MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27f9b9be25a30c0bd075ea352dd69ca1ee26dd05c93f53e9a08ad2ee210a0022. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27f9b9be25a30c0bd075ea352dd69ca1ee26dd05c93f53e9a08ad2ee210a0022
SHA3-384 hash: 58be1fa03b39c8aebe6f7c0f33ac53005b06dedc442afa3b94808ccd9f084c1072e32e636ef97971f40b85fc00c21bf4
SHA1 hash: 7bfbe6c32c2a77e5b63eb298e10d7143277b458a
MD5 hash: 7acb98b0dc8f497197b6cd11475f61cf
humanhash: hamper-romeo-helium-carbon
File name:27f9b9be25a30c0bd075ea352dd69ca1ee26dd05c93f53e9a08ad2ee210a0022
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'931'066 bytes
First seen:2020-11-15 22:53:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7be4c98eebb39d282cdffc1cea8fb470 (661 x AveMariaRAT, 29 x Riskware.Generic)
ssdeep 12288:NzR7gMuxD/pWLPfyBbAG/rtWJba5xd0oMvbhUgXDqtA7W2FeDSIGVH/KIDgDgUe3:NiNM7MA4gJbauVXQDbGV6eH81kz
Threatray 16 similar samples on MalwareBazaar
TLSH 77959DB2B7780423C12729B08D0FD2A59E15BF6B1E05ABAB27753C0E5E7F644A057B43
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Daqc-6598201-0
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Eclv-9782803-0
Create hunting rule

