1. Executive Summary
A. Fingerprinting
MD5: 459aad8cc95d9fe2bd1d3199966289f7
SHA256: eb22d542b3b6e69a98801ff7843fa6981b13ca8628a5382cfdc0f713cdb72cba
VirusTotal Report: https://www.virustotal.com/gui/file/eb22d542b3b6e69a98801ff7843fa6981b13ca8628a5382cfdc0f713cdb72cba
B. Classification
Infostealer, used to harvest stored credentials and session objects (cookies, tokens) from the browsers installed on the machine.
C. Behavioral Summary
The malware is a PyInstaller-packed executable with slight obfuscation. When the sample is executed, the bootloader stub extracts the packed Python bytecode and the required libraries (the Python runtime DLL and native extension modules) into a temporary folder. It then spawns a child process by executing itself again, adds the temporary folder to its DLL search directories, and unpacks and unmarshals the Python bytecode on the fly, in memory, so the script code never has to be written to disk as a .py or .pyc file.
1. Executive Summary
A. Fingerprinting
MD5: 425cf022932c7ace6542f18af4fbac2a
SHA256: b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d
VirusTotal Report: https://www.virustotal.com/gui/file/b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d/detection/f-b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d-1668189288
B. Classification
AveMariaRat is a Remote Access Trojan that lets the attacker connect to and control the victim's machine through a decoy process and a reverse connection to its C&C server.
C. Behavioral Summary
AveMariaRat relies on a common technique to disguise the malicious executable: it carries a fake Word document icon. Once launched, the executable runs cmd commands that create two distinct DLL files.