MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34355208115466551faf533e62160e3b0cfaa2f3297acb7f3c83b27e7b530a88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34355208115466551faf533e62160e3b0cfaa2f3297acb7f3c83b27e7b530a88
SHA3-384 hash: c849807577e9b1e602e4bad688e5c6fb2e81bdd9dbc4359981d6e1148b46c4ba780e9875217fc70e38873103e58ec1f1
SHA1 hash: f459d8193e9c0ba77108be43c58da8c7f3621f1f
MD5 hash: 4364cd268004184eb8a144ee76bc6580
humanhash: crazy-nineteen-equal-tango
File name:34355208115466551faf533e62160e3b0cfaa2f3297acb7f3c83b27e7b530a88
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'930'962 bytes
First seen:2020-11-10 11:15:09 UTC
Last seen:2024-07-24 12:55:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7be4c98eebb39d282cdffc1cea8fb470 (661 x AveMariaRAT, 29 x Riskware.Generic)
ssdeep 12288:hapYW4u07hQu1ooI6YImUoIw64aqFu+jLv1BWLKd8RuOFA7W2FeDSIGVH/KIDgDZ:y9gL6RImi0aqFXAuBQDbGV6eH81kQ
TLSH 4A959EA2FFA1043FEB132A706C0FE360B52DBD6A1A18D35A27773C1E66A75907447346
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
58
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Daqc-6598201-0
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Eclv-9782803-0
Create hunting rule

Win.Malware.Eclv-9782804-0
Create hunting rule

Win.Malware.Eclv-9782973-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Creating a file in the mass storage device
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/529933
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 314065 Sample: Bauqa0Akn8 Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 123 Antivirus detection for dropped file 2->123 125 Antivirus / Scanner detection for submitted sample 2->125 127 Multi AV Scanner detection for submitted file 2->127 129 6 other signatures 2->129 12 Bauqa0Akn8.exe 1 51 2->12         started        15 StikyNot.exe 46 2->15         started        17 SyncHost.exe 2->17         started        19 3 other processes 2->19 process3 signatures4 193 Detected unpacking (changes PE section rights) 12->193 195 Detected unpacking (creates a PE file in dynamic memory) 12->195 197 Detected unpacking (overwrites its own PE header) 12->197 211 3 other signatures 12->211 21 Bauqa0Akn8.exe 1 3 12->21         started        25 diskperf.exe 5 12->25         started        199 Spreads via windows shares (copies files to share folders) 15->199 201 Writes to foreign memory regions 15->201 203 Allocates memory in foreign processes 15->203 27 StikyNot.exe 15->27         started        29 diskperf.exe 15->29         started        205 Antivirus detection for dropped file 17->205 207 Machine Learning detection for dropped file 17->207 209 Sample uses process hollowing technique 17->209 31 WerFault.exe 19->31         started        process5 file6 97 C:\Windows\System\explorer.exe, PE32 21->97 dropped 183 Installs a global keyboard hook 21->183 33 explorer.exe 47 21->33         started        99 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 25->99 dropped 101 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 25->101 dropped 103 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 25->103 dropped 37 StikyNot.exe 46 25->37         started        185 Drops executables to the windows directory (C:\Windows) and starts them 27->185 39 explorer.exe 27->39         started        signatures7 process8 file9 93 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 33->93 dropped 95 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 33->95 dropped 131 Antivirus detection for dropped file 33->131 133 Detected unpacking (creates a PE file in dynamic memory) 33->133 135 Machine Learning detection for dropped file 33->135 147 5 other signatures 33->147 41 explorer.exe 3 17 33->41         started        46 diskperf.exe 33->46         started        137 Detected unpacking (changes PE section rights) 37->137 139 Detected unpacking (overwrites its own PE header) 37->139 141 Spreads via windows shares (copies files to share folders) 37->141 48 StikyNot.exe 37->48         started        50 diskperf.exe 37->50         started        143 Sample uses process hollowing technique 39->143 145 Injects a PE file into a foreign processes 39->145 signatures10 process11 dnsIp12 111 vccmd03.googlecode.com 41->111 113 vccmd02.googlecode.com 41->113 115 4 other IPs or domains 41->115 105 C:\Windows\System\spoolsv.exe, PE32 41->105 dropped 107 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 41->107 dropped 187 System process connects to network (likely due to code injection or exploit) 41->187 189 Creates an undocumented autostart registry key 41->189 191 Installs a global keyboard hook 41->191 52 spoolsv.exe 46 41->52         started        55 spoolsv.exe 46 41->55         started        57 spoolsv.exe 41->57         started        61 2 other processes 41->61 109 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 46->109 dropped 59 explorer.exe 48->59         started        file13 signatures14 process15 signatures16 149 Antivirus detection for dropped file 52->149 151 Detected unpacking (changes PE section rights) 52->151 153 Detected unpacking (creates a PE file in dynamic memory) 52->153 167 3 other signatures 52->167 63 spoolsv.exe 2 52->63         started        68 diskperf.exe 52->68         started        155 Spreads via windows shares (copies files to share folders) 55->155 157 Writes to foreign memory regions 55->157 159 Allocates memory in foreign processes 55->159 70 spoolsv.exe 55->70         started        72 diskperf.exe 55->72         started        161 Drops executables to the windows directory (C:\Windows) and starts them 57->161 163 Injects a PE file into a foreign processes 57->163 74 spoolsv.exe 57->74         started        76 diskperf.exe 57->76         started        165 Sample uses process hollowing technique 59->165 78 spoolsv.exe 61->78         started        80 spoolsv.exe 61->80         started        82 2 other processes 61->82 process17 dnsIp18 117 192.168.2.1 unknown unknown 63->117 91 C:\Windows\System\svchost.exe, PE32 63->91 dropped 119 Installs a global keyboard hook 63->119 84 svchost.exe 63->84         started        121 Drops executables to the windows directory (C:\Windows) and starts them 70->121 87 svchost.exe 70->87         started        file19 signatures20 process21 signatures22 169 Antivirus detection for dropped file 84->169 171 Detected unpacking (changes PE section rights) 84->171 173 Detected unpacking (overwrites its own PE header) 84->173 175 Machine Learning detection for dropped file 84->175 89 svchost.exe 84->89         started        177 Spreads via windows shares (copies files to share folders) 87->177 179 Sample uses process hollowing technique 87->179 181 Injects a PE file into a foreign processes 87->181 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34355208115466551faf533e62160e3b0cfaa2f3297acb7f3c83b27e7b530a88/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 11:18:42 UTC
AV detection:
38 of 48 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gq2vecarkrtfkh5pkm7gefqohmgpvixtff5mw7z4qozh462tbkea._file
Verdict:
unknown
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat
Link:
https://tria.ge/reports/201110-fnqd1ttfns/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
34355208115466551faf533e62160e3b0cfaa2f3297acb7f3c83b27e7b530a88
MD5 hash:
4364cd268004184eb8a144ee76bc6580
SHA1 hash:
f459d8193e9c0ba77108be43c58da8c7f3621f1f
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/03226a40-8a0d-4b4b-8158-1ea33094caa2/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments