MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 646382d8d97656327a6c0ceaf3e4123b7b39b5a52cc24de530304da75928d0d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 6 File information Comments

SHA256 hash:	646382d8d97656327a6c0ceaf3e4123b7b39b5a52cc24de530304da75928d0d0
SHA3-384 hash:	71150cb608cf8d46be0b5e4290049690c16d0e4d640c07ef610ff91b1f0dea0d65c3658f83d3eb5b26a40190d838cddb
SHA1 hash:	1e92ddbfcf0686af4202286a7c4ababa9abd5cd9
MD5 hash:	58d13de5b1c8e8b38686dc023eb4c162
humanhash:	music-solar-berlin-nine
File name:	646382d8d97656327a6c0ceaf3e4123b7b39b5a52cc24de530304da75928d0d0
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	3'015'421 bytes
First seen:	2020-11-12 14:15:05 UTC
Last seen:	2024-07-24 15:09:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep	24576:jC57A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH5:jC57A3mw4gxeOw46fUbNecCCFbNece
Threatray	3'863 similar samples on MalwareBazaar
TLSH	57D5BED3F7688547EB335D32760FA5309948B83AB2467B5BA73B9F04508738942523AF
Reporter	seifreed
Tags:	AveMariaRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Running batch commands

Creating a process with a hidden window

Forced system process termination

Creating a window

Creating a file in the %temp% directory

Creating a file

Launching a process

Creating a file in the Windows subdirectories

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Creating a file in the mass storage device

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/646382d8d97656327a6c0ceaf3e4123b7b39b5a52cc24de530304da75928d0d0/

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2020-11-12 14:17:55 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mrryfwgzozlde6tmbtvphzashn5ttnnfftbe3zjqgbg2owji2dia._file

Verdict:

suspicious

AveMariaRAT

081ce58266d31a5de4f64038f6157267ed0b81c2ea3a25cbf336f7f2f60c86aa

AveMariaRAT

1cfea3d02575ae87c924799eb10ed2cad9e37e0b44a70fc709cc740732dead05

AveMariaRAT

3a65243f9c90c4da9e2eba16f82e9f0c6e963a887a494862e3ab0bf34ad087cf

AveMariaRAT

4f6087282c3216dd8f6f94de3914d2a55b10d1c7a2d0e0a674d46b2734ee8e13

AveMariaRAT

5e7083258eaae58ea9899f5d8227c15f1d73705111df6e5713a93027230e62cd

AveMariaRAT

67b5dff4446d1a79f3af65c95f52d45f7a819c0e15215bbcf26fdedeafed00f4

AveMariaRAT

720d5efa9da834f02070731e4c63ba4f88bf047fd4e514369abc177183facfc1

AveMariaRAT

afcb9b9cea390afa06e9e54614c8f076d46e6287580dde8580bc7709801e1722

AveMariaRAT

ba7c1af5ac4f1146d26e048f792d6edd3464788706ec698208a806cbb52f9aaa

AveMariaRAT

+ 3'853 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat evasion infostealer persistence rat

Link:

https://tria.ge/reports/201112-8zha6xa9fs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

Loads dropped DLL

Executes dropped EXE

Modifies Installed Components in the registry

Warzone RAT Payload

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

WarzoneRat, AveMaria

Unpacked files

SH256 hash:

646382d8d97656327a6c0ceaf3e4123b7b39b5a52cc24de530304da75928d0d0

MD5 hash:

58d13de5b1c8e8b38686dc023eb4c162

SHA1 hash:

1e92ddbfcf0686af4202286a7c4ababa9abd5cd9

Detections:

win_ave_maria_g0

Link:

https://www.unpac.me/results/c5f4e573-6619-4e6c-a9f0-25212a5afb34/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	UAC_bypass_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample