MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4de284df7bd0540ea90b888a3af878d37324e19bcf55ec25dc57b320a0a88040. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4de284df7bd0540ea90b888a3af878d37324e19bcf55ec25dc57b320a0a88040
SHA3-384 hash: 405e84a2f4559dcbb423e87faaa16bcd18e23d253cb81ac646bf204f1811c049904330604fb6c3a55272fb388f8e4826
SHA1 hash: c990bb92f650c26c0fdd599a801745c69bea7142
MD5 hash: 2f5fe0054c2b0240fd343ca5011bfd52
humanhash: angel-sixteen-low-spaghetti
File name:4de284df7bd0540ea90b888a3af878d37324e19bcf55ec25dc57b320a0a88040
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:3'024'600 bytes
First seen:2020-11-10 11:24:50 UTC
Last seen:2024-07-24 14:06:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep 24576:Dgd7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHj:Dgd7AAmw4gxeOw46fUbNecCCFbNecS
Threatray 3'506 similar samples on MalwareBazaar
TLSH 4BE5AED2F69B009FD2722471F10F9A10C2E9A93BC205D3AFAB763A8556D31C663C7647
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
60
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Cerber-6989221-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a window
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/529453
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Command shell drops VBS files
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 313824 Sample: Mm23hGMYql Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 134 Antivirus detection for dropped file 2->134 136 Antivirus / Scanner detection for submitted sample 2->136 138 Multi AV Scanner detection for submitted file 2->138 140 6 other signatures 2->140 13 Mm23hGMYql.exe 2->13         started        16 wscript.exe 1 2->16         started        18 svchost.exe 1 2->18         started        process3 signatures4 208 Tries to detect sandboxes / dynamic malware analysis system (file name check) 13->208 210 Contains functionality to inject code into remote processes 13->210 212 Drops PE files with benign system names 13->212 214 Injects a PE file into a foreign processes 13->214 20 Mm23hGMYql.exe 1 51 13->20         started        23 cmd.exe 2 13->23         started        25 StikyNot.exe 16->25         started        process5 signatures6 142 Spreads via windows shares (copies files to share folders) 20->142 144 Writes to foreign memory regions 20->144 146 Allocates memory in foreign processes 20->146 148 Sample is not signed and drops a device driver 20->148 27 Mm23hGMYql.exe 1 3 20->27         started        31 diskperf.exe 5 20->31         started        150 Command shell drops VBS files 23->150 152 Drops VBS files to the startup folder 23->152 33 conhost.exe 23->33         started        154 Tries to detect sandboxes / dynamic malware analysis system (file name check) 25->154 156 Injects a PE file into a foreign processes 25->156 35 StikyNot.exe 25->35         started        37 cmd.exe 25->37         started        process7 file8 110 C:\Windows\System\explorer.exe, PE32 27->110 dropped 186 Installs a global keyboard hook 27->186 39 explorer.exe 27->39         started        112 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 31->112 dropped 114 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 31->114 dropped 116 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 31->116 dropped 42 StikyNot.exe 31->42         started        188 Spreads via windows shares (copies files to share folders) 35->188 190 Writes to foreign memory regions 35->190 192 Allocates memory in foreign processes 35->192 194 Injects a PE file into a foreign processes 35->194 44 StikyNot.exe 35->44         started        46 diskperf.exe 35->46         started        49 conhost.exe 37->49         started        signatures9 process10 file11 174 Antivirus detection for dropped file 39->174 176 Machine Learning detection for dropped file 39->176 178 Tries to detect sandboxes / dynamic malware analysis system (file name check) 39->178 184 2 other signatures 39->184 51 explorer.exe 47 39->51         started        55 cmd.exe 1 39->55         started        180 Injects a PE file into a foreign processes 42->180 57 StikyNot.exe 46 42->57         started        59 cmd.exe 1 42->59         started        182 Installs a global keyboard hook 44->182 118 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 46->118 dropped signatures12 process13 file14 106 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 51->106 dropped 108 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 51->108 dropped 158 Injects code into the Windows Explorer (explorer.exe) 51->158 160 Spreads via windows shares (copies files to share folders) 51->160 162 Writes to foreign memory regions 51->162 164 Allocates memory in foreign processes 51->164 61 explorer.exe 3 17 51->61         started        66 diskperf.exe 51->66         started        68 conhost.exe 55->68         started        166 Injects a PE file into a foreign processes 57->166 70 StikyNot.exe 57->70         started        72 diskperf.exe 57->72         started        74 conhost.exe 59->74         started        signatures15 process16 dnsIp17 126 vccmd03.googlecode.com 61->126 128 vccmd02.googlecode.com 61->128 130 5 other IPs or domains 61->130 120 C:\Windows\System\spoolsv.exe, PE32 61->120 dropped 122 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 61->122 dropped 216 System process connects to network (likely due to code injection or exploit) 61->216 218 Creates an undocumented autostart registry key 61->218 220 Installs a global keyboard hook 61->220 76 spoolsv.exe 61->76         started        79 spoolsv.exe 61->79         started        81 spoolsv.exe 61->81         started        222 Drops executables to the windows directory (C:\Windows) and starts them 70->222 83 explorer.exe 70->83         started        file18 signatures19 process20 signatures21 196 Antivirus detection for dropped file 76->196 198 Machine Learning detection for dropped file 76->198 200 Tries to detect sandboxes / dynamic malware analysis system (file name check) 76->200 85 spoolsv.exe 76->85         started        88 cmd.exe 76->88         started        202 Drops executables to the windows directory (C:\Windows) and starts them 79->202 204 Injects a PE file into a foreign processes 79->204 90 spoolsv.exe 79->90         started        92 cmd.exe 79->92         started        206 Sample uses process hollowing technique 81->206 94 cmd.exe 81->94         started        process22 file23 168 Spreads via windows shares (copies files to share folders) 85->168 170 Injects a PE file into a foreign processes 85->170 97 spoolsv.exe 85->97         started        100 conhost.exe 88->100         started        172 Sample uses process hollowing technique 90->172 102 conhost.exe 92->102         started        124 C:\Users\user\AppData\Roaming\...\x.vbs, ASCII 94->124 dropped 104 conhost.exe 94->104         started        signatures24 process25 signatures26 132 Installs a global keyboard hook 97->132
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4de284df7bd0540ea90b888a3af878d37324e19bcf55ec25dc57b320a0a88040/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 11:28:22 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jxrijx332bka5kilrcfdv6dy2nzsjym3z5k6yjo4k6zsbifiqbaa._file
Verdict:
unknown
Similar samples:
03dfe6cedcfce8418e60ff61cd7a730c9ec52c383b2e5ccad5c67d0b1168146d
AveMariaRAT
3591293a05792261840f36bdbff14ca1eb850764d074ee325cfc9c1351d2d1d9
AveMariaRAT
3772ad390ed9afe00625633bcc8b4ef9a3cc4ebd3afcdd17e5bcbc77d6dcf450
AveMariaRAT
581578334976e3ddeb5680b160ac757ab6ffac724c201f46eae03f373f102ee5
AveMariaRAT
a425002cf906c94a18e2919275f05370df5daef4dd5c8ab041873439b17e1736
AveMariaRAT
b8526e6e7c6dcb71a5e3c587455e235c0a3508f2b7cc20aae47120d25dbbe210
AveMariaRAT
b8fb56d3c66d2b6280cf2be3fb58de14e9103989429d78861bd712479424c4f6
AveMariaRAT
d49bf8b5ef7c4c8195b34f1468612abf2ff1e8200f64d1420fe974c994c6c5bf
AveMariaRAT
e43d5312d11b3a19a14207f6163c841644e43e18d31f6f8029509b284f454821
AveMariaRAT
f5e621d29e3f1bc96a68b44c139e62d6e37513373faaada2a11eb5b40123c3a6
AveMariaRAT
+ 3'496 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat upx
Link:
https://tria.ge/reports/201110-9a1n82agye/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
4de284df7bd0540ea90b888a3af878d37324e19bcf55ec25dc57b320a0a88040
MD5 hash:
2f5fe0054c2b0240fd343ca5011bfd52
SHA1 hash:
c990bb92f650c26c0fdd599a801745c69bea7142
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/fc0c783d-d761-47be-b37f-9c1d1c5487f5/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments