MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9360394c3444d2bb96d0039ceff9ee5af3225ea06c034c76577f0fea54a911d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Maldoc score: 23


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9360394c3444d2bb96d0039ceff9ee5af3225ea06c034c76577f0fea54a911d1
SHA3-384 hash: 6b071ee406c12adbabafdbcf19d5eac6bb55624b63d34e43d48b4602cbc7753001fca8657ee37ccaa60e8f70f67dba14
SHA1 hash: 3efa63cd1369a53c1a4c7090cfd920c8d4511861
MD5 hash: 791a899fe3e63563ae4434bceba5e5e3
humanhash: november-lithium-lion-virginia
File name:pagoXswift.xls
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:59'392 bytes
First seen:2022-05-06 15:32:42 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 1536:1rxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAVwI7PKIcjOUydx:1rxEtjPOtioVjDGUU1qfDlaGGx+cL2QF
TLSH T1104306627685C86ADA4847760CE6D6DA3623FC56AF7B43073244F32E2E76390CD1361B
TrID 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter lowmal3
Tags:AveMariaRAT xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 23
OLE dump

MalwareBazaar was able to identify 19 sections in this file using oledump:

Section IDSection sizeSection name
1107 bytesCompObj
2244 bytesDocumentSummaryInformation
3208 bytesSummaryInformation
432552 bytesWorkbook
5631 bytes_VBA_PROJECT_CUR/PROJECT
6128 bytes_VBA_PROJECT_CUR/PROJECTwm
7968 bytes_VBA_PROJECT_CUR/VBA/Module1
8985 bytes_VBA_PROJECT_CUR/VBA/Sheet1
9985 bytes_VBA_PROJECT_CUR/VBA/Sheet2
10985 bytes_VBA_PROJECT_CUR/VBA/Sheet3
116401 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
125172 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
131540 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
14262 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
15408 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
16220 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
1784 bytes_VBA_PROJECT_CUR/VBA/__SRP_4
18104 bytes_VBA_PROJECT_CUR/VBA/__SRP_5
19612 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecWorkbook_OpenRuns when the Excel Workbook is opened
SuspiciousOpenMay open a file
SuspiciousWriteMay write to a file (if combined with Open)
Suspiciousadodb.streamMay create a text file
SuspiciousSaveToFileMay create a text file
SuspiciousShellMay run an executable file or a system command
SuspiciousWScript.ShellMay run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object
SuspiciousShell.ApplicationMay run an application (if combined with CreateObject)
Suspiciousmicrosoft.xmlhttpMay download files from the Internet
SuspiciousChrMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
pagoXswift.xls
Verdict:
Malicious activity
Analysis date:
2022-05-06 15:35:25 UTC
Tags:
macros macros-on-open maldoc-5
Link:
https://app.any.run/tasks/ffe64b17-0551-400d-ae27-6aeab13d226f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269099/
Detection(s):
TwinWave.EvilDoc.StatusIsLikeAFriend.20210201.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Office.Macro-13.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Office.Macro-11.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.ShoulderOfOrion.20220121.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/9360394c3444d2bb96d0039ceff9ee5af3225ea06c034c76577f0fea54a911d1/results/dashboard
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
macros macros-on-open packed
Link:
https://www.filescan.io/uploads/62753ff692de4ecac40b807d/reports/0ecb984a-ae1e-48ca-bac8-13fd6d4db3eb/overview
Gathering data
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/9360394c3444d2bb96d0039ceff9ee5af3225ea06c034c76577f0fea54a911d1
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
Shell.Application Object
Detected the instantiation of Shell Application object within the macro.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Document With Minimal Content
Document contains less than 1 kilobyte of semantic information.
Result
Threat name:
AveMaria UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/989151
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Detected unpacking (changes PE section rights)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office process drops PE file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 621647 Sample: pagoXswift.xls Startdate: 06/05/2022 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 61 19 other signatures 2->61 9 EXCEL.EXE 8 19 2->9         started        14 hdimages.exe 2->14         started        process3 dnsIp4 39 e-eykairies.gr 51.15.17.195, 443, 49171 OnlineSASFR France 9->39 41 www.e-eykairies.gr 9->41 33 C:\Users\user\AppData\...behaviorgraphBZWFEPH.exe, PE32 9->33 dropped 35 C:\Users\user\...\bizbbxixgdfafac[1].exe, PE32 9->35 dropped 75 Document exploit detected (creates forbidden files) 9->75 16 GBZWFEPH.exe 9->16         started        77 Injects a PE file into a foreign processes 14->77 19 hdimages.exe 4 14->19         started        file5 signatures6 process7 dnsIp8 43 Detected unpacking (changes PE section rights) 16->43 45 Machine Learning detection for dropped file 16->45 47 Contains functionality to inject threads in other processes 16->47 53 3 other signatures 16->53 22 GBZWFEPH.exe 5 4 16->22         started        37 topimoiofnfiomog.freedynamicdns.org 37.0.14.206, 49172, 5207 WKD-ASIE Netherlands 19->37 49 Tries to steal Mail credentials (via file / registry access) 19->49 51 Tries to harvest and steal browser information (history, passwords, etc) 19->51 signatures9 process10 file11 31 C:\ProgramData\hdimages.exe, PE32 22->31 dropped 63 Increases the number of concurrent connection per server for Internet Explorer 22->63 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->65 26 hdimages.exe 22->26         started        signatures12 process13 signatures14 67 Detected unpacking (changes PE section rights) 26->67 69 Found evasive API chain (may stop execution after checking mutex) 26->69 71 Machine Learning detection for dropped file 26->71 73 5 other signatures 26->73 29 hdimages.exe 1 26->29         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9360394c3444d2bb96d0039ceff9ee5af3225ea06c034c76577f0fea54a911d1/
Threat name:
Script-Macro.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-05-06 14:16:17 UTC
File Type:
Document
Extracted files:
28
AV detection:
17 of 26 (65.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=snqdstbuitjlxfwqaooo76pollzsexvanqbuy5sxp4h6uvfjchiq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro macro_on_action
Link:
https://tria.ge/reports/220506-sy6x9saaf8/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Program crash
Suspicious use of SetThreadContext
Downloads MZ/PE file
Executes dropped EXE
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9360394c3444/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9360394c3444d2bb96d0039ceff9ee5af3225ea06c034c76577f0fea54a911d1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

Excel file xls 9360394c3444d2bb96d0039ceff9ee5af3225ea06c034c76577f0fea54a911d1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/269099/

Comments