File name:	PO-20190218.doc
Full analysis:	https://app.any.run/tasks/09cf24c2-106a-4574-b58f-bd866016fda7
Verdict:	Malicious activity
Threats:	WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	February 18, 2019, 14:05:40
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	ole-embedded opendir loader trojan stealer rat avemaria
Indicators:
MIME:	text/rtf
File info:	Rich Text Format data, unknown version
MD5:	F5AF325C95B02D317E274390C7C43A65
SHA1:	7A9D98DDF23CF296B066D27F583137ECC859670A
SHA256:	8539733DCBD902E903832E7522F99CFD49649A82FF4B373999B9D73B81F844F2
SSDEEP:	96:RZ4ABacBfXPBo08WZLkkUWwwrV4wPWw/J:oofJBo0VxkORV49wx


(PID) Process:	(1660) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	gs<
Value: 67733C007C060000010000000000000000000000
(PID) Process:	(1660) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(1660) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(1660) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	WORDFiles
Value: 1313996842
(PID) Process:	(1660) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1313996926
(PID) Process:	(1660) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1313996927
(PID) Process:	(1660) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:	write	Name:	MTTT
Value: 7C06000066029F1793C7D40100000000
(PID) Process:	(1660) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	4y<
Value: 34793C007C06000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(1660) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	4y<
Value: 34793C007C06000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(1660) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

PID	Process	Filename		Type
1660	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR6BE7.tmp.cvr		—
		MD5:—	SHA256:—
1660	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3BDF7694-B665-4811-8E89-EB67C9CB0233}.tmp		—
		MD5:—	SHA256:—
1660	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{12FCF90E-861B-47B6-B0E4-B5BB5B0E16C5}.tmp		—
		MD5:—	SHA256:—
1660	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{591C13D4-40AA-4C0C-BBC1-81EACD27F8FE}.tmp		—
		MD5:—	SHA256:—
1660	WINWORD.EXE	C:\Users\admin\Desktop\~$-20190218.doc		pgc
		MD5:—	SHA256:—
1660	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\Abctfhghghghghg.sct		binary
		MD5:—	SHA256:—
1660	WINWORD.EXE	C:\Users\admin\AppData\Roaming\fin2.exe		executable
		MD5:—	SHA256:—
1660	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:—	SHA256:—
1660	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\fin2[1].exe		executable
		MD5:—	SHA256:—
1660	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\PO-20190218.LNK		lnk
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1660	WINWORD.EXE	GET	200	66.85.47.43:80	http://zalmikog.com/PDF/fin2.exe	US	executable	868 Kb	suspicious
2420	sensitises.exe	GET	404	140.82.118.3:443	https://github.com/solmyr1/nothingtoseehere/raw/master/msvcp140.dll	US	html	126 Kb	malicious
2420	sensitises.exe	GET	404	140.82.118.3:443	https://github.com/solmyr1/nothingtoseehere/raw/master/softokn3.dll	US	html	126 Kb	malicious
2420	sensitises.exe	GET	404	140.82.118.3:443	https://github.com/solmyr1/nothingtoseehere/raw/master/vcruntime140.dll	US	html	126 Kb	malicious
2420	sensitises.exe	GET	404	140.82.118.3:443	https://github.com/solmyr1/nothingtoseehere/raw/master/mozglue.dll	US	html	126 Kb	malicious
2420	sensitises.exe	GET	404	140.82.118.3:443	https://github.com/solmyr1/nothingtoseehere/raw/master/freebl3.dll	US	html	126 Kb	malicious
2420	sensitises.exe	GET	404	140.82.118.3:443	https://github.com/solmyr1/nothingtoseehere/raw/master/nss3.dll	US	html	126 Kb	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
2420	sensitises.exe	91.192.100.13:2012	badnulls.warzonedns.com	SOFTplus Entwicklungen GmbH	CH	malicious
1660	WINWORD.EXE	66.85.47.43:80	zalmikog.com	Host4Geeks LLC	US	suspicious
2420	sensitises.exe	140.82.118.3:443	github.com	—	US	malicious

Domain	IP	Reputation
zalmikog.com	66.85.47.43	suspicious
badnulls.warzonedns.com	91.192.100.13	malicious
github.com	140.82.118.3 140.82.118.4	malicious

PID	Process	Class	Message
1660	WINWORD.EXE	Potentially Bad Traffic	ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
1660	WINWORD.EXE	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2420	sensitises.exe	A Network Trojan was detected	MALWARE [PTsecurity] RAT.Win32.AveMaria

General Info

PO-20190218.doc

F5AF325C95B02D317E274390C7C43A65

7A9D98DDF23CF296B066D27F583137ECC859670A

8539733DCBD902E903832E7522F99CFD49649A82FF4B373999B9D73B81F844F2

96:RZ4ABacBfXPBo08WZLkkUWwwrV4wPWw/J:oofJBo0VxkORV49wx

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Executable content was dropped or overwritten

Unusual execution from Microsoft Office

Requests a remote executable file from MS Office

Changes the autorun value in the registry

AVEMARIA was detected

Connects to CnC server

Stealing of credential data

Changes settings of System certificates

SUSPICIOUS

Unusual connect from Microsoft Office

Reads Internet Cache Settings

Executable content was dropped or overwritten

Starts MSHTA.EXE for opening HTA or HTMLS files

Creates files in the user directory

Starts itself from another location

Connects to unusual port

INFO

Reads the machine GUID from the registry

Reads Microsoft Office registry keys

Reads internet explorer settings

Creates files in the user directory

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings