MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a524b17edc79f1cacd57f9a07becfd24df6d0ef893d11620cb3c300c86c327ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a524b17edc79f1cacd57f9a07becfd24df6d0ef893d11620cb3c300c86c327ed
SHA3-384 hash: fa246eb7b4e40c91f3961d196b7aede3b509585423b2dfec4aaa68197404b1f8bbd243ec0aaaf6d05264d79e2656985a
SHA1 hash: 26d8b5eec451ed68f3a61f4f69b4fadffb736d22
MD5 hash: 8fb67950eee24c33116c5c8ae87bbde1
humanhash: spaghetti-mississippi-december-fillet
File name:IdDetails.ppam
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:16'646 bytes
First seen:2021-07-12 14:58:24 UTC
Last seen:Never
File type:PowerPoint file ppam
MIME type:application/vnd.openxmlformats-officedocument.presentationml.presentation
ssdeep 384:oS48n13LEl6VqqOTY/ImRPzrM3a6cLlc84oDI:o/K12qvgmRPzro2lKoDI
TLSH T11E72C044BB13604AC66DACF2CE5999DF6493A8073C73866E26A4D2B21ED4AD30513B98
Reporter abuse_ch
Tags:AveMariaRAT ppam RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Bad-VBA.lc.11535.29777.UNOFFICIAL
Create hunting rule

Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/a524b17edc79f1cacd57f9a07becfd24df6d0ef893d11620cb3c300c86c327ed
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Macro with DLL Reference
Detected macro logic that will load additional functionality from Dynamically Linked Libraries (DLLs). While not explicitly malicious, this is a common tactic for accessing APIs that are not otherwised exposed via Visual Basic for Applications (VBA).
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814985
Signature
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates processes via WMI
Document exploit detected (process start blacklist hit)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Sigma detected: WScript or CScript Dropper
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected MSILLoadEncryptedAssembly
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447400 Sample: IdDetails.ppam Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 108 Malicious sample detected (through community Yara rule) 2->108 110 Yara detected Powershell download and execute 2->110 112 Yara detected AveMaria stealer 2->112 114 9 other signatures 2->114 8 mshta.exe 2->8         started        12 mshta.exe 25 2->12         started        14 POWERPNT.EXE 501 25 2->14         started        16 8 other processes 2->16 process3 dnsIp4 94 www.blogger.com 8->94 102 2 other IPs or domains 8->102 138 Creates a scheduled task launching mshta.exe (likely to bypass HIPS) 8->138 18 powershell.exe 8->18         started        22 schtasks.exe 8->22         started        96 www.blogger.com 12->96 104 2 other IPs or domains 12->104 140 Writes or reads registry keys via WMI 12->140 142 Writes registry values via WMI 12->142 24 powershell.exe 12->24         started        27 powershell.exe 12->27         started        29 schtasks.exe 12->29         started        31 mshta.exe 2 55 14->31         started        98 www.blogger.com 16->98 100 www.blogger.com 16->100 106 15 other IPs or domains 16->106 33 powershell.exe 16->33         started        35 schtasks.exe 16->35         started        37 2 other processes 16->37 signatures5 process6 dnsIp7 72 ia601403.us.archive.org 207.241.227.123, 443, 49818 INTERNET-ARCHIVEUS United States 18->72 116 Writes to foreign memory regions 18->116 118 Injects a PE file into a foreign processes 18->118 39 MSBuild.exe 18->39         started        53 2 other processes 18->53 43 conhost.exe 22->43         started        74 archive.org 207.241.224.2, 443, 49776, 49784 INTERNET-ARCHIVEUS United States 24->74 76 ia601401.us.archive.org 207.241.227.121, 443, 49782 INTERNET-ARCHIVEUS United States 24->76 82 3 other IPs or domains 24->82 66 PowerShell_transcr....20210712171910.txt, UTF-8 24->66 dropped 68 C:\Users\Public\nolub.vbs, ASCII 24->68 dropped 55 2 other processes 24->55 78 ia801403.us.archive.org 207.241.228.143, 443, 49768, 49783 INTERNET-ARCHIVEUS United States 27->78 45 conhost.exe 27->45         started        47 conhost.exe 29->47         started        80 blogspot.l.googleusercontent.com 172.217.168.65, 443, 49735, 49750 GOOGLEUS United States 31->80 84 6 other IPs or domains 31->84 120 Uses schtasks.exe or at.exe to add and modify task schedules 31->120 122 Creates a scheduled task launching mshta.exe (likely to bypass HIPS) 31->122 124 Writes or reads registry keys via WMI 31->124 126 Writes registry values via WMI 31->126 57 3 other processes 31->57 49 conhost.exe 33->49         started        51 conhost.exe 35->51         started        file8 signatures9 process10 dnsIp11 86 normanaman.duckdns.org 103.153.76.164, 3009, 49811, 49824 TWIDC-AS-APTWIDCLimitedHK unknown 39->86 128 Contains functionality to inject threads in other processes 39->128 130 Contains functionality to steal Chrome passwords or cookies 39->130 132 Contains functionality to steal e-mail passwords 39->132 136 2 other signatures 39->136 134 Creates processes via WMI 55->134 88 73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles.com 57->88 90 ia601509.us.archive.org 207.241.227.119, 443, 49813 INTERNET-ARCHIVEUS United States 57->90 92 7 other IPs or domains 57->92 70 PowerShell_transcr....20210712171850.txt, UTF-8 57->70 dropped 60 conhost.exe 57->60         started        62 conhost.exe 57->62         started        64 conhost.exe 57->64         started        file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a524b17edc79f1cacd57f9a07becfd24df6d0ef893d11620cb3c300c86c327ed/
Threat name:
Document-Office.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 14:59:07 UTC
AV detection:
3 of 46 (6.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uuslc7w4phy4vtkx7gqhx3h5etpw2dxyspirmiglhqyazbwde7wq._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/210712-lspdteb3re/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Process spawned suspicious child process
Blocklisted process makes network request
Process spawned unexpected child process
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
normanaman.duckdns.org:3009
Dropper Extraction:
https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a524b17edc79f1cacd57f9a07becfd24df6d0ef893d11620cb3c300c86c327ed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

PowerPoint file ppam a524b17edc79f1cacd57f9a07becfd24df6d0ef893d11620cb3c300c86c327ed

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments