MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fc49e599f29eece58d5ebe51df11add3a5be73c3e1baa5afb5bd3924759acfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fc49e599f29eece58d5ebe51df11add3a5be73c3e1baa5afb5bd3924759acfc
SHA3-384 hash: 73b63e56d552a6331473821bd5337dcaeb301178452837f1b3bb107452fd2f5bbb5a6fadb03f5fdbfffa08a90c76903b
SHA1 hash: 5ed7eac84abbef54a0435508fdd276b388254c3c
MD5 hash: e98b65a290124328f5826e7678fc99c3
humanhash: ten-oscar-kansas-pip
File name:4fc49e599f29eece58d5ebe51df11add3a5be73c3e1baa5afb5bd3924759acfc
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'252'903 bytes
First seen:2020-11-13 16:14:47 UTC
Last seen:2024-07-24 14:11:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a498eee87e4d89512a84502f500181f (138 x AveMariaRAT, 57 x RedLineStealer, 7 x CoinMiner)
ssdeep 12288:GIbsBDU0I6+Tu0TJ0N1oYgeOFvA7W2FeDSIGVH/KIDgDgUeHbY1tkk:GIbGD2JTu0GoEQDbGV6eH8tkk
Threatray 4'271 similar samples on MalwareBazaar
TLSH AA458DA13A391493D303FA727C0F822015D8BEAEAB545F9F17B77E26C0D72829147A57
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Win.Malware.Daqc-6598201-0
Create hunting rule

Win.Malware.Eclv-9782803-0
Create hunting rule

Win.Malware.Eclv-9782804-0
Create hunting rule

Win.Malware.Eclv-9782973-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/534341
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316272 Sample: AriZ9abruX Startdate: 14/11/2020 Architecture: WINDOWS Score: 100 109 Antivirus / Scanner detection for submitted sample 2->109 111 Multi AV Scanner detection for submitted file 2->111 113 Yara detected AveMaria stealer 2->113 115 4 other signatures 2->115 13 AriZ9abruX.exe 1 51 2->13         started        17 StikyNot.exe 46 2->17         started        19 svchost.exe 2->19         started        21 10 other processes 2->21 process3 dnsIp4 95 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 13->95 dropped 151 Detected unpacking (changes PE section rights) 13->151 153 Detected unpacking (overwrites its own PE header) 13->153 155 Spreads via windows shares (copies files to share folders) 13->155 165 4 other signatures 13->165 24 AriZ9abruX.exe 1 3 13->24         started        29 diskperf.exe 13->29         started        157 Detected unpacking (creates a PE file in dynamic memory) 17->157 159 Writes to foreign memory regions 17->159 161 Allocates memory in foreign processes 17->161 31 StikyNot.exe 17->31         started        33 diskperf.exe 17->33         started        163 Changes security center settings (notifications, updates, antivirus, firewall) 19->163 103 127.0.0.1 unknown unknown 21->103 35 WerFault.exe 21->35         started        37 WerFault.exe 21->37         started        39 WerFault.exe 21->39         started        41 4 other processes 21->41 file5 signatures6 process7 dnsIp8 105 192.168.2.1 unknown unknown 24->105 87 C:\Windows\System\explorer.exe, PE32 24->87 dropped 131 Installs a global keyboard hook 24->131 43 explorer.exe 47 24->43         started        133 Drops executables to the windows directory (C:\Windows) and starts them 31->133 47 explorer.exe 31->47         started        file9 signatures10 process11 file12 91 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 43->91 dropped 93 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 43->93 dropped 143 Detected unpacking (changes PE section rights) 43->143 145 Injects code into the Windows Explorer (explorer.exe) 43->145 147 Spreads via windows shares (copies files to share folders) 43->147 149 4 other signatures 43->149 49 explorer.exe 3 17 43->49         started        54 diskperf.exe 43->54         started        56 WerFault.exe 47->56         started        signatures13 process14 dnsIp15 97 googlecode.l.googleusercontent.com 74.125.143.82, 49701, 49703, 49704 GOOGLEUS United States 49->97 99 vccmd03.googlecode.com 49->99 101 4 other IPs or domains 49->101 83 C:\Windows\System\spoolsv.exe, PE32 49->83 dropped 85 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 49->85 dropped 117 System process connects to network (likely due to code injection or exploit) 49->117 119 Creates an undocumented autostart registry key 49->119 121 Installs a global keyboard hook 49->121 58 spoolsv.exe 47 49->58         started        62 spoolsv.exe 49->62         started        file16 signatures17 process18 file19 89 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 58->89 dropped 135 Detected unpacking (changes PE section rights) 58->135 137 Detected unpacking (overwrites its own PE header) 58->137 139 Drops executables to the windows directory (C:\Windows) and starts them 58->139 141 5 other signatures 58->141 64 spoolsv.exe 2 58->64         started        68 diskperf.exe 58->68         started        70 WerFault.exe 20 9 62->70         started        signatures20 process21 file22 81 C:\Windows\System\svchost.exe, PE32 64->81 dropped 107 Installs a global keyboard hook 64->107 72 svchost.exe 64->72         started        signatures23 process24 signatures25 123 Detected unpacking (changes PE section rights) 72->123 125 Detected unpacking (overwrites its own PE header) 72->125 127 Drops executables to the windows directory (C:\Windows) and starts them 72->127 129 2 other signatures 72->129 75 svchost.exe 72->75         started        77 diskperf.exe 72->77         started        process26 process27 79 WerFault.exe 75->79         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fc49e599f29eece58d5ebe51df11add3a5be73c3e1baa5afb5bd3924759acfc/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-13 16:32:22 UTC
AV detection:
42 of 48 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7cj4wm7fhxm4wgv5psr34i23u5fxzz4hyn2uwx3lpjzer2zvt6a._file
Verdict:
suspicious
Similar samples:
11dade6bd8c1f5050042141431e76397360b2944cfa9492322b877a29f38d9f6
AveMariaRAT
13cad8715da2c690091d24ea3eed6b4ef38ccf1229f1014fdfb1902cccd41a5f
AveMariaRAT
5482d1a6643afc18ab1cd3716ebb5391929bfa875b81c187e686722451ece5c1
AveMariaRAT
5553a7b6943f4c1435ec14ecb41b95029d6f2a94f7f415f660c14bd8b68ab7f9
AveMariaRAT
571e7886fb8a93e18282fac2339fcaa166e1cd3eedcb8f95cce3b1f33bf21348
AveMariaRAT
6a5e6d882ca54d4bba185f1b881b14795e8148dabeadbaf0f2035fcb2f678160
AveMariaRAT
6c3a2a15b41eb56729d6682230dbdde331e5f6cd7950aee950233475bebaad99
AveMariaRAT
a8928580092756f469646e1236c183568db799328ec088571fd3bea5407e03e3
AveMariaRAT
be9af0fdc2439628d89ec49342567c6718dba2444972b173e652268173b8202f
AveMariaRAT
c5fd02008e86c06d74e74208f75e34a6c32afd3992530f048c7da755fd06c214
AveMariaRAT
+ 4'261 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat aspackv2 evasion infostealer persistence rat
Link:
https://tria.ge/reports/201113-yhe1tfv8de/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
4fc49e599f29eece58d5ebe51df11add3a5be73c3e1baa5afb5bd3924759acfc
MD5 hash:
e98b65a290124328f5826e7678fc99c3
SHA1 hash:
5ed7eac84abbef54a0435508fdd276b388254c3c
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/ef672335-ab69-4c8d-8b58-465577b4d9c1/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments