# Malware Being Distributed by Disguising Itself as Icon of V3 Lite **asec.ahnlab.com/en/36629/** July 21, 2022 The ASEC analysis team has discovered the distribution of malware disguised as a V3 Lite icon and packed with the .NET packer. The attacker likely created an icon that is almost identical to that of V3 Lite to trick the user, and AveMaria RAT and AgentTesla were discovered during the last month using this method. ----- Figure 1. Malware using icon identical to that of V3 Lite executable As shown in Figure 1, the icon looks almost identical to the actual V3 Lite icon. AveMaria is a RAT (Remote Administration Tool) malware with remote control features that receives commands from the C&C server and performs a variety of malicious behaviors. It is usually distributed in the .NET packer form like AgentTesla, Lokibot, and Formbook to bypass anti-malware detection. Although the original name of AveMaria is WARZONE RAT, it sends the “AVE_MARIA” string for authentication when performing a proxy connection with the C2 server, thereyby also known as AveMaria. Additional features of the malware and the analysis information of its binary can be found in the AhnLab TIP Portal’s detailed analysis report and ASEC blog post. [AveMaria malware being distributed as spam mail](https://asec.ahnlab.com/en/17692/) While the malware is operating, winSAT.exe (Windows System Assessment Tool) and a command for UAC privilege escalation using the winmm.dll file were found, which were explained in the previous blog. [Distribution of Remcos RAT Disguised as Tax Invoice](https://asec.ahnlab.com/en/32376/) ----- Figure 2. UAC Bypass behavior found in the memory when AveMaria is executed When the malware is run, it deliberately causes a delay with timeout.exe. It then performs additional malicious behaviors by injecting a malicious binary into a normal Windows process named RegAsm.exe. Figure 4 shows the malicious binary inside the process. Figure 3. Process tree (injected into a normal process RegAsm.exe) ----- Figure 4. Malicious internal DLL binary found during the debugging process Besides AveMaria, the distribution of AgentTesla was also found. AgentTesla is an infostealer that leaks user information saved in web browsers, emails, and FTP clients. It is one of the most prolific malware in terms of distribution, being constantly ranked high in the ASEC Weekly Malware Statistics. [How AgentTesla Malware is Being Distributed in Korea](https://asec.ahnlab.com/en/17550/) Figure 5. RAPIT log – Snatching web browser data ----- Figure 6. Malicious binary downloaded from an external URL process tree Figure 7. RAPIT ----- Upon using AhnLab s infrastructure to check the related malicious files that use V3 Lite icon, it was found that the distribution is done actively. Most of such malicious files are distributed through attachments of phishing emails. At the basic level, users should refrain from opening attachments in emails from unknown sources and update the anti-malware program to the latest version to prevent malware infection in advance. AhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below. **[File Detection]** Trojan/Win.MSILKrypt.R495355 Trojan/Win.MSILKrypt.R498085 Trojan/Win.MSIL.C5152589 Trojan/Win.MSIL.R500015 Trojan/Win.MSIL.C515258 Trojan/Win.AveMaria.R498632 Trojan/Win.Tnega.C5059801 Downloader/Win.MSIL.R498629 **[Memory Detection]** Trojan/Win.AgentTesla.XM95 **[Behavior Detection]** Persistence/MDP.AutoRun.M224 **[IOC]** c5cb27cb09bdc222aeffaf0cccb96bad ccb55c0200203e7fb4748d28c30ba2f9 45.162.228[.]171:26112 3280690e018ceb2112ee695933f65742 hxxp://ppz.devel.gns.com[.]br/temps/donexx.exe hxxp://filetransfer[.]io/data-package/XRWqXdNN/download **Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to** **check related IOC and detailed analysis information.** [Categories:Malware Information](https://asec.ahnlab.com/en/category/malware-information/) [Tagged as:AGENTTESLA,](https://asec.ahnlab.com/en/tag/agenttesla-en/) [Avemaria,](https://asec.ahnlab.com/en/tag/avemaria-en/) [InfoStealer,](https://asec.ahnlab.com/en/tag/infostealer-en/) [malware,](https://asec.ahnlab.com/en/tag/malware-en/) [Phishing email](https://asec.ahnlab.com/tag/phishing-email/) -----