MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3093a36c7e6517af79b2accb877b76346054847365df4f171c3b5ea1da4bfe45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3093a36c7e6517af79b2accb877b76346054847365df4f171c3b5ea1da4bfe45
SHA3-384 hash: 355beafad6c2b29618aebd2912e8ca8fb0c1ecdd0f85f134a5f89187ba32f80e26c2184887aebdef514dc28e27fec2d1
SHA1 hash: 5907387e919a066e2f6015b7b87e5558aea04dbf
MD5 hash: 78ee30b957519390579172dc143abddd
humanhash: south-batman-carolina-west
File name:3093a36c7e6517af79b2accb877b76346054847365df4f171c3b5ea1da4bfe45
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'931'085 bytes
First seen:2020-11-14 18:29:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7be4c98eebb39d282cdffc1cea8fb470 (661 x AveMariaRAT, 29 x Riskware.Generic)
ssdeep 12288:gPkiIos1uXZiAIceqygIRsxrvstgqtbI0+t9wBPvBSQkwkA7W2FeDSIGVH/KIDgo:S8OoKd8sxTlqtbI8PZFQDbGV6eH81kX
Threatray 1 similar samples on MalwareBazaar
TLSH E8958DE1BA764877D2631E72D98FC270A431BE6E575067AB33A93D1C99BB240B007707
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Daqc-6598201-0
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Eclv-9782803-0
Create hunting rule

Win.Malware.Eclv-9782804-0
Create hunting rule

Win.Malware.Eclv-9782973-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/535066
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316632 Sample: pfNQMz1ku6 Startdate: 14/11/2020 Architecture: WINDOWS Score: 100 152 Antivirus detection for dropped file 2->152 154 Antivirus / Scanner detection for submitted sample 2->154 156 Multi AV Scanner detection for submitted file 2->156 158 6 other signatures 2->158 12 pfNQMz1ku6.exe 1 51 2->12         started        15 StikyNot.exe 46 2->15         started        17 SyncHost.exe 2->17         started        19 2 other processes 2->19 process3 signatures4 188 Detected unpacking (changes PE section rights) 12->188 190 Detected unpacking (creates a PE file in dynamic memory) 12->190 192 Detected unpacking (overwrites its own PE header) 12->192 206 3 other signatures 12->206 21 pfNQMz1ku6.exe 1 3 12->21         started        25 diskperf.exe 5 12->25         started        194 Spreads via windows shares (copies files to share folders) 15->194 196 Writes to foreign memory regions 15->196 198 Allocates memory in foreign processes 15->198 27 StikyNot.exe 15->27         started        29 diskperf.exe 15->29         started        200 Antivirus detection for dropped file 17->200 202 Machine Learning detection for dropped file 17->202 204 Sample uses process hollowing technique 17->204 process5 file6 90 C:\Windows\System\explorer.exe, PE32 21->90 dropped 178 Installs a global keyboard hook 21->178 31 explorer.exe 47 21->31         started        92 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 25->92 dropped 94 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 25->94 dropped 96 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 25->96 dropped 35 StikyNot.exe 46 25->35         started        180 Drops executables to the windows directory (C:\Windows) and starts them 27->180 37 explorer.exe 27->37         started        signatures7 process8 file9 106 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 31->106 dropped 108 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 31->108 dropped 116 Antivirus detection for dropped file 31->116 118 Machine Learning detection for dropped file 31->118 120 Injects code into the Windows Explorer (explorer.exe) 31->120 134 2 other signatures 31->134 39 explorer.exe 3 17 31->39         started        44 diskperf.exe 31->44         started        122 Detected unpacking (changes PE section rights) 35->122 124 Detected unpacking (creates a PE file in dynamic memory) 35->124 126 Detected unpacking (overwrites its own PE header) 35->126 136 2 other signatures 35->136 46 StikyNot.exe 35->46         started        48 diskperf.exe 35->48         started        128 Spreads via windows shares (copies files to share folders) 37->128 130 Sample uses process hollowing technique 37->130 132 Injects a PE file into a foreign processes 37->132 signatures10 process11 dnsIp12 110 vccmd03.googlecode.com 39->110 112 vccmd02.googlecode.com 39->112 114 5 other IPs or domains 39->114 98 C:\Windows\System\spoolsv.exe, PE32 39->98 dropped 100 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 39->100 dropped 182 System process connects to network (likely due to code injection or exploit) 39->182 184 Creates an undocumented autostart registry key 39->184 186 Installs a global keyboard hook 39->186 50 spoolsv.exe 46 39->50         started        53 spoolsv.exe 46 39->53         started        55 spoolsv.exe 39->55         started        59 3 other processes 39->59 57 WerFault.exe 44->57         started        file13 signatures14 process15 signatures16 160 Antivirus detection for dropped file 50->160 162 Detected unpacking (changes PE section rights) 50->162 164 Detected unpacking (overwrites its own PE header) 50->164 176 2 other signatures 50->176 61 spoolsv.exe 2 50->61         started        65 diskperf.exe 50->65         started        166 Spreads via windows shares (copies files to share folders) 53->166 168 Writes to foreign memory regions 53->168 170 Allocates memory in foreign processes 53->170 67 spoolsv.exe 53->67         started        69 diskperf.exe 53->69         started        172 Drops executables to the windows directory (C:\Windows) and starts them 55->172 174 Injects a PE file into a foreign processes 55->174 77 2 other processes 55->77 71 spoolsv.exe 59->71         started        73 spoolsv.exe 59->73         started        75 spoolsv.exe 59->75         started        79 3 other processes 59->79 process17 file18 102 C:\Windows\System\svchost.exe, PE32 61->102 dropped 208 Installs a global keyboard hook 61->208 81 svchost.exe 61->81         started        210 Drops executables to the windows directory (C:\Windows) and starts them 67->210 84 svchost.exe 67->84         started        104 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 69->104 dropped signatures19 process20 signatures21 138 Antivirus detection for dropped file 81->138 140 Detected unpacking (changes PE section rights) 81->140 142 Detected unpacking (overwrites its own PE header) 81->142 150 3 other signatures 81->150 86 svchost.exe 81->86         started        88 diskperf.exe 81->88         started        144 Spreads via windows shares (copies files to share folders) 84->144 146 Sample uses process hollowing technique 84->146 148 Injects a PE file into a foreign processes 84->148 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3093a36c7e6517af79b2accb877b76346054847365df4f171c3b5ea1da4bfe45/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:35:01 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gcj2g3d6mul266nsvtfyo63wgrqfjbdtmxpu6fy4hnpkdwsl7zcq._file
Verdict:
unknown
Similar samples:
819213dcbaba4adab07064fb70f88e4a73f15294635ac0291d5809610151a92f
AveMariaRAT
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat
Link:
https://tria.ge/reports/201114-x5gkra9eyj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
3093a36c7e6517af79b2accb877b76346054847365df4f171c3b5ea1da4bfe45
MD5 hash:
78ee30b957519390579172dc143abddd
SHA1 hash:
5907387e919a066e2f6015b7b87e5558aea04dbf
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/f1315bca-92f0-40f8-bc98-a67a6a7d3105/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3093a36c7e6517af79b2accb877b76346054847365df4f171c3b5ea1da4bfe45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments