VRad
#avemaria_rat_170220

Feb 19th, 2020
#IOC #OptiData #VR #avemaria #rat #rtf #ole

https://pastebin.com/DCPutqaR

previous_contact: n/a

FAQ: https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

attack_vector
--------------
email attach .RAR (RTF) > OLE > WINWORD/PowerShell GET1 > exe > inject > GET2 > C2

email_headers
--------------
n/a

files
--------------
SHA-256 a4463283f5a3ab502255c7fec9bee784ef59c60cfb6403c3e9fa70f2f8907002
File name PO.rar [RAR archive data, v9, flags: Archive volume, Commented, Solid, os: OS/2]
File size 21.17 KB (21679 bytes)

SHA-256 c7cb63136bf492c95a8287d68d9c87bf691f61a78d5e5aa3d58330aa4994b14c
File name PO.rtf [Rich Text Format data, version 1, unknown character set]
File size 227.91 KB (233378 bytes)

SHA-256 cec74536b20d20fd5c2efa88ed6acd0b1dc30e3468b0210f77d3dc61e13be813
File name onedrive.exe (War.exe) [PE32 executable for MS Windows (GUI) Intel 80386 32-bit]
File size 56.00 KB (57344 bytes)

SHA-256 8a1d35e9d6a89dae14913e3a6f5cd1e076265200b6964a6b2c7525609a14e351
File name WAR000_encrypted_826437F.bin [data]
File size 101.06 KB (103488 bytes)


activity
**************
PL_SCR 111.90.146.85

C2 79.134.225.103:5216


netwrk
--------------
[http]
111.90.146.85 GET /War.exe HTTP/1.1 Mozilla/4.0

[ssl]
172.217.16.14 drive.google.com Client Hello
216.58.215.97 doc-0o-a0-docs.googleusercontent.com Client Hello

https://drive.google.com/uc?export=download&id=1MH7ScDeCxiVx_HqUd0pCXym7fK2nwhw0

https://doc-0o-a0-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/b20lm8o33hdvcadejmau7msvqvalgj7d/1582110000000/02764085834106481668/*/1MH7ScDeCxiVx_HqUd0pCXym7fK2nwhw0?e=download


comp
--------------
WINWORD.EXE 3124 TCP localhost 52482 111.90.146.85 80 ESTABLISHED
ieinstal.exe 3284 TCP localhost 52484 216.58.215.97 443 ESTABLISHED
ieinstal.exe 3284 TCP localhost 52483 172.217.16.14 443 ESTABLISHED
ieinstal.exe 3284 TCP localhost 52487 79.134.225.103 5216 SYN_SENT


proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\ProgramData\War.exe
C:\Program Files (x86)\internet explorer\ieinstal.exe | C:\Users\operator\Desktop\War.exe


persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 17.02.2020 1:08
Startup key KDEBREVEVA commensur
c:\users\operator\subfolder1\onedrive.exe 25.04.2008 0:48


drop
--------------
C:\ProgramData\War.exe
C:\ProgramData\hrjytrj.cmd | data%\War.exe
C:\Users\operator\subfolder1\OneDrive.exe

# # #
RAR
https://www.virustotal.com/gui/file/a4463283f5a3ab502255c7fec9bee784ef59c60cfb6403c3e9fa70f2f8907002/details
RTF
https://www.virustotal.com/gui/file/c7cb63136bf492c95a8287d68d9c87bf691f61a78d5e5aa3d58330aa4994b14c/details
URL
https://www.virustotal.com/gui/url/f67dcc537c121cb573d4367bca2bddb0bcac2d88d4af2d56e60df93758221038/details
EXE
https://www.virustotal.com/gui/file/cec74536b20d20fd5c2efa88ed6acd0b1dc30e3468b0210f77d3dc61e13be813/details
https://analyze.intezer.com/#/analyses/6ed63295-54de-4f53-a496-8aa8f4634a27

data
https://www.virustotal.com/gui/file/8a1d35e9d6a89dae14913e3a6f5cd1e076265200b6964a6b2c7525609a14e351/details

VR