MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 516f5903f415000d759c5dbd52f83703646cc531decf0b4a48466f828cc7fc04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 516f5903f415000d759c5dbd52f83703646cc531decf0b4a48466f828cc7fc04
SHA3-384 hash: 27e3d74487325582b304a623f34602d6516324c0565f5993fb7cd2d59d723f893b82cfa26b668a3c2bfa84d7dc8906f8
SHA1 hash: 4c700915882c28db2eca79b22dc017e173757b65
MD5 hash: 1518774beb47c563d763cce2b8c522ab
humanhash: mexico-nebraska-paris-friend
File name:516f5903f415000d759c5dbd52f83703646cc531decf0b4a48466f828cc7fc04
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:3'024'718 bytes
First seen:2020-11-10 11:28:24 UTC
Last seen:2024-07-24 14:14:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep 24576:cZI7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHe:cZI7AAmw4gxeOw46fUbNecCCFbNecD
Threatray 3'564 similar samples on MalwareBazaar
TLSH 3DE5A0D5F7360093E337A4F0620FA7354595BE2A52086B3B27667D99A4832C5F2A3F43
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
56
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Cerber-6989221-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/529287
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Command shell drops VBS files
Contain functionality to detect virtual machines
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 313741 Sample: WDTnzDGxwB Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 130 Antivirus detection for dropped file 2->130 132 Antivirus / Scanner detection for submitted sample 2->132 134 Multi AV Scanner detection for submitted file 2->134 136 6 other signatures 2->136 14 WDTnzDGxwB.exe 2->14         started        17 wscript.exe 1 2->17         started        19 svchost.exe 2->19         started        process3 signatures4 198 Tries to detect sandboxes / dynamic malware analysis system (file name check) 14->198 200 Contain functionality to detect virtual machines 14->200 202 Contains functionality to inject code into remote processes 14->202 206 2 other signatures 14->206 21 WDTnzDGxwB.exe 1 51 14->21         started        25 cmd.exe 2 14->25         started        204 Injects code into the Windows Explorer (explorer.exe) 17->204 27 explorer.exe 17->27         started        process5 file6 104 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 21->104 dropped 106 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 21->106 dropped 154 Spreads via windows shares (copies files to share folders) 21->154 156 Sample is not signed and drops a device driver 21->156 158 Injects a PE file into a foreign processes 21->158 29 WDTnzDGxwB.exe 1 3 21->29         started        34 diskperf.exe 21->34         started        160 Command shell drops VBS files 25->160 162 Drops VBS files to the startup folder 25->162 36 conhost.exe 25->36         started        164 Tries to detect sandboxes / dynamic malware analysis system (file name check) 27->164 166 Injects code into the Windows Explorer (explorer.exe) 27->166 38 explorer.exe 27->38         started        40 cmd.exe 1 27->40         started        signatures7 process8 dnsIp9 122 192.168.2.1 unknown unknown 29->122 112 C:\Windows\System\explorer.exe, PE32 29->112 dropped 208 Installs a global keyboard hook 29->208 42 explorer.exe 29->42         started        114 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 38->114 dropped 210 Injects code into the Windows Explorer (explorer.exe) 38->210 212 Spreads via windows shares (copies files to share folders) 38->212 214 Writes to foreign memory regions 38->214 216 2 other signatures 38->216 45 explorer.exe 38->45         started        47 diskperf.exe 38->47         started        49 conhost.exe 40->49         started        file10 signatures11 process12 signatures13 182 Antivirus detection for dropped file 42->182 184 Machine Learning detection for dropped file 42->184 186 Tries to detect sandboxes / dynamic malware analysis system (file name check) 42->186 190 4 other signatures 42->190 51 explorer.exe 47 42->51         started        55 cmd.exe 1 42->55         started        188 Installs a global keyboard hook 45->188 process14 file15 100 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 51->100 dropped 102 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 51->102 dropped 148 Injects code into the Windows Explorer (explorer.exe) 51->148 150 Spreads via windows shares (copies files to share folders) 51->150 152 Injects a PE file into a foreign processes 51->152 57 explorer.exe 3 17 51->57         started        62 diskperf.exe 51->62         started        64 conhost.exe 55->64         started        signatures16 process17 dnsIp18 116 vccmd03.googlecode.com 57->116 118 vccmd02.googlecode.com 57->118 120 4 other IPs or domains 57->120 108 C:\Windows\System\spoolsv.exe, PE32 57->108 dropped 110 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 57->110 dropped 192 System process connects to network (likely due to code injection or exploit) 57->192 194 Creates an undocumented autostart registry key 57->194 196 Installs a global keyboard hook 57->196 66 spoolsv.exe 57->66         started        69 spoolsv.exe 57->69         started        71 spoolsv.exe 57->71         started        file19 signatures20 process21 signatures22 138 Antivirus detection for dropped file 66->138 140 Machine Learning detection for dropped file 66->140 142 Tries to detect sandboxes / dynamic malware analysis system (file name check) 66->142 73 spoolsv.exe 66->73         started        76 cmd.exe 66->76         started        144 Drops executables to the windows directory (C:\Windows) and starts them 69->144 146 Injects a PE file into a foreign processes 69->146 78 spoolsv.exe 69->78         started        80 cmd.exe 69->80         started        82 spoolsv.exe 71->82         started        84 cmd.exe 71->84         started        process23 signatures24 172 Spreads via windows shares (copies files to share folders) 73->172 174 Writes to foreign memory regions 73->174 176 Allocates memory in foreign processes 73->176 86 spoolsv.exe 73->86         started        89 diskperf.exe 73->89         started        91 conhost.exe 76->91         started        93 conhost.exe 80->93         started        178 Sample uses process hollowing technique 82->178 180 Injects a PE file into a foreign processes 82->180 95 conhost.exe 84->95         started        process25 signatures26 168 Drops executables to the windows directory (C:\Windows) and starts them 86->168 170 Installs a global keyboard hook 86->170 97 explorer.exe 86->97         started        process27 signatures28 124 Tries to detect sandboxes / dynamic malware analysis system (file name check) 97->124 126 Sample uses process hollowing technique 97->126 128 Injects a PE file into a foreign processes 97->128
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/516f5903f415000d759c5dbd52f83703646cc531decf0b4a48466f828cc7fc04/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-11 00:04:09 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kfxvsa7ucuaa25m4lw6vf6bxansgzrjr33hqwssiizxyfdgh7qca._file
Verdict:
suspicious
Similar samples:
03dfe6cedcfce8418e60ff61cd7a730c9ec52c383b2e5ccad5c67d0b1168146d
AveMariaRAT
0954707116de7974c38346f17987886632546664d0933bafd412fb343e408317
AveMariaRAT
32672928863af3e154d0e2cc454c5fd31f217a3bfabc7acff2223bb72a5bbe6f
AveMariaRAT
33a1631c7b9063a39f15b2fde90f874f5657417d7a265fa03b6277b9c907ca33
AveMariaRAT
3591293a05792261840f36bdbff14ca1eb850764d074ee325cfc9c1351d2d1d9
AveMariaRAT
37246203b9cf8a0baac95420921b4d9b31abf33363235b58acbe20d5079f1819
AveMariaRAT
3772ad390ed9afe00625633bcc8b4ef9a3cc4ebd3afcdd17e5bcbc77d6dcf450
AveMariaRAT
603b8b4a8d2fedea549b4f06b345da9234a06ceab9366175c8de484df155a2b9
AveMariaRAT
a597feb1835307dd3115e535a07ad16544b7950dd1de4e4247bc3bc49f02a487
AveMariaRAT
ff05b5ddbc9d78b2f4507e9e2a16d63cc007584d9cc5e641b41a4a73d96d0c02
AveMariaRAT
+ 3'554 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat upx
Link:
https://tria.ge/reports/201110-sv3dhqn6qj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
516f5903f415000d759c5dbd52f83703646cc531decf0b4a48466f828cc7fc04
MD5 hash:
1518774beb47c563d763cce2b8c522ab
SHA1 hash:
4c700915882c28db2eca79b22dc017e173757b65
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/1eb3db5a-eba5-4d44-9676-f4a6dc970f08/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments