MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c
SHA3-384 hash: bdf0fc2b563894f2dc64228632b253824ee79c7a0d7f0f9405052b931e11ee07761b723e1947a43990611974e1e2b9af
SHA1 hash: c5228f361b273aae8dbcead1a614be678402c446
MD5 hash: b9a347ae47fc218b9d581d28cfdf2f02
humanhash: neptune-eleven-aspen-cola
File name:3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:6'403'504 bytes
First seen:2021-02-28 07:27:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep 49152:3Ty7A3mw4gxeOw46fUbNecCCFbNecdTy7A3mw4gxeOw46fUbNecCCFbNecZ:3Ty7m9xZw46G8q8gTy7m9xZw46G8q8K
Threatray 3'063 similar samples on MalwareBazaar
TLSH 4C56BED571290523E9636133A40F7A91A2A9FD292300B6B7B77E7BCD49B30D9D19330B
Reporter JAMESWT_WT
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
949
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c
Verdict:
Malicious activity
Analysis date:
2021-02-28 08:06:03 UTC
Tags:
installer
Link:
https://app.any.run/tasks/78f8e635-48b2-44c0-9dce-00c900f980ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119983/
Detection(s):
PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.Ep-7
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Win.Trojan.Ulise-9792178-0
Create hunting rule

Win.Trojan.Ulise-9792179-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/620770
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Command shell drops VBS files
Contain functionality to detect virtual machines
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 359378 Sample: nAsC9ryZh1 Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 105 vccmd01.googlecode.com 2->105 107 googlecode.l.googleusercontent.com 2->107 129 Malicious sample detected (through community Yara rule) 2->129 131 Antivirus detection for dropped file 2->131 133 Antivirus / Scanner detection for submitted sample 2->133 135 7 other signatures 2->135 12 nAsC9ryZh1.exe 2->12         started        15 wscript.exe 1 2->15         started        17 StikyNot.exe 2->17         started        19 3 other processes 2->19 signatures3 process4 signatures5 187 Detected unpacking (changes PE section rights) 12->187 189 Detected unpacking (creates a PE file in dynamic memory) 12->189 191 Detected unpacking (overwrites its own PE header) 12->191 201 5 other signatures 12->201 21 nAsC9ryZh1.exe 1 51 12->21         started        24 cmd.exe 2 12->24         started        26 nAsC9ryZh1.exe 15->26         started        193 Antivirus detection for dropped file 17->193 195 Multi AV Scanner detection for dropped file 17->195 197 Machine Learning detection for dropped file 17->197 28 StikyNot.exe 17->28         started        30 cmd.exe 17->30         started        199 Injects code into the Windows Explorer (explorer.exe) 19->199 33 explorer.exe 19->33         started        process6 file7 149 Spreads via windows shares (copies files to share folders) 21->149 151 Sample is not signed and drops a device driver 21->151 153 Injects a PE file into a foreign processes 21->153 35 nAsC9ryZh1.exe 1 3 21->35         started        39 diskperf.exe 21->39         started        155 Command shell drops VBS files 24->155 157 Drops VBS files to the startup folder 24->157 41 conhost.exe 24->41         started        159 Tries to detect sandboxes / dynamic malware analysis system (file name check) 26->159 43 nAsC9ryZh1.exe 49 26->43         started        45 cmd.exe 1 26->45         started        161 Sample uses process hollowing technique 28->161 103 C:\Users\user\AppData\Roaming\...\x.vbs, ASCII 30->103 dropped 47 conhost.exe 30->47         started        163 Injects code into the Windows Explorer (explorer.exe) 33->163 49 explorer.exe 33->49         started        51 cmd.exe 33->51         started        signatures8 process9 file10 91 C:\Windows\System\explorer.exe, PE32 35->91 dropped 137 Installs a global keyboard hook 35->137 53 explorer.exe 35->53         started        93 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 43->93 dropped 95 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 43->95 dropped 97 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 43->97 dropped 139 Spreads via windows shares (copies files to share folders) 43->139 141 Writes to foreign memory regions 43->141 143 Allocates memory in foreign processes 43->143 56 nAsC9ryZh1.exe 43->56         started        58 diskperf.exe 43->58         started        60 conhost.exe 45->60         started        145 Sample uses process hollowing technique 49->145 147 Injects a PE file into a foreign processes 49->147 62 conhost.exe 51->62         started        signatures11 process12 signatures13 165 Antivirus detection for dropped file 53->165 167 Detected unpacking (changes PE section rights) 53->167 169 Detected unpacking (creates a PE file in dynamic memory) 53->169 173 6 other signatures 53->173 64 explorer.exe 47 53->64         started        68 cmd.exe 1 53->68         started        171 Installs a global keyboard hook 56->171 70 explorer.exe 56->70         started        process14 file15 87 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 64->87 dropped 89 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 64->89 dropped 115 Injects code into the Windows Explorer (explorer.exe) 64->115 117 Spreads via windows shares (copies files to share folders) 64->117 119 Writes to foreign memory regions 64->119 121 Allocates memory in foreign processes 64->121 72 explorer.exe 64->72         started        77 diskperf.exe 64->77         started        79 conhost.exe 68->79         started        123 Tries to detect sandboxes / dynamic malware analysis system (file name check) 70->123 125 Drops executables to the windows directory (C:\Windows) and starts them 70->125 127 Injects a PE file into a foreign processes 70->127 81 explorer.exe 70->81         started        83 cmd.exe 70->83         started        signatures16 process17 dnsIp18 109 vccmd03.googlecode.com 72->109 111 vccmd02.googlecode.com 72->111 113 4 other IPs or domains 72->113 99 C:\Windows\System\spoolsv.exe, PE32 72->99 dropped 101 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 72->101 dropped 175 System process connects to network (likely due to code injection or exploit) 72->175 177 Creates an undocumented autostart registry key 72->177 179 Installs a global keyboard hook 72->179 181 Spreads via windows shares (copies files to share folders) 81->181 183 Sample uses process hollowing technique 81->183 185 Injects a PE file into a foreign processes 81->185 85 conhost.exe 83->85         started        file19 signatures20 process21
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 21:35:18 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gscmknr4ltwfpq2tdd6q74vtay2btggpnmbho2a6key32vghiq6a._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0954707116de7974c38346f17987886632546664d0933bafd412fb343e408317
AveMariaRAT
09a3aa26ef9c6f2544fd2377df9ddb4ed2462db3206cc7723f5015a8e62bde2e
AveMariaRAT
32672928863af3e154d0e2cc454c5fd31f217a3bfabc7acff2223bb72a5bbe6f
AveMariaRAT
37d5c9a4d1ecf8d31abce31cb4092564d1e75c33547d2d385f9b79d15cdcbc3b
AveMariaRAT
5553a7b6943f4c1435ec14ecb41b95029d6f2a94f7f415f660c14bd8b68ab7f9
AveMariaRAT
614ef9ec888de4d04f0624fd4a65f1965313c03592dfe7565d463859ce7122b0
AveMariaRAT
64f94ae44c374d1b7407b2bb64faa5d6bd2df41c299ee02bc6facaa9a364c5ae
AveMariaRAT
7c1eae5e28280689e8db038813d781a47158b6d76f849aeb0c204058dfe94590
AveMariaRAT
a2bd87a81b3cc4f40cc8f1e6ba1111a010ad3970b4dff9e98c729142af28b823
AveMariaRAT
a597feb1835307dd3115e535a07ad16544b7950dd1de4e4247bc3bc49f02a487
AveMariaRAT
+ 3'053 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat family:xmrig evasion infostealer miner persistence rat
Link:
https://tria.ge/reports/210228-l781c32hpa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
xmrig
Unpacked files
SH256 hash:
3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c
MD5 hash:
b9a347ae47fc218b9d581d28cfdf2f02
SHA1 hash:
c5228f361b273aae8dbcead1a614be678402c446
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/dbc91752-ce8f-4269-9a80-6bd2378fdedf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AveMaria
Create hunting rule
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:MALWARE_Win_AveMaria
Create hunting rule
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Create hunting rule
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119983/

Comments