Win.Malware.Eclv-9782804-0
Create hunting rule

Win.Malware.Eclv-9782973-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/538163
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318180 Sample: c7CFFyBPbU Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 129 Antivirus detection for dropped file 2->129 131 Antivirus / Scanner detection for submitted sample 2->131 133 Multi AV Scanner detection for submitted file 2->133 135 6 other signatures 2->135 12 c7CFFyBPbU.exe 1 51 2->12         started        16 StikyNot.exe 46 2->16         started        18 StikyNot.exe 2->18         started        20 7 other processes 2->20 process3 dnsIp4 95 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 12->95 dropped 97 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 12->97 dropped 173 Detected unpacking (changes PE section rights) 12->173 175 Detected unpacking (overwrites its own PE header) 12->175 177 Spreads via windows shares (copies files to share folders) 12->177 189 2 other signatures 12->189 23 c7CFFyBPbU.exe 1 3 12->23         started        27 diskperf.exe 12->27         started        179 Antivirus detection for dropped file 16->179 181 Detected unpacking (creates a PE file in dynamic memory) 16->181 183 Machine Learning detection for dropped file 16->183 191 2 other signatures 16->191 29 StikyNot.exe 16->29         started        31 diskperf.exe 16->31         started        185 Injects a PE file into a foreign processes 18->185 33 StikyNot.exe 18->33         started        105 127.0.0.1 unknown unknown 20->105 107 192.168.2.1 unknown unknown 20->107 187 Changes security center settings (notifications, updates, antivirus, firewall) 20->187 35 WerFault.exe 20->35         started        file5 signatures6 process7 file8 93 C:\Windows\System\explorer.exe, PE32 23->93 dropped 169 Installs a global keyboard hook 23->169 37 explorer.exe 47 23->37         started        171 Drops executables to the windows directory (C:\Windows) and starts them 29->171 41 explorer.exe 29->41         started        signatures9 process10 file11 89 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 37->89 dropped 91 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 37->91 dropped 155 Antivirus detection for dropped file 37->155 157 Detected unpacking (creates a PE file in dynamic memory) 37->157 159 Machine Learning detection for dropped file 37->159 167 5 other signatures 37->167 43 explorer.exe 3 17 37->43         started        48 diskperf.exe 37->48         started        161 Spreads via windows shares (copies files to share folders) 41->161 163 Sample uses process hollowing technique 41->163 165 Injects a PE file into a foreign processes 41->165 signatures12 process13 dnsIp14 109 vccmd03.googlecode.com 43->109 111 vccmd02.googlecode.com 43->111 113 4 other IPs or domains 43->113 99 C:\Windows\System\spoolsv.exe, PE32 43->99 dropped 101 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 43->101 dropped 193 System process connects to network (likely due to code injection or exploit) 43->193 195 Creates an undocumented autostart registry key 43->195 197 Installs a global keyboard hook 43->197 50 spoolsv.exe 47 43->50         started        54 spoolsv.exe 46 43->54         started        56 spoolsv.exe 43->56         started        58 2 other processes 43->58 file15 signatures16 process17 file18 87 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 50->87 dropped 137 Antivirus detection for dropped file 50->137 139 Detected unpacking (changes PE section rights) 50->139 141 Detected unpacking (creates a PE file in dynamic memory) 50->141 153 3 other signatures 50->153 60 spoolsv.exe 2 50->60         started        64 diskperf.exe 50->64         started        143 Spreads via windows shares (copies files to share folders) 54->143 145 Injects a PE file into a foreign processes 54->145 66 spoolsv.exe 54->66         started        68 diskperf.exe 54->68         started        147 Drops executables to the windows directory (C:\Windows) and starts them 56->147 149 Writes to foreign memory regions 56->149 151 Allocates memory in foreign processes 56->151 70 spoolsv.exe 56->70         started        72 diskperf.exe 56->72         started        74 spoolsv.exe 58->74         started        76 spoolsv.exe 58->76         started        78 2 other processes 58->78 signatures19 process20 file21 103 C:\Windows\System\svchost.exe, PE32 60->103 dropped 199 Installs a global keyboard hook 60->199 80 svchost.exe 60->80         started        201 Drops executables to the windows directory (C:\Windows) and starts them 66->201 83 svchost.exe 66->83         started        signatures22 process23 signatures24 115 Antivirus detection for dropped file 80->115 117 Detected unpacking (changes PE section rights) 80->117 119 Detected unpacking (overwrites its own PE header) 80->119 121 Machine Learning detection for dropped file 80->121 85 svchost.exe 80->85         started        123 Spreads via windows shares (copies files to share folders) 83->123 125 Sample uses process hollowing technique 83->125 127 Injects a PE file into a foreign processes 83->127 process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27f9b9be25a30c0bd075ea352dd69ca1ee26dd05c93f53e9a08ad2ee210a0022/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 22:54:40 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e743tprfumgaxudv5i2s3vu4uhxcnxifze7vh2narljo4iikaara._file
Verdict:
suspicious
Similar samples:
14e52e549676db824147ad08e351b2bae5a8df91ac58c50836743c3d7ec68806
AveMariaRAT
22b8cd43c2fe83b4516fa39d795e6da1374dfe1df93f38dfdbd7c5d316f0dd93
AveMariaRAT
452b5876fcb121316ad7d3ef6b2a6458e799ca73b4a17f72d4e11d17eefed9a9
AveMariaRAT
51de6a5e2a34adaa5fede04b7274fce7fea89f54b2100ba09f11662e9f9132c2
AveMariaRAT
5f4235a07c86cc4904b5d247870eb6b48c3254a96570f03723daffbd1880aeb8
AveMariaRAT
60751f7968b616b3120d67f3daf47df455e3ec1e0471c8e9d001030065e768d7
AveMariaRAT
bf312133bbf5084cf719d23988bf29b9ff4bb87f88e1c8c63d019640f6ca77a9
AveMariaRAT
cc5f9ed45bcf03b1e35d126b0d61bf83e8397ab700bc7e201fe08d251a68974b
AveMariaRAT
db6c1977d9325ddd1ba9b9aa417d9c6a32427ab341f3204f6ec04d14715fefa4
AveMariaRAT
e9d9443947b693b52dcbc27a0da86e3a5d5cafe2d9023e792ee573c52b0fc148
AveMariaRAT
+ 6 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat
Link:
https://tria.ge/reports/201115-y87wjdm7we/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
27f9b9be25a30c0bd075ea352dd69ca1ee26dd05c93f53e9a08ad2ee210a0022
MD5 hash:
7acb98b0dc8f497197b6cd11475f61cf
SHA1 hash:
7bfbe6c32c2a77e5b63eb298e10d7143277b458a
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/33f51056-ae79-444c-87dc-20977d54a3d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27f9b9be25a30c0bd075ea352dd69ca1ee26dd05c93f53e9a08ad2ee210a0022

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments