoOpenRuns when the Word document is opened
IOCp.exeExecutable file name
SuspiciousoutputMay write to a file (if combined with Open)
SuspiciousShellMay run an executable file or a system command
SuspiciousChrMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
7
# of downloads :
386
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
7fb4306a36b61be977dfc6f56443542c9d70273bb97b55d5049cd86608aa0f68.doc
Verdict:
Malicious activity
Analysis date:
2024-04-30 05:49:21 UTC
Tags:
macros macros-on-open rat avemaria remote bazaloader loader warzone
Link:
https://app.any.run/tasks/e208ae11-0d1f-4371-9dca-17c2f458e3c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/msword
Has a screenshot:
False
Contains macros:
False
Detection(s):
TwinWave.EvilDoc.AutoTriggerEvilMrFantasyM3.20200721.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXSTRGOOD._IEX.210408.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.TastesLikeVenom20230822.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Creating a process from a recently created file
Running batch commands
Unauthorized injection to a recently created process
Launching a process by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Legacy Word File with Macro
Link:
https://app.docguard.net/7fb4306a36b61be977dfc6f56443542c9d70273bb97b55d5049cd86608aa0f68/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
Msoffice/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7fb4306a36b61be977dfc6f56443542c9d70273bb97b55d5049cd86608aa0f68
Gathering data
Result
Threat name:
AveMaria, PrivateLoader
Create hunting rule
Detection:
malicious
Classification:
expl.evad.phis.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1433841
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates multiple autostart registry keys
Document contains an embedded VBA with hexadecimal encoded strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected PrivateLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1433841 Sample: HAN HII PAYMENT-USD.doc Startdate: 30/04/2024 Architecture: WINDOWS Score: 100 103 web.fe.1drv.com 2->103 105 onedrive.live.com 2->105 107 5 other IPs or domains 2->107 125 Snort IDS alert for network traffic 2->125 127 Found malware configuration 2->127 129 Malicious sample detected (through community Yara rule) 2->129 131 24 other signatures 2->131 10 WINWORD.EXE 141 477 2->10         started        13 Update.pif 2->13         started        16 Update.pif.pif.pif 2->16         started        18 9 other processes 2->18 signatures3 process4 dnsIp5 91 C:\Users\user\AppData\Local\...\~WRO0000.doc, Composite 10->91 dropped 21 powershell.exe 15 22 10->21         started        26 splwow64.exe 10->26         started        153 Multi AV Scanner detection for dropped file 13->153 155 Found evasive API chain (may stop execution after checking mutex) 13->155 157 Contains functionality to hide user accounts 13->157 161 3 other signatures 13->161 28 cmd.exe 13->28         started        36 2 other processes 13->36 30 cmd.exe 16->30         started        38 4 other processes 16->38 109 192.168.2.4, 138, 443, 4821 unknown unknown 18->109 111 192.168.2.16 unknown unknown 18->111 113 5 other IPs or domains 18->113 159 Loading BitLocker PowerShell Module 18->159 32 cmd.exe 18->32         started        34 cmd.exe 18->34         started        40 19 other processes 18->40 file6 signatures7 process8 dnsIp9 115 dual-spov-0006.spov-msedge.net 13.107.137.11, 443, 49819, 49832 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->115 77 C:\Users\Public\Update.exe, PE32 21->77 dropped 79 C:\Users\Public\C.dll, PE32 21->79 dropped 81 C:\Users\user\A.inf, Windows 21->81 dropped 135 Drops PE files to the user root directory 21->135 137 Powershell drops PE file 21->137 42 Update.exe 21->42         started        49 2 other processes 21->49 139 Uses cmd line tools excessively to alter registry or file data 28->139 51 2 other processes 28->51 53 2 other processes 30->53 55 2 other processes 32->55 57 2 other processes 34->57 83 C:\Users\user\Documents\Update.pif.pif, PE32 36->83 dropped 141 Contains functionality to hide user accounts 36->141 45 conhost.exe 36->45         started        85 C:\Users\user\...\Update.pif.pif.pif.pif, PE32 38->85 dropped 47 conhost.exe 38->47         started        117 plus.l.google.com 142.250.191.174, 443, 49771 GOOGLEUS United States 40->117 119 www.google.com 172.217.2.36, 443, 49740, 49741 GOOGLEUS United States 40->119 121 apis.google.com 40->121 87 C:\Users\user\...\Update.pif.pif.pif.pif.pif, PE32 40->87 dropped 89 C:\Users\user\Documents\Update.pif.pif.pif, PE32 40->89 dropped 59 11 other processes 40->59 file10 signatures11 process12 signatures13 143 Antivirus detection for dropped file 42->143 145 Multi AV Scanner detection for dropped file 42->145 147 Contains functionality to hide user accounts 42->147 149 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 42->149 61 Update.exe 42->61         started        66 cmd.exe 42->66         started        68 cmd.exe 42->68         started        151 Creates multiple autostart registry keys 57->151 process14 dnsIp15 123 45.137.22.105, 4821, 49835 ROOTLAYERNETNL Netherlands 61->123 93 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 61->93 dropped 95 C:\Users\user\AppData\Local\Temp\nss3.dll, PE32 61->95 dropped 97 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 61->97 dropped 101 3 other files (1 malicious) 61->101 dropped 163 Tries to steal Mail credentials (via file / registry access) 61->163 165 Tries to harvest and steal browser information (history, passwords, etc) 61->165 167 Increases the number of concurrent connection per server for Internet Explorer 61->167 169 Hides that the sample has been downloaded from the Internet (zone.identifier) 61->169 171 Drops PE files to the document folder of the user 66->171 173 Uses cmd line tools excessively to alter registry or file data 66->173 175 Drops PE files with a suspicious file extension 66->175 70 reg.exe 66->70         started        73 conhost.exe 66->73         started        99 C:\Users\user\Documents\Update.pif, PE32 68->99 dropped 75 conhost.exe 68->75         started        file16 signatures17 process18 signatures19 133 Creates multiple autostart registry keys 70->133
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7fb4306a36b61be977dfc6f56443542c9d70273bb97b55d5049cd86608aa0f68/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-04-30 01:04:14 UTC
File Type:
Document
Extracted files:
44
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p62da2rwwyn6s567y32wiq2ufsoxajz3xf5vlviettmgmcfkb5ua._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat agilenet collection infostealer macro macro_on_action persistence rat spyware stealer
Link:
https://tria.ge/reports/240430-gd11qsec7w/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Warzone RAT payload
Process spawned unexpected child process
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
45.137.22.105:4821
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7fb4306a36b6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7fb4306a36b61be977dfc6f56443542c9d70273bb97b55d5049cd86608aa0f68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:Office_AutoOpen_Macro
Create hunting rule
Author:Florian Roth
Description:Detects an Microsoft Office file that contains the AutoOpen Macro function
Rule name:Office_AutoOpen_Macro
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an Microsoft Office file that contains the AutoOpen Macro function
Rule name:office_document_vba
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Office document with embedded VBA
Reference:https://github.com/jipegit/
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:TA505_Maldoc_21Nov_2
Create hunting rule
Author:Arkbird_SOLG
Description:invitation (1).xls
Reference:https://twitter.com/58_158_177_102/status/1197432303057637377

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

zip 67dda85b8fcccfa131d203c066116de63e431fd9d2b2cb4651260f426a0d24de

AveMariaRAT

Word file doc 7fb4306a36b61be977dfc6f56443542c9d70273bb97b55d5049cd86608aa0f68

(this sample)

  
Dropped by
SHA256 67dda85b8fcccfa131d203c066116de63e431fd9d2b2cb4651260f426a0d24de
  
Dropped by
MD5 6c3e20f16bb359fb22557004478366f9

Comments