MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19e260f3f8e21a501e0bc8b6e5285da663cb0284f453891e78a5d2f28fec1ee4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19e260f3f8e21a501e0bc8b6e5285da663cb0284f453891e78a5d2f28fec1ee4
SHA3-384 hash: 90d86f80c6c2e46f5a228e2042045974364b7bd736ed7c588bca08f2dfb31222ecd06daf775991110fa1e92bdbccf5f4
SHA1 hash: 45db2776f308458dbc2e87bd796428b98400f5f2
MD5 hash: f4897c97949e0753add68806cf721c60
humanhash: east-high-california-indigo
File name:19e260f3f8e21a501e0bc8b6e5285da663cb0284f453891e78a5d2f28fec1ee4
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'216'400 bytes
First seen:2020-11-12 14:39:22 UTC
Last seen:2024-07-24 11:44:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a498eee87e4d89512a84502f500181f (138 x AveMariaRAT, 57 x RedLineStealer, 7 x CoinMiner)
ssdeep 12288:GIbsBDU0I6+Tu0TJ0N1oYgeOFwA7W2FeDSIGVH/KIDgDgUeHbY1tk2:GIbGD2JTu0GoJQDbGV6eH8tk2
Threatray 3'920 similar samples on MalwareBazaar
TLSH FC459ED0377E1407E65325B9FC0FD1606185BDAE9F40A7AF6B3ABC2694A3345A063B07
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Win.Malware.Daqc-6598201-0
Create hunting rule

Win.Malware.Eclv-9782803-0
Create hunting rule

Win.Malware.Eclv-9782804-0
Create hunting rule

Win.Malware.Eclv-9782973-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Creating a file in the mass storage device
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/533383
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide user accounts
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Spreads via windows shares (copies files to share folders)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 315796 Sample: nF8uNere1T Startdate: 13/11/2020 Architecture: WINDOWS Score: 100 79 Antivirus detection for dropped file 2->79 81 Antivirus / Scanner detection for submitted sample 2->81 83 Multi AV Scanner detection for dropped file 2->83 85 5 other signatures 2->85 12 nF8uNere1T.exe 1 51 2->12         started        15 StikyNot.exe 2->15         started        17 StikyNot.exe 2->17         started        process3 signatures4 103 Detected unpacking (changes PE section rights) 12->103 105 Detected unpacking (creates a PE file in dynamic memory) 12->105 107 Detected unpacking (overwrites its own PE header) 12->107 109 6 other signatures 12->109 19 diskperf.exe 5 12->19         started        21 nF8uNere1T.exe 1 3 12->21         started        23 WerFault.exe 2 9 15->23         started        26 WerFault.exe 23 9 17->26         started        process5 dnsIp6 28 StikyNot.exe 49 19->28         started        31 StikyNot.exe 49 19->31         started        33 StikyNot.exe 19->33         started        77 192.168.2.1 unknown unknown 23->77 process7 signatures8 111 Spreads via windows shares (copies files to share folders) 28->111 113 Writes to foreign memory regions 28->113 115 Allocates memory in foreign processes 28->115 117 Injects a PE file into a foreign processes 28->117 35 diskperf.exe 4 28->35         started        37 StikyNot.exe 2 28->37         started        119 Antivirus detection for dropped file 31->119 121 Detected unpacking (changes PE section rights) 31->121 123 Detected unpacking (creates a PE file in dynamic memory) 31->123 125 3 other signatures 31->125 39 StikyNot.exe 2 31->39         started        41 diskperf.exe 31->41         started        process9 process10 43 StikyNot.exe 49 35->43         started        signatures11 95 Spreads via windows shares (copies files to share folders) 43->95 97 Writes to foreign memory regions 43->97 99 Allocates memory in foreign processes 43->99 101 Injects a PE file into a foreign processes 43->101 46 diskperf.exe 43->46         started        49 StikyNot.exe 2 43->49         started        process12 file13 73 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 46->73 dropped 75 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 46->75 dropped 51 StikyNot.exe 46->51         started        55 StikyNot.exe 46->55         started        process14 file15 65 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 51->65 dropped 67 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 51->67 dropped 69 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 51->69 dropped 71 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 51->71 dropped 87 Spreads via windows shares (copies files to share folders) 51->87 89 Injects a PE file into a foreign processes 51->89 57 StikyNot.exe 51->57         started        59 diskperf.exe 51->59         started        91 Writes to foreign memory regions 55->91 93 Allocates memory in foreign processes 55->93 61 StikyNot.exe 55->61         started        63 diskperf.exe 55->63         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19e260f3f8e21a501e0bc8b6e5285da663cb0284f453891e78a5d2f28fec1ee4/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 14:45:08 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dhrgb47y4infahqlzc3okkc5uzr4waue6rjyshtyuxjpfd7md3sa._file
Verdict:
unknown
Similar samples:
0590d0aecfea1d3587163f930592279d14e709579f36392dd984afb3cd73fe55
AveMariaRAT
13cad8715da2c690091d24ea3eed6b4ef38ccf1229f1014fdfb1902cccd41a5f
AveMariaRAT
5553a7b6943f4c1435ec14ecb41b95029d6f2a94f7f415f660c14bd8b68ab7f9
AveMariaRAT
66ad721d4568a5a8e5ef1a1efad188f4292398449b34daa68beab5e64a4a3a91
AveMariaRAT
75b5924059485247b806f567965abe6b67a5eac4f2a170d891a3eb620b68555f
AveMariaRAT
7f1df3446a1e0130e99c6de60ab3aedebca5fa49f576591a0a6dfa14c7d9fd21
AveMariaRAT
99d7aa1f965c458b612b93f336191c5cc91a448270d53a2df6091437363dda70
AveMariaRAT
a828e622f76666e23459f75e1eba33e34b919b1e129d64b937c46a1a30c8a356
AveMariaRAT
bfc37612ba0820ca68c0a867f4fe169899dcd96aae8f1666da8a136a70d0fcfb
AveMariaRAT
f9676410bb9da322ef7440edfc31815ff0f0a32f92269770d869f62c8f1ee497
AveMariaRAT
+ 3'910 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat aspackv2 persistence rat
Link:
https://tria.ge/reports/201112-xkdb2bndps/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
19e260f3f8e21a501e0bc8b6e5285da663cb0284f453891e78a5d2f28fec1ee4
MD5 hash:
f4897c97949e0753add68806cf721c60
SHA1 hash:
45db2776f308458dbc2e87bd796428b98400f5f2
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/88788346-6f4e-4407-8ba7-7c781a04de68/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments