MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 641023ab7f00543ade8c31e6e417eab1b0683903efac1f21cababd55d19fe237. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 641023ab7f00543ade8c31e6e417eab1b0683903efac1f21cababd55d19fe237
SHA3-384 hash: 57656a4a73b054071d429b10a2c68140cf26ae154193d61bd68033bae219daea1f937b585bd4c037f6a010ad50681ca1
SHA1 hash: d2a0374e11613743077e67871fe7767e2df8c78c
MD5 hash: 54d67ace25b82d937284992c332a4d51
humanhash: victor-crazy-november-alaska
File name:641023ab7f00543ade8c31e6e417eab1b0683903efac1f21cababd55d19fe237
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'931'014 bytes
First seen:2020-11-10 11:43:15 UTC
Last seen:2024-07-24 15:08:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7be4c98eebb39d282cdffc1cea8fb470 (661 x AveMariaRAT, 29 x Riskware.Generic)
ssdeep 12288:2idrtdxXurtNnITASnaPieFw+t14BzKFGTCC3bmy097XwA7W2FeDSIGVH/KIDgDy:5ibIkjieS5BzKUFEQDbGV6eH8tkz
Threatray 177 similar samples on MalwareBazaar
TLSH 17957CF2F7565017CA235FB1A80FDB706106BE1F5A41A75FA3B73E058DE3A01B4A9242
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Daqc-6598201-0
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Eclv-9782803-0
Create hunting rule

Win.Malware.Eclv-9782804-0
Create hunting rule

Win.Malware.Eclv-9782973-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/528393
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 313294 Sample: VKxS2Su8Q9 Startdate: 10/11/2020 Architecture: WINDOWS Score: 100 116 Antivirus detection for dropped file 2->116 118 Antivirus / Scanner detection for submitted sample 2->118 120 Multi AV Scanner detection for submitted file 2->120 122 6 other signatures 2->122 13 VKxS2Su8Q9.exe 1 51 2->13         started        17 StikyNot.exe 46 2->17         started        19 StikyNot.exe 2->19         started        21 7 other processes 2->21 process3 dnsIp4 108 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 13->108 dropped 110 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 13->110 dropped 160 Detected unpacking (changes PE section rights) 13->160 162 Detected unpacking (overwrites its own PE header) 13->162 164 Spreads via windows shares (copies files to share folders) 13->164 176 2 other signatures 13->176 24 VKxS2Su8Q9.exe 1 3 13->24         started        28 diskperf.exe 13->28         started        166 Writes to foreign memory regions 17->166 168 Allocates memory in foreign processes 17->168 170 Injects a PE file into a foreign processes 17->170 30 StikyNot.exe 17->30         started        32 diskperf.exe 17->32         started        172 Sample uses process hollowing technique 19->172 112 127.0.0.1 unknown unknown 21->112 174 Changes security center settings (notifications, updates, antivirus, firewall) 21->174 file5 signatures6 process7 file8 98 C:\Windows\System\explorer.exe, PE32 24->98 dropped 142 Installs a global keyboard hook 24->142 34 explorer.exe 47 24->34         started        144 Drops executables to the windows directory (C:\Windows) and starts them 30->144 38 explorer.exe 30->38         started        signatures9 process10 file11 92 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 34->92 dropped 94 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 34->94 dropped 124 Antivirus detection for dropped file 34->124 126 Detected unpacking (changes PE section rights) 34->126 128 Detected unpacking (creates a PE file in dynamic memory) 34->128 136 7 other signatures 34->136 40 explorer.exe 3 5 34->40         started        44 diskperf.exe 1 34->44         started        130 Spreads via windows shares (copies files to share folders) 38->130 132 Sample uses process hollowing technique 38->132 134 Injects a PE file into a foreign processes 38->134 signatures12 process13 file14 100 C:\Windows\System\spoolsv.exe, PE32 40->100 dropped 102 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 40->102 dropped 146 Creates an undocumented