MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 522a870c4fc20821dc2f3a0565fe2cf8ec876ebf96e8f55b5679e4755f8bd131. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 10

SHA256 hash: 522a870c4fc20821dc2f3a0565fe2cf8ec876ebf96e8f55b5679e4755f8bd131
SHA3-384 hash: 1531d670378b9eeffcc5e44d6c07ef81bf3d73e391e19c8fd6dde59dc82ab2018c63fa8976c2610a2c42c92027936757
SHA1 hash: eefd8eadd8903a85d7861536772702b229f95b5c
MD5 hash: 1982a4adfdd80684f98fd7bc16b8f87a
humanhash: grey-march-jig-mike
File name: 522a870c4fc20821dc2f3a0565fe2cf8ec876ebf96e8f55b5679e4755f8bd131
Signature: AveMariaRAT
File size: 2'806'412 bytes
First seen: 2020-11-15 23:20:33 UTC
Last seen: 2020-11-17 15:14:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6bac3cfe8acb6c6c4a30aaa022de2388 (308 x AveMariaRAT, 7 x njrat, 7 x Skeeeyah)
ssdeep: 24576:ssFymZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH81R:fFymw4gxeOw46fUbNecCCFbNecP
Threatray: 4'672 similar samples on MalwareBazaar
TLSH: 84D59FF6725A048FF7337570F50BA920A089B92CCB4CA3AB5F7B390E61964C580D6677
Reporter: seifreed
Tags: AveMariaRAT
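The hash set above is how this sample is identified across the platforms that index it. The block below is an added example, not MalwareBazaar's own code: it computes the algorithms that Python's hashlib provides (MD5, SHA1, SHA256, SHA3-384) for a file or byte string and checks the result against the hashes listed on this page. imphash, ssdeep and TLSH need third-party libraries and are deliberately left out. PAGE_IOCS is filled from this entry; the function names are this example's own.

```python
"""Compute the hashlib-backed hashes MalwareBazaar lists and check them against IOCs."""
import hashlib
from typing import Dict, List, Mapping, Set, Tuple

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")

# Hashes copied from this database entry. The second SHA256 is the unpacked
# file reported in the Triage section below.
PAGE_IOCS: Dict[str, Set[str]] = {
    "md5": {"1982a4adfdd80684f98fd7bc16b8f87a"},
    "sha1": {"eefd8eadd8903a85d7861536772702b229f95b5c"},
    "sha256": {
        "522a870c4fc20821dc2f3a0565fe2cf8ec876ebf96e8f55b5679e4755f8bd131",
        "021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546",
    },
    "sha3_384": {
        "1531d670378b9eeffcc5e44d6c07ef81bf3d73e391e19c8fd6dde59dc82ab2018c63fa8976c2610a2c42c92027936757"
    },
}


def _new_digests() -> Dict[str, "hashlib._Hash"]:
    return {name: hashlib.new(name) for name in ALGORITHMS}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Hash an in-memory buffer with every algorithm in ALGORITHMS."""
    digests = _new_digests()
    for d in digests.values():
        d.update(data)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file in chunks so a multi-megabyte sample is not read into memory at once."""
    digests = _new_digests()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_iocs(hashes: Mapping[str, str], iocs: Mapping[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (algorithm, hash) pairs that appear in the IOC set; comparison is case-insensitive."""
    hits: List[Tuple[str, str]] = []
    for algo, value in hashes.items():
        value = value.strip().lower()
        if value in {v.lower() for v in iocs.get(algo, ())}:
            hits.append((algo, value))
    return hits


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        result = hash_file(path)
        print(path, result["sha256"], match_iocs(result, PAGE_IOCS) or "no IOC match")
```

Run it as `python check_hashes.py <file>`; a match on any one algorithm is enough to tie a file to this entry, and the lowercase normalisation matters because vendors publish the same digest in mixed case.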

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 153
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a window
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AveMaria
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Command shell drops VBS files
Contain functionality to detect virtual machines
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph ID: 317510. Sample: I75HqbJtNE. Start date: 16/11/2020. Architecture: WINDOWS. Score: 100. The graph image itself is not reproduced; the process tree, dropped files, network contacts and per-node signatures recoverable from it are listed below.

Root-level signatures: antivirus detection for dropped file; antivirus / scanner detection for submitted sample; multi AV scanner detection for submitted file; 6 other signatures. Processes started from the root: I75HqbJtNE.exe, wscript.exe, svchost.exe and 2 other processes.

I75HqbJtNE.exe (first stage): tries to detect sandboxes / dynamic analysis systems (file name check); contains functionality to detect virtual machines; contains functionality to inject code into remote processes; 2 other signatures. Starts a second I75HqbJtNE.exe and cmd.exe.
- cmd.exe: command shell drops VBS files; drops VBS files to the startup folder; starts conhost.exe.
- I75HqbJtNE.exe (second stage): spreads via Windows shares (copies files to share folders); writes to foreign memory regions; allocates memory in foreign processes; sample is not signed and drops a device driver. Starts a third I75HqbJtNE.exe and diskperf.exe.
- I75HqbJtNE.exe (third stage): drops C:\Windows\System\explorer.exe (PE32); installs a global keyboard hook; starts explorer.exe (the dropped copy).
- diskperf.exe: drops C:\Users\user\...\Disk.sys:Zone.Identifier, C:\Users\...\SyncHost.exe:Zone.Identifier and C:\Users\...\StikyNot.exe:Zone.Identifier (ASCII); starts StikyNot.exe.

wscript.exe: starts StikyNot.exe, which tries to detect sandboxes (file name check), injects a PE file into foreign processes, and starts a further StikyNot.exe (spreads via Windows shares; sample uses process hollowing; injects a PE file into foreign processes) and cmd.exe (drops C:\Users\user\AppData\Roaming\...\x.vbs, ASCII; starts conhost.exe).

explorer.exe (dropped, first instance): antivirus detection for dropped file; machine learning detection for dropped file; sandbox file-name check; 2 other signatures. Starts a child explorer.exe and cmd.exe (which starts conhost.exe).
- explorer.exe (child): drops C:\Users\user\AppData\Local\Temp\Disk.sys (PE32) and C:\Users\user\AppData\Local\...\SyncHost.exe (PE32); injects code into the Windows Explorer (explorer.exe); spreads via Windows shares; writes to foreign memory regions. Starts a further explorer.exe and diskperf.exe (which drops C:\Users\user\AppData\Local\...\StikyNot.exe, PE32).
- StikyNot.exe (started by diskperf.exe): contains functionality to detect virtual machines; injects a PE file into foreign processes. Starts StikyNot.exe (allocates memory in foreign processes; injects a PE file; in turn starts StikyNot.exe, which starts explorer.exe with process hollowing, and diskperf.exe) and cmd.exe (starts conhost.exe).

explorer.exe (network stage): DNS/IP contacts vccmd03.googlecode.com, vccmd02.googlecode.com and 5 other IPs or domains; drops C:\Windows\System\spoolsv.exe (PE32) and C:\Users\user\AppData\Roaming\mrsys.exe (PE32); system process connects to network (likely due to code injection or exploit); creates an undocumented autostart registry key; installs a global keyboard hook. Starts three spoolsv.exe instances.

spoolsv.exe instances: antivirus detection for dropped file; machine learning detection for dropped file; sandbox file-name check; drops executables to the Windows directory (C:\Windows) and starts them; injects a PE file into foreign processes; sample uses process hollowing; spreads via Windows shares; installs a global keyboard hook. They spawn further spoolsv.exe and diskperf.exe instances, cmd.exe (each with a conhost.exe), and explorer.exe (sandbox file-name check; process hollowing; injects a PE file into foreign processes).
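Three of the behaviours in the report translate directly into endpoint hunt logic: system binaries (explorer.exe, spoolsv.exe) dropped to C:\Windows\System and started, a .vbs placed in the Startup folder, and a Run-key value pointing at a payload under AppData (mrsys.exe). The block below is an added example, not part of the MalwareBazaar report or any vendor's sandbox: it parses constructed Sysmon-style key=value records and runs three rules over them. The allowed-directory table, the path fragments, the record format and the sample events are assumptions of the example, shaped after the process tree above; the first rule follows the idea behind the public Sigma rule "System File Execution Location Anomaly" rather than reproducing it.

```python
"""Hunt rules for three behaviours in this report: system binaries running from the
wrong directory, a script host running a .vbs from the Startup folder, and a
Run-key value that points into a user-writable path."""
import ntpath
from typing import Callable, Dict, List, Tuple

# Directories a genuine copy of each binary lives in (lower-case, no trailing
# separator). This table is an assumption of the example, not an official list.
SYSTEM_BINARY_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "conhost.exe": {r"c:\windows\system32"},
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR_FRAGMENT = "\\start menu\\programs\\startup\\"
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run\\"
USER_WRITABLE_FRAGMENTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value<TAB>Key=Value' record into a dict.
    Field names follow Sysmon (Image, ParentImage, CommandLine, TargetObject, Details)."""
    event: Dict[str, str] = {}
    for field in line.rstrip("\n").split("\t"):
        key, sep, value = field.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event


def system_file_location_anomaly(event: Dict[str, str]) -> bool:
    """True when a well-known system binary runs from a directory it never lives in,
    e.g. the C:\\Windows\\System\\explorer.exe this sample drops."""
    image = event.get("Image", "").lower()
    allowed = SYSTEM_BINARY_DIRS.get(ntpath.basename(image))
    return allowed is not None and ntpath.dirname(image) not in allowed


def startup_folder_script_execution(event: Dict[str, str]) -> bool:
    """True when wscript/cscript is handed a .vbs that sits in a Startup folder."""
    host = ntpath.basename(event.get("Image", "").lower())
    cmdline = event.get("CommandLine", "").lower()
    return host in SCRIPT_HOSTS and STARTUP_DIR_FRAGMENT in cmdline and ".vbs" in cmdline


def run_key_points_to_user_writable_path(event: Dict[str, str]) -> bool:
    """True when a ...\\CurrentVersion\\Run value is set to a path under AppData, Temp or Public."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    return RUN_KEY_FRAGMENT in target and any(f in details for f in USER_WRITABLE_FRAGMENTS)


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("system_file_execution_location_anomaly", system_file_location_anomaly),
    ("startup_folder_script_execution", startup_folder_script_execution),
    ("run_key_points_to_user_writable_path", run_key_points_to_user_writable_path),
]


def run_rules(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule name, Image) for every event that trips a rule, in log order."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule_name, rule in RULES:
            if rule(event):
                hits.append((rule_name, event.get("Image", "")))
    return hits


def _rec(*fields: str) -> str:
    return "\t".join(fields)


# Constructed events mirroring the sandbox process tree; none are real telemetry.
SAMPLE_LOG = "\n".join([
    _rec(r"Image=C:\Users\user\Desktop\I75HqbJtNE.exe", r"ParentImage=C:\Windows\explorer.exe",
         r"CommandLine=I75HqbJtNE.exe"),
    _rec(r"Image=C:\Windows\System\explorer.exe", r"ParentImage=C:\Users\user\Desktop\I75HqbJtNE.exe",
         r"CommandLine=C:\Windows\System\explorer.exe"),
    _rec(r"Image=C:\Windows\explorer.exe", r"ParentImage=C:\Windows\System32\userinit.exe",
         r"CommandLine=C:\Windows\explorer.exe"),
    _rec(r"Image=C:\Windows\System\spoolsv.exe", r"ParentImage=C:\Windows\System\explorer.exe",
         r"CommandLine=C:\Windows\System\spoolsv.exe"),
    _rec(r"Image=C:\Windows\System32\svchost.exe", r"ParentImage=C:\Windows\System32\services.exe",
         r"CommandLine=C:\Windows\System32\svchost.exe -k netsvcs"),
    _rec(r"Image=C:\Windows\System32\wscript.exe", r"ParentImage=C:\Windows\explorer.exe",
         r'CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"'),
    _rec(r"Image=C:\Windows\System\explorer.exe",
         r"TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\mrsys",
         r"Details=C:\Users\user\AppData\Roaming\mrsys.exe"),
])

if __name__ == "__main__":
    for rule_name, image in run_rules(SAMPLE_LOG):
        print(f"{rule_name}: {image}")
```

The location check compares the full directory rather than a prefix: a prefix match on C:\Windows\ would wave through C:\Windows\System\explorer.exe, which is exactly the path this sample uses. The last sample event trips two rules at once, which is what the graph shows for the dropped explorer.exe (runs from the wrong place, then writes the Run value for mrsys.exe).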
Threat name: Win32.Spyware.AveMaria
Status: Malicious
First seen: 2020-11-15 23:22:39 UTC
AV detection: 42 of 48 (87.50%)
Threat level: 2/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat evasion infostealer persistence rat upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SHA256 hash: 021d01fe3793879f57a2942664fc7c096710e94e87ad13dc21467c12edf61546
MD5 hash: ad9fd1564dd1c6be54747e84444b8f55
SHA1 hash: 001495af4af443265200340a08b5e07dc2a32553
Parent samples:
SHA256 hash: fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c
MD5 hash: 6b906764a35508a7fd266cdd512e46b1
SHA1 hash: 2a943b5868de4facf52d4f4c1b63f83eacd882a2
SHA256 hash: 212c398621cb642a265881194555dbddbca1e712c6327250de0d863c1220606a
MD5 hash: 6a46ef3cd052d7c2342490f7d7405b8b
SHA1 hash: fe434dee2dab75716a8fa7c5b696a9cc859c3722
Detections: win_ave_maria_g0 win_ave_maria_auto
Parent samples:
SHA256 hash: 6d9fee542af0fe7ba07f82387256c170e2ae54ebf5ed6f40a7c2851733287aa7
MD5 hash: 3912e62d34954fe255646ce61c4fbfec
SHA1 hash: 75e9786c85172934ead0138c7fdf20671014b403
SHA256 hash: a17a204f51511144ca97d110dee827ff8fade1088983c30d0bc2fc5ddbe92e64
MD5 hash: 641ad4e559d3865a7db4f3bfdb368766
SHA1 hash: 8cdc17830d4d8462871c9fa30a05b1243b684aa9
SHA256 hash: 522a870c4fc20821dc2f3a0565fe2cf8ec876ebf96e8f55b5679e4755f8bd131
MD5 hash: 1982a4adfdd80684f98fd7bc16b8f87a
SHA1 hash: eefd8eadd8903a85d7861536772702b229f95b5c
Detections: win_ave_maria_g0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Only results from TLP:CLEAR rules are displayed.

Rule name: ave_maria_warzone_rat
Author: jeFF0Falltrades

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: Codoso_Gh0st_1
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: RDPWrap
Author: @bartblaze
Description: Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference: https://github.com/stascorp/rdpwrap

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments