VRad

#avemaria_rat_200720

Jul 20th, 2020

#IOC #OptiData #VR #avemaria #rat #RAR #EXE

https://pastebin.com/LV9NKUiy

previous_contact:
17/02/20 https://pastebin.com/DCPutqaR

FAQ: https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

attack_vector
--------------
email URL > .z(RAR) > exe > C2 > drop dll > dism > ...

email_headers
--------------
Received: from slot0.brookvvoodcos.com (slot0.brookvvoodcos.com [45.95.170.152])
From: Purchase A. S <info@brookvvoodcos.com>
To: user00@victim77.com
Subject: Re: New Supplier enquiry-PO/Contract Brookswoods
Date: 20 Jul 2020 01:00:22 -0700
Return-Path: info@brookvvoodcos.com

files
--------------
SHA-256 5a458dda2000f0d7d0f5e821765933191f15bfabbff7618fc761ef37ba1f0398
File name New Supplier inquiry 0720THAMZ_ doc.z [RAR archive data, v1d, os: Win32]
File size 294.40 KB (301467 bytes)

SHA-256 5da3ddb36051056f35b74336c9f548557bcfc118adf8a8f454124bc7a986b7f9
File name New Supplier inquiry 0720THAMZ_ doc.exe [ .NET executable ]
File size 762.97 KB (781280 bytes)

activity
**************
PL_SCR
https://onedrive.live.com/download?cid=1B9A2752AF248CE2&resid=1B9A2752AF248CE2%21109&authkey=AFxFOCOUl8etxDU

C2
87.98.158.105:6080 [divine.awsmppl.com]

netwrk
--------------
[tcp]
87.98.158.105 50071 → 6080

comp
--------------
New Supplier inquiry 0720THAMZ_ doc.exe 4044 TCP 87.98.158.105 6080 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\New Supplier inquiry 0720THAMZ_ doc.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Get-MpPreference -verbose
C:\Users\operator\Desktop\New Supplier inquiry 0720THAMZ_ doc.exe
C:\Users\operator\Desktop\New Supplier inquiry 0720THAMZ_ doc.exe
C:\Users\operator\Desktop\New Supplier inquiry 0720THAMZ_ doc.exe
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml
"C:\Windows\SysWOW64\pkgmgr.exe" /n:%temp%\ellocnak.xml
"C:\Windows\SysWOW64\dism.exe" /online /norestart /apply-unattend:"C:\Users\support\AppData\Local\Temp\ellocnak.xml"

persist
--------------
n/a

drop
--------------
C:\tmp\nss3.dll
C:\tmp\msvcp140.dll
C:\tmp\freebl3.dll
C:\tmp\freebl3.dll
C:\tmp\mozglue.dll
C:\tmp\vcruntime140.dll
C:\tmp\dismcore.dll
C:\tmp\ellocnak.xml

ellocnak.xml
--------------
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<servicing>
<package action="install">
<assemblyIdentity name="Package_1_for_KB929761" version="6.0.1.1" language="neutral" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35"/>
<source location="%configsetroot%\Windows6.0-KB929761-x86.CAB" />
</package>
</servicing>
</unattend>

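detection_note (added example, not part of the original paste)
--------------
The proc, drop and ellocnak.xml sections together show the auto-elevating pkgmgr.exe being handed an unattend file from %temp%, pkgmgr.exe spawning dism.exe, and a dismcore.dll written to C:\tmp next to that XML. That combination is the known DISM DLL side-loading UAC bypass (pkgmgr.exe/dism.exe load dismcore.dll from the working directory); the paste itself only records the artifacts. The script below is an added triage example that runs the three checks a responder would want over this data: unattend XML fed to pkgmgr/dism from a user-writable path, dismcore.dll outside System32/SysWOW64, and what the unattend file actually asks servicing to do. Sample inputs are copied from the sections above; the user-writable and system-directory path lists are heuristics assumed by this example, not something the paste defines.

```python
"""Triage the pkgmgr.exe / dism.exe unattend chain from the IOC list above.

Added example, not part of the original paste. Sample inputs are copied from
the proc, drop and ellocnak.xml sections; the path heuristics are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: command lines and file drops taken from the sections above.
SAMPLE_PROCS = [
    r"C:\Users\operator\Desktop\New Supplier inquiry 0720THAMZ_ doc.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Get-MpPreference -verbose",
    r'C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml',
    r'"C:\Windows\SysWOW64\pkgmgr.exe" /n:%temp%\ellocnak.xml',
    r'"C:\Windows\SysWOW64\dism.exe" /online /norestart '
    r'/apply-unattend:"C:\Users\support\AppData\Local\Temp\ellocnak.xml"',
]
SAMPLE_DROPS = [
    r"C:\tmp\nss3.dll", r"C:\tmp\msvcp140.dll", r"C:\tmp\freebl3.dll",
    r"C:\tmp\mozglue.dll", r"C:\tmp\vcruntime140.dll", r"C:\tmp\dismcore.dll",
    r"C:\tmp\ellocnak.xml",
]
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<servicing>
<package action="install">
<assemblyIdentity name="Package_1_for_KB929761" version="6.0.1.1" language="neutral" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35"/>
<source location="%configsetroot%\Windows6.0-KB929761-x86.CAB" />
</package>
</servicing>
</unattend>
"""

# pkgmgr.exe /n:<xml>  or  dism.exe ... /apply-unattend:<xml>, quoted or not.
UNATTEND_RE = re.compile(
    r'(?:pkgmgr\.exe"?\s+/n:|dism\.exe"?\s.*?/apply-unattend:)"?(?P<xml>[^"\r\n]+?)"?\s*$',
    re.IGNORECASE,
)
# Heuristic (assumed by this example): locations a standard user can write to.
USER_WRITABLE = ("%temp%", "\\users\\", "\\temp\\", "c:\\tmp\\", "\\programdata\\")
# Where the genuine DISM binaries and their DLLs live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def unattend_xml(cmdline):
    """Return the unattend XML path a pkgmgr/dism command line points at, or None."""
    m = UNATTEND_RE.search(cmdline)
    return m.group("xml") if m else None


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def find_unattend_launches(cmdlines):
    """(cmdline, xml) pairs where pkgmgr/dism is fed an unattend file from a writable path."""
    hits = []
    for line in cmdlines:
        xml = unattend_xml(line)
        if xml and is_user_writable(xml):
            hits.append((line, xml))
    return hits


def dll_sideload_candidates(dropped_files, dll_name="dismcore.dll"):
    """Copies of a DISM-loaded DLL written anywhere other than the real system directories."""
    out = []
    for f in dropped_files:
        fl = f.lower()
        if fl.endswith("\\" + dll_name) and not fl.startswith(SYSTEM_DIRS):
            out.append(f)
    return out


def parse_unattend(xml_text):
    """Pull the servicing package action, identity and source out of an unattend file."""
    ns = {"u": "urn:schemas-microsoft-com:unattend"}
    root = ET.fromstring(xml_text.encode("utf-8"))
    pkg = root.find(".//u:servicing/u:package", ns)
    if pkg is None:
        return None
    ident = pkg.find("u:assemblyIdentity", ns)
    src = pkg.find("u:source", ns)
    return {
        "action": pkg.get("action"),
        "package": ident.get("name") if ident is not None else None,
        "source": src.get("location") if src is not None else None,
    }


def triage(cmdlines, dropped_files, xml_text):
    """Combine the three checks into one verdict for the sample."""
    launches = find_unattend_launches(cmdlines)
    dlls = dll_sideload_candidates(dropped_files)
    return {
        "unattend_launches": launches,
        "sideload_dlls": dlls,
        "unattend": parse_unattend(xml_text),
        # Elevated launcher fed a writable XML plus a hijackable DLL outside System32.
        "suspicious": bool(launches) and bool(dlls),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROCS, SAMPLE_DROPS, SAMPLE_XML).items():
        print(key, value)
```

On this sample all three pkgmgr/dism command lines are flagged (the XML sits under %temp% or the user's AppData), C:\tmp\dismcore.dll is the only side-load candidate, and the unattend file turns out to request a servicing install of Package_1_for_KB929761 from %configsetroot%, i.e. a harmless-looking stub whose only purpose is to get pkgmgr.exe to run dism.exe. A legitimate unattend launch from an installer path under C:\Windows or a dismcore.dll in System32\Dism produces no hit, so the heuristic is cheap enough to run over Sysmon event 1 and 11 output as-is.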
# # #
URL
https://www.virustotal.com/gui/url/575fe79e424c56a9366f7bbfd821caa5e052ee46f8bfb15b0da6295eef0ceaba/details

RAR
https://www.virustotal.com/gui/file/5a458dda2000f0d7d0f5e821765933191f15bfabbff7618fc761ef37ba1f0398/details

EXE
https://www.virustotal.com/gui/file/5da3ddb36051056f35b74336c9f548557bcfc118adf8a8f454124bc7a986b7f9/details

https://analyze.intezer.com/analyses/5d1b6409-beaf-4714-87ff-af387246ebc5

VR