{
	"id": "262d05eb-85d3-4799-b9d1-c2761fe94e0c",
	"created_at": "2026-04-06T00:07:54.36688Z",
	"updated_at": "2026-04-10T03:20:44.758802Z",
	"deleted_at": null,
	"sha1_hash": "680612424a9db4506ddc00d93d5c582612e2f97d",
	"title": "Malware Being Distributed by Disguising Itself as Icon of V3 Lite - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1226980,
	"plain_text": "Malware Being Distributed by Disguising Itself as Icon of V3 Lite -\r\nASEC\r\nBy ATCP\r\nPublished: 2022-07-11 · Archived: 2026-04-02 10:43:28 UTC\r\nThe ASEC analysis team has discovered malware being distributed with an icon disguised as that of V3 Lite and packed with a .NET packer. The attacker likely created an icon almost identical to the V3 Lite icon to trick users, and both AveMaria RAT and AgentTesla were found being distributed this way during the past month.\r\nhttps://asec.ahnlab.com/en/36629/\r\nPage 1 of 6\r\n\r\nAs shown in Figure 1, the icon looks almost identical to the actual V3 Lite icon.\r\n\r\nAveMaria is a RAT (Remote Administration Tool) with remote control features: it receives commands from the C\u0026C server and performs a variety of malicious behaviors. Like AgentTesla, Lokibot, and Formbook, it is usually distributed in .NET-packed form to evade anti-malware detection.\r\n\r\nAlthough the original name of AveMaria is WARZONE RAT, it sends the “AVE_MARIA” string for authentication when establishing a proxy connection with the C2 server, which is why it is also known as AveMaria. Additional features of the malware and the analysis of its binary can be found in the AhnLab TIP Portal’s detailed analysis report and the ASEC blog post.\r\n\r\nWhile the malware is running, winSAT.exe (Windows System Assessment Tool) and a command for UAC privilege escalation using the winmm.dll file were observed (a UAC bypass in which the auto-elevating winSAT.exe is made to load an attacker-supplied winmm.dll), as explained in the previous blog post.\r\n\r\nWhen the malware is run, it deliberately delays execution with timeout.exe. It then performs additional malicious behavior by injecting a malicious binary into RegAsm.exe, a legitimate .NET Framework utility (the Assembly Registration Tool). Figure 4 shows the malicious binary inside the process.\r\n\r\nBesides AveMaria, AgentTesla was also found being distributed this way. AgentTesla is an info-stealer that exfiltrates user information saved in web browsers, email clients, and FTP clients. It is one of the most prolific malware families in terms of distribution, consistently ranking high in the ASEC Weekly Malware Statistics.\r\n\r\nA check of related malicious files using the V3 Lite icon across AhnLab’s infrastructure shows that distribution is active. Most of these files are delivered as attachments to phishing emails. As a baseline, users should refrain from opening attachments in emails from unknown sources and keep their anti-malware product updated to the latest version to prevent infection.\r\n\r\nAhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.\r\n[File Detection]\r\nTrojan/Win.MSILKrypt.R495355\r\nTrojan/Win.MSILKrypt.R498085\r\nTrojan/Win.MSIL.C5152589\r\nTrojan/Win.MSIL.R500015\r\nTrojan/Win.MSIL.C515258\r\nTrojan/Win.AveMaria.R498632\r\nTrojan/Win.Tnega.C5059801\r\nDownloader/Win.MSIL.R498629\r\n[Memory Detection]\r\nTrojan/Win.AgentTesla.XM95\r\n[Behavior Detection]\r\nPersistence/MDP.AutoRun.M224\r\n\r\nMD5\r\n3280690e018ceb2112ee695933f65742\r\nc5cb27cb09bdc222aeffaf0cccb96bad\r\nccb55c0200203e7fb4748d28c30ba2f9\r\n\r\nURL\r\nhttp[:]//45[.]162[.]228[.]171[:]26112/\r\nhttp[:]//filetransfer[.]io/data-package/XRWqXdNN/download\r\nhttp[:]//ppz[.]devel[.]gns[.]com[.]br/temps/donexx[.]exe\r\n\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/36629/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/36629/"
	],
	"report_names": [
		"36629"
	],
	"threat_actors": [],
	"ts_created_at": 1775434074,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/680612424a9db4506ddc00d93d5c582612e2f97d.pdf",
		"text": "https://archive.orkl.eu/680612424a9db4506ddc00d93d5c582612e2f97d.txt",
		"img": "https://archive.orkl.eu/680612424a9db4506ddc00d93d5c582612e2f97d.jpg"
	}
}