autostart registry key 40->146 148 Installs a global keyboard hook 40->148 46 spoolsv.exe 46 40->46         started        49 spoolsv.exe 46 40->49         started        51 spoolsv.exe 46 40->51         started        55 2 other processes 40->55 104 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 44->104 dropped 53 StikyNot.exe 46 44->53         started        signatures15 process16 signatures17 178 Antivirus detection for dropped file 46->178 180 Detected unpacking (changes PE section rights) 46->180 182 Detected unpacking (creates a PE file in dynamic memory) 46->182 184 Drops PE files with benign system names 46->184 57 spoolsv.exe 2 46->57         started        61 diskperf.exe 46->61         started        186 Spreads via windows shares (copies files to share folders) 49->186 188 Writes to foreign memory regions 49->188 190 Allocates memory in foreign processes 49->190 63 spoolsv.exe 49->63         started        66 diskperf.exe 49->66         started        68 spoolsv.exe 51->68         started        70 diskperf.exe 51->70         started        192 Detected unpacking (overwrites its own PE header) 53->192 194 Machine Learning detection for dropped file 53->194 196 Injects a PE file into a foreign processes 53->196 72 StikyNot.exe 53->72         started        74 spoolsv.exe 55->74         started        76 diskperf.exe 55->76         started        process18 dnsIp19 106 C:\Windows\System\svchost.exe, PE32 57->106 dropped 156 Installs a global keyboard hook 57->156 78 svchost.exe 57->78         started        114 192.168.2.1 unknown unknown 63->114 158 Drops executables to the windows directory (C:\Windows) and starts them 63->158 81 svchost.exe 63->81         started        file20 signatures21 process22 signatures23 198 Antivirus detection for dropped file 78->198 200 Machine Learning detection for dropped file 78->200 202 Spreads via windows shares (copies files to share folders) 78->202 208 2 other signatures 78->208 83 svchost.exe 78->83         started        87 diskperf.exe 78->87         started        204 Sample uses process hollowing technique 81->204 206 Injects a PE file into a foreign processes 81->206 process24 file25 96 C:\Users\user\AppData\Local\stsys.exe, PE32 83->96 dropped 138 Drops executables to the windows directory (C:\Windows) and starts them 83->138 140 Installs a global keyboard hook 83->140 89 spoolsv.exe 83->89         started        signatures26 process27 signatures28 150 Spreads via windows shares (copies files to share folders) 89->150 152 Sample uses process hollowing technique 89->152 154 Injects a PE file into a foreign processes 89->154
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/641023ab7f00543ade8c31e6e417eab1b0683903efac1f21cababd55d19fe237/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 12:38:43 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mqichk37abkdvxumghtoif7kwgygqoid56wb6iokxk6vlum74i3q._file
Verdict:
suspicious
Similar samples:
4a9294b06d85ea14899e6a586e49fd8814ea499a168d6ea5434841ee9f531f1e
AveMariaRAT
4ecc19690cb79fbe1220b11ed2f779ed8f0fad8df07462eaf12d0a413d2e2e6e
AveMariaRAT
65c40d8f45a1f172d7ad8ceece8d7785788ba07b996403a017f9dd4d8a975d70
AveMariaRAT
66ad721d4568a5a8e5ef1a1efad188f4292398449b34daa68beab5e64a4a3a91
AveMariaRAT
7f1df3446a1e0130e99c6de60ab3aedebca5fa49f576591a0a6dfa14c7d9fd21
AveMariaRAT
83a4e0b8a56cfd55741c12a85af836036eb780e5005ec056eede4fc05166a799
AveMariaRAT
872705f378a258157e9f4ac2925994f96066dbc16d9b8bffc6f6be996c9db118
AveMariaRAT
b8fafb2dd4313003bd9417dce850f3471d97a97357b786d17ff62faba6742282
AveMariaRAT
cf994e926d6984b53ae1e5c6aae226db1632f530bec3b23eace16f35b1c7e6aa
AveMariaRAT
db0094e5713b5bb4ceed767aff4dcf6bf336fd7f1128b02bf80f9e9971d9194b
AveMariaRAT
+ 167 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat
Link:
https://tria.ge/reports/201110-129at6jq4n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments