MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ef65706e9165e40e983264778a75f9606be4146a374497ab956a65cc019dfaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 6 File information Comments

SHA256 hash:	5ef65706e9165e40e983264778a75f9606be4146a374497ab956a65cc019dfaa
SHA3-384 hash:	3766d8fbcd5feb641af3d2c2e85366417eeb930b653205893f179efce31b64e0656cd3fae9c697a528507e6b870b78cd
SHA1 hash:	860cca7c7e4f8e8e12cf049ca829d0de90ca771f
MD5 hash:	204ea9f36febc61cc82df8b39cfaec56
humanhash:	blue-butter-hawaii-river
File name:	5ef65706e9165e40e983264778a75f9606be4146a374497ab956a65cc019dfaa
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	3'015'475 bytes
First seen:	2020-11-11 11:19:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep	24576:5gW7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHK:5gW7A3mw4gxeOw46fUbNecCCFbNec5
Threatray	3'665 similar samples on MalwareBazaar
TLSH	AAD5B0D1FD99849BEB3B65B7B04F854242086C682704B5276ABF7B60E0E31D8D2D374B
Reporter	seifreed
Tags:	AveMariaRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Running batch commands

Creating a process with a hidden window

Forced system process termination

Creating a window

Creating a file in the %temp% directory

Creating a file

Launching a process

Creating a file in the Windows subdirectories

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Creating a file in the mass storage device

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ef65706e9165e40e983264778a75f9606be4146a374497ab956a65cc019dfaa/

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2020-11-11 11:23:04 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l33fobxjczpeb2mdezdxrj27sydl4qkgun2es6vzk2tfzqaz36va._file

Verdict:

unknown

AveMariaRAT

2cca72e6437bfe2378dfd090b0e5d1c702aa43567eb4449e1438340bd2a1ffec

AveMariaRAT

304a878118613dd0bca8306e932b5f814e45d57a8638cd1412e6c278776538db

AveMariaRAT

5b0e0084057c63933670abaa0d9c65ded665a29dbbca91dc912b0533cdb3e2d7

AveMariaRAT

66a88b2366d6da7caf8d1c90c0eb5acecdd9bb3ab3b5fa247ff0793f0bc6b047

AveMariaRAT

81b20e60ad4f840303eb2d1b853e38e34cb779bfc7fe8089b100c52f3fe8b587

AveMariaRAT

a47eb6b30722227c13e4b61032de0f16379fe392022d6d95ad4c077e40c322e5

AveMariaRAT

ab96b93e8058eb25d541928c48e38476be25aa308f3e340559db0f03c1caa93c

AveMariaRAT

b874fdd1d9afbc72e81c0610014252eef6b5a3bc8fc473519f3bd81707e67902

AveMariaRAT

e420dd12e24cd9f9c1c1ffe71170b7218997b423d126d031fb948b183f803e79

AveMariaRAT

+ 3'655 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat evasion infostealer persistence rat

Link:

https://tria.ge/reports/201111-tnh18mkcce/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

Loads dropped DLL

Executes dropped EXE

Modifies Installed Components in the registry

Warzone RAT Payload

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

WarzoneRat, AveMaria

Unpacked files

SH256 hash:

5ef65706e9165e40e983264778a75f9606be4146a374497ab956a65cc019dfaa

MD5 hash:

204ea9f36febc61cc82df8b39cfaec56

SHA1 hash:

860cca7c7e4f8e8e12cf049ca829d0de90ca771f

Detections:

win_ave_maria_g0

Link:

https://www.unpac.me/results/242e2904-ec63-4e65-ae41-094ce6f785a7/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	UAC_bypass_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample