MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b30001f466536a1c3976ca5d0a442bf18491e7280e25b8b94182a5b1bd7d615. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b30001f466536a1c3976ca5d0a442bf18491e7280e25b8b94182a5b1bd7d615
SHA3-384 hash: 69934b91fae6df654ecc096d1e50d198578bf0023daebffdb39372146dfa56b39223b0f9348d9bb3c6141df8de4c06e9
SHA1 hash: 7abbc6a6530df332134009dc7cf83b1d1c58dad2
MD5 hash: 6d5418c807350456109f3db6b20239ca
humanhash: spaghetti-berlin-mobile-west
File name:4b30001f466536a1c3976ca5d0a442bf18491e7280e25b8b94182a5b1bd7d615
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'931'109 bytes
First seen:2020-11-14 18:17:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7be4c98eebb39d282cdffc1cea8fb470 (661 x AveMariaRAT, 29 x Riskware.Generic)
ssdeep 12288:8GyClPwuv3nN3vDTL6nqG5qtYaT76tSQlpthvxdrVbA7W2FeDSIGVH/KIDgDgUed:8c/NfOnqa/aT7ktNcQDbGV6eH81kB
Threatray 8 similar samples on MalwareBazaar
TLSH AD958EA2B63B4CABD3233570A90FD1729A26FDB4AF40A71E37727C2589A35917417307
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Daqc-6598201-0
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Eclv-9782803-0
Create hunting rule

Win.Malware.Eclv-9782804-0
Create hunting rule

Win.Malware.Eclv-9782973-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Creating a file in the mass storage device
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/535509
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316854 Sample: gpV7CqVr4h Startdate: 15/11/2020 Architecture: WINDOWS Score: 100 124 Antivirus detection for dropped file 2->124 126 Antivirus / Scanner detection for submitted sample 2->126 128 Multi AV Scanner detection for submitted file 2->128 130 6 other signatures 2->130 12 gpV7CqVr4h.exe 1 51 2->12         started        15 StikyNot.exe 46 2->15         started        17 StikyNot.exe 2->17         started        19 6 other processes 2->19 process3 dnsIp4 160 Detected unpacking (changes PE section rights) 12->160 162 Detected unpacking (overwrites its own PE header) 12->162 164 Spreads via windows shares (copies files to share folders) 12->164 178 4 other signatures 12->178 22 gpV7CqVr4h.exe 1 3 12->22         started        26 diskperf.exe 5 12->26         started        166 Antivirus detection for dropped file 15->166 168 Detected unpacking (creates a PE file in dynamic memory) 15->168 170 Machine Learning detection for dropped file 15->170 28 StikyNot.exe 15->28         started        30 diskperf.exe 15->30         started        172 Sample uses process hollowing technique 17->172 174 Injects a PE file into a foreign processes 17->174 102 127.0.0.1 unknown unknown 19->102 176 Changes security center settings (notifications, updates, antivirus, firewall) 19->176 signatures5 process6 file7 84 C:\Windows\System\explorer.exe, PE32 22->84 dropped 132 Installs a global keyboard hook 22->132 32 explorer.exe 47 22->32         started        86 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 26->86 dropped 88 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 26->88 dropped 90 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 26->90 dropped 134 Drops executables to the windows directory (C:\Windows) and starts them 28->134 36 explorer.exe 28->36         started        signatures8 process9 file10 82 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 32->82 dropped 110 Antivirus detection for dropped file 32->110 112 Detected unpacking (creates a PE file in dynamic memory) 32->112 114 Machine Learning detection for dropped file 32->114 122 2 other signatures 32->122 38 explorer.exe 3 17 32->38         started        43 diskperf.exe 32->43         started        116 Spreads via windows shares (copies files to share folders) 36->116 118 Sample uses process hollowing technique 36->118 120 Injects a PE file into a foreign processes 36->120 signatures11 process12 dnsIp13 104 vccmd03.googlecode.com 38->104 106 vccmd02.googlecode.com 38->106 108 5 other IPs or domains 38->108 92 C:\Windows\System\spoolsv.exe, PE32 38->92 dropped 94 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 38->94 dropped 136 System process connects to network (likely due to code injection or exploit) 38->136 138 Creates an undocumented autostart registry key 38->138 140 Installs a global keyboard hook 38->140 45 spoolsv.exe 47 38->45         started        49 spoolsv.exe 46 38->49         started        51 spoolsv.exe 46 38->51         started        53 3 other processes 38->53 file14 signatures15 process16 file17 98 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 45->98 dropped 100 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 45->100 dropped 180 Antivirus detection for dropped file 45->180 182 Detected unpacking (changes PE section rights) 45->182 184 Detected unpacking (overwrites its own PE header) 45->184 196 2 other signatures 45->196 55 spoolsv.exe 2 45->55         started        59 diskperf.exe 45->59         started        186 Spreads via windows shares (copies files to share folders) 49->186 188 Injects a PE file into a foreign processes 49->188 61 spoolsv.exe 49->61         started        63 diskperf.exe 49->63         started        190 Writes to foreign memory regions 51->190 192 Allocates memory in foreign processes 51->192 65 spoolsv.exe 51->65         started        67 diskperf.exe 51->67         started        194 Drops executables to the windows directory (C:\Windows) and starts them 53->194 69 spoolsv.exe 53->69         started        71 spoolsv.exe 53->71         started        73 3 other processes 53->73 signatures18 process19 file20 96 C:\Windows\System\svchost.exe, PE32 55->96 dropped 142 Installs a global keyboard hook 55->142 75 svchost.exe 55->75         started        144 Drops executables to the windows directory (C:\Windows) and starts them 61->144 78 svchost.exe 61->78         started        signatures21 process22 signatures23 146 Antivirus detection for dropped file 75->146 148 Detected unpacking (changes PE section rights) 75->148 150 Detected unpacking (overwrites its own PE header) 75->150 152 Machine Learning detection for dropped file 75->152 80 svchost.exe 75->80         started        154 Spreads via windows shares (copies files to share folders) 78->154 156 Sample uses process hollowing technique 78->156 158 Injects a PE file into a foreign processes 78->158 process24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b30001f466536a1c3976ca5d0a442bf18491e7280e25b8b94182a5b1bd7d615/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:20:56 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jmyaah2gmu3kdq4xnss5bjccx4meshtsqdrfxc4udavfwg6x2ykq._file
Verdict:
unknown
Similar samples:
198f3b86322f49f07c45e60a109efefe4a180c09d4a834044b57231861992535
AveMariaRAT
29440483950aad7b9f78ed3f3748924f2e4513c6dd2f51a90fe8135ad07c0edb
AveMariaRAT
37d111896ff48857ffcc00b910beff5e79262aa5097eb786fa013ca479db9571
AveMariaRAT
40328df2351688250299808aefc7597f9a2998969faaf451df1de690f0f83271
AveMariaRAT
538e2ec21cc50a68c5ee8ff2350b0cabfcf2b8d77d2c3ea1cbcaa443be237201
AveMariaRAT
6cb468ece5c221172feb8a352db446b0394d7704cf6208cea2cda8bd5adc53ff
AveMariaRAT
a828e622f76666e23459f75e1eba33e34b919b1e129d64b937c46a1a30c8a356
AveMariaRAT
cf10f4b5514d2544a6b3a6efdd281f2fa6526b9a07756c8db0b14fed20fd7110
AveMariaRAT
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat
Link:
https://tria.ge/reports/201114-nzxb96gjfa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
4b30001f466536a1c3976ca5d0a442bf18491e7280e25b8b94182a5b1bd7d615
MD5 hash:
6d5418c807350456109f3db6b20239ca
SHA1 hash:
7abbc6a6530df332134009dc7cf83b1d1c58dad2
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/f1b11044-3bb0-48c2-8369-da7017b6cd2b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b30001f466536a1c3976ca5d0a442bf18491e7280e25b8b94182a5b1bd7d615

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments