Edit tour

Windows Analysis Report
DHL_29028263 documento de recibo de la compra,pdf.exe

Overview

General Information

Sample Name:	DHL_29028263 documento de recibo de la compra,pdf.exe
Analysis ID:	626596
MD5:	87a264aa9aec9ce66f4b092363dd5adc
SHA1:	64a0954e622afb6d5e2a0256f179d14f112ec723
SHA256:	eab5b352e41de89be099054e396f61a942401ab1518186496bc11be1c857242f
Tags:	AveMariaRATDHLexeRAT
Infos:

Detection

AveMaria, UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected UACMe UAC Bypass tool

Yara detected AveMaria stealer

Multi AV Scanner detection for dropped file

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Increases the number of concurrent connection per server for Internet Explorer

Contains functionality to hide user accounts

Contains functionality to steal e-mail passwords

Machine Learning detection for sample

Allocates memory in foreign processes

Binary or sample is protected by dotNetProtector

Contains functionality to steal Chrome passwords or cookies

Machine Learning detection for dropped file

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Contains functionality to inject threads in other processes

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Contains functionality to create new users

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

Creates processes with suspicious names

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Installs a raw input device (often for capturing keystrokes)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Checks if the current process is being debugged

Contains functionality to retrieve information about pressed keystrokes

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

DHL_29028263 documento de recibo de la compra,pdf.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe" MD5: 87A264AA9AEC9CE66F4B092363DD5ADC)

DHL_29028263 documento de recibo de la compra,pdf.exe (PID: 6600 cmdline: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe MD5: 87A264AA9AEC9CE66F4B092363DD5ADC)

cmd.exe (PID: 6632 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 2208 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4992 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 6716 cmdline: cmd.exe" /C copy "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe" "C:\Users\user\AppData\Roaming\window defender\window defender.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

window defender.exe (PID: 3668 cmdline: C:\Users\user\AppData\Roaming\window defender\window defender.exe MD5: 87A264AA9AEC9CE66F4B092363DD5ADC)

cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "37.0.14.197", "port": 1997}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.417195755.000000000054F000.00000040.00000400.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000003.00000000.417195755.000000000054F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x172dd:$r1: Classes\Folder\shell\open\command 0x17300:$k1: DelegateExecute
00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x16ce4:$s1: RDPClip 0x173cc:$s2: Grabber 0x16ee0:$s3: Ave_Maria Stealer OpenSource 0x16fe0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x16d16:$s5: @\cmd.exe 0x14850:$s8: warzone160
00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000003.00000000.416662895.000000000054F000.00000040.00000400.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000003.00000000.416662895.000000000054F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x172dd:$r1: Classes\Folder\shell\open\command 0x17300:$k1: DelegateExecute
00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x16ce4:$s1: RDPClip 0x173cc:$s2: Grabber 0x16ee0:$s3: Ave_Maria Stealer OpenSource 0x16fe0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x16d16:$s5: @\cmd.exe 0x14850:$s8: warzone160
00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000003.00000003.431594632.00000000012CF000.00000004.00000020.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x7c0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x35c8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x7c0:$c1: Elevation:Administrator!new: 0x35c8:$c1: Elevation:Administrator!new:
00000003.00000003.431594632.00000000012CF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x18e10:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x18e10:$c1: Elevation:Administrator!new:
00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000003.00000002.622879575.000000000054F000.00000040.00000400.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000003.00000002.622879575.000000000054F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000003.00000003.426948480.00000000012CF000.00000004.00000020.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x7c0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x35c8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x7c0:$c1: Elevation:Administrator!new: 0x35c8:$c1: Elevation:Administrator!new:
00000003.00000003.426948480.00000000012CF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000003.00000000.418334237.000000000054F000.00000040.00000400.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000003.00000000.418334237.000000000054F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x172dd:$r1: Classes\Folder\shell\open\command 0x17300:$k1: DelegateExecute
00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x16ce4:$s1: RDPClip 0x173cc:$s2: Grabber 0x16ee0:$s3: Ave_Maria Stealer OpenSource 0x16fe0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x16d16:$s5: @\cmd.exe 0x14850:$s8: warzone160
00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x172dd:$r1: Classes\Folder\shell\open\command 0x17300:$k1: DelegateExecute
00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x16ce4:$s1: RDPClip 0x173cc:$s2: Grabber 0x16ee0:$s3: Ave_Maria Stealer OpenSource 0x16fe0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x16d16:$s5: @\cmd.exe 0x14850:$s8: warzone160
00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000003.00000000.417884328.000000000054F000.00000040.00000400.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000003.00000000.417884328.000000000054F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x172dd:$r1: Classes\Folder\shell\open\command 0x17300:$k1: DelegateExecute
00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x16ce4:$s1: RDPClip 0x173cc:$s2: Grabber 0x16ee0:$s3: Ave_Maria Stealer OpenSource 0x16fe0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x16d16:$s5: @\cmd.exe 0x14850:$s8: warzone160
00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
DHL_29028263 documento de recibo de la compra,pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AveMaria

Yara Signatures

Memory Dumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL_29028263 documento de recibo de la compra,pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AveMaria

Yara Signatures

Memory Dumps

Windows Analysis Report
DHL_29028263 documento de recibo de la compra,pdf.exe