Loading... Additional Content is being loaded
Windows Analysis Report catalogue_2021_samples_list_revise_ol.doc
Overview
General Information
| Sample Name: | catalogue_2021_samples_list_revise_ol.doc |
| Analysis ID: | 492615 |
| MD5: | 84c45c2b0e94b8d1d064e739150ba84c |
| SHA1: | f6a98ac4e50a89495626b5eaebb85d1116554faa |
| SHA256: | 7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32 |
| Tags: | AveMariaRATdoc |
| Infos: | |
|
Most interesting Screenshot:  |
|
Detection
AveMaria UACMe
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Document exploit detected (drops PE files)
Yara detected AntiVM3
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell download and execute file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Powershell drops PE file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Uses schtasks.exe or at.exe to add and modify task schedules
Microsoft Office creates scripting files
Office process drops PE file
Injects files into Windows application
Increases the number of concurrent connection per server for Internet Explorer
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Contains functionality to steal e-mail passwords
Contains functionality to steal Chrome passwords or cookies
.NET source code contains very large strings
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Found suspicious RTF objects
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to enumerate running services
Sigma detected: Verclsid.exe Runs COM Object
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sigma detected: Windows PowerShell Web Request
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sigma detected: PowerShell Download from URL
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)
Classification
AV Detection: |
  |
|---|
| Antivirus detection for URL or domain |
| Source: |
Avira URL Cloud: |
||
| Found malware configuration |
| Source: |
Malware Configuration Extractor: |
||
| Multi AV Scanner detection for submitted file |
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Yara detected AveMaria stealer |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Multi AV Scanner detection for dropped file |
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Machine Learning detection for dropped file |
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Antivirus or Machine Learning detection for unpacked file |
| Source: |
Avira: |
||
Cryptography: |
|
|---|
| Uses Microsoft's Enhanced Cryptographic Provider |
| Source: |
Code function: |
14_2_0040B15E | |
| Source: |
Code function: |
14_2_0040CAFC | |
| Source: |
Code function: |
14_2_0040CC54 | |
| Source: |
Code function: |
14_2_0040CCB4 | |
| Source: |
Code function: |
14_2_0040A632 | |
| Source: |
Code function: |
14_2_0040CF58 | |
Exploits: |
|
|---|
| Yara detected UACMe UAC Bypass tool |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
Directory created: |
Jump to behavior | ||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Code function: |
14_2_0041002B | |
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
Code function: |
14_2_00409DF6 | |
| Source: |
Code function: |
14_2_0040FF27 | |
Software Vulnerabilities: |
|
|---|
| Document exploit detected (drops PE files) |
| Source: |
File created: |
Jump to dropped file | ||
| Document exploit detected (creates forbidden files) |
| Source: |
File created: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Document exploit detected (process start blacklist hit) |
| Source: |
Process created: |
||
| Potential document exploit detected (unknown TCP traffic) |
| Source: |
TCP traffic: |
||
| Potential document exploit detected (performs HTTP gets) |
| Source: |
TCP traffic: |
||
Networking: |
|
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| C2 URLs / IPs found in malware configuration |
| Source: |
URLs: |
||
| HTTP GET or POST without a user agent |
| Source: |
HTTP traffic detected: |
||
| Downloads executable code via HTTP |
| Source: |
HTTP traffic detected: | ||