MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69e7e28dbc75b98feb6a8cba124d69111467fa913d94bd1065546b9437cbc383. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 10

SHA256 hash: 69e7e28dbc75b98feb6a8cba124d69111467fa913d94bd1065546b9437cbc383
SHA3-384 hash: c1c5ee37514f343c72fe60845b3a5b737429f8b69db140903977df032306f787dd860e414cb2c74a2cf6e05b54f69e09
SHA1 hash: d1c1df08d9060254efc4eb50bb3a5cb7296bf25d
MD5 hash: 8cc0f0738cc695baadddb3eeb3841f0f
humanhash: california-mockingbird-burger-king
File name: 69e7e28dbc75b98feb6a8cba124d69111467fa913d94bd1065546b9437cbc383
Signature: AveMariaRAT
File size: 3'015'281 bytes
First seen: 2020-11-15 23:20:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep: 24576:WbJ7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHb:WbJ7A3mw4gxeOw46fUbNecCCFbNec0
Threatray: 4'400 similar samples on MalwareBazaar
TLSH: A2D5AFE7F8A944A7E61B51B3A04F1710D5C86E358740F3AB6F3BEA01EC561F1928178B
Reporter: seifreed
Tags: AveMariaRAT
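The four cryptographic hashes above are the simplest way to match a file found on a host against this entry. The script below is an added example (not MalwareBazaar's own client or code from this page): it hashes a file once with all four algorithms, reports which ones match the published values, and includes a helper that pulls the entry from the MalwareBazaar API. The API endpoint, the `query=get_info` parameter, the `Auth-Key` header and the response field names are the example's assumptions about the public API and are not exercised offline; the response object at the bottom is constructed from this page's values to exercise the parser.

```python
"""Match a local file against this entry's hashes; optionally fetch the entry from MalwareBazaar.

Added example, not MalwareBazaar's own code. The hash set is copied from this page.
API endpoint, parameters, auth header and response fields are assumptions about the
public abuse.ch API and are not called by the offline checks.
"""
import hashlib
import io
import json
import urllib.parse
import urllib.request

# Hashes published for this sample on this page.
SAMPLE_HASHES = {
    "sha256": "69e7e28dbc75b98feb6a8cba124d69111467fa913d94bd1065546b9437cbc383",
    "sha3_384": "c1c5ee37514f343c72fe60845b3a5b737429f8b69db140903977df032306f787dd860e414cb2c74a2cf6e05b54f69e09",
    "sha1": "d1c1df08d9060254efc4eb50bb3a5cb7296bf25d",
    "md5": "8cc0f0738cc695baadddb3eeb3841f0f",
}


def digest_all(source, chunk_size=1 << 20):
    """Hash bytes or a binary file object in one pass with every algorithm in SAMPLE_HASHES."""
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    hashers = {name: hashlib.new(name) for name in SAMPLE_HASHES}
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_ioc(source, iocs=SAMPLE_HASHES):
    """Names of the algorithms whose digest equals the IOC value; empty list means no match.

    Any match is a hit. A partial match (for example md5 only, sha256 differing) points at a
    collision or a transcription error in the IOC list and should be looked at, not ignored.
    """
    digests = digest_all(source)
    return sorted(name for name, value in digests.items()
                  if iocs.get(name, "").lower() == value)


MB_API = "https://mb-api.abuse.ch/api/v1/"  # assumed endpoint


def fetch_entry(sha256, auth_key, timeout=20):
    """POST query=get_info for one hash; returns the parsed JSON body (shape assumed)."""
    body = urllib.parse.urlencode({"query": "get_info", "hash": sha256}).encode()
    req = urllib.request.Request(MB_API, data=body, headers={"Auth-Key": auth_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(entry):
    """Extract the triage-relevant fields from a get_info response (field names assumed)."""
    if entry.get("query_status") != "ok":
        return None
    d = entry["data"][0]
    return {
        "signature": d.get("signature"),
        "file_type": d.get("file_type"),
        "first_seen": d.get("first_seen"),
        "tags": list(d.get("tags") or []),
        "yara": [r.get("rule_name") for r in (d.get("yara_rules") or [])],
    }


# Constructed response mirroring this page's values, used to exercise summarize() offline.
CONSTRUCTED_RESPONSE = {
    "query_status": "ok",
    "data": [{
        "sha256_hash": SAMPLE_HASHES["sha256"],
        "signature": "AveMariaRAT",
        "file_type": "exe",
        "first_seen": "2020-11-15 23:20:55",
        "tags": ["AveMariaRAT"],
        "yara_rules": [{"rule_name": "ave_maria_warzone_rat", "author": "jeFF0Falltrades"}],
    }],
}

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, match_ioc(fh) or "no match")
    print(summarize(CONSTRUCTED_RESPONSE))
```

Run it as `python check.py suspect.exe` to test a file on disk; `fetch_entry(SAMPLE_HASHES["sha256"], key)` needs network access and an abuse.ch key and is deliberately not run by the offline checks.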

Intelligence

File Origin
# of uploads: 1
# of downloads: 164
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a window
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AveMaria
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Command shell drops VBS files
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 317497
Sample: BIUnOgJ4VW
Start date: 16/11/2020
Architecture: WINDOWS
Score: 100
Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures

Process tree recorded in the graph (dropped files, network contacts and per-process signatures listed under the process they were attributed to; truncated paths are shown as the graph shows them):

BIUnOgJ4VW.exe
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); 4 other signatures
  BIUnOgJ4VW.exe
    signatures: Spreads via windows shares (copies files to share folders); Writes to foreign memory regions; Allocates memory in foreign processes; Sample is not signed and drops a device driver
    BIUnOgJ4VW.exe
      network: 192.168.2.1
      dropped: C:\Windows\System\explorer.exe (PE32)
      signatures: Installs a global keyboard hook
      explorer.exe
        signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); 3 other signatures
        explorer.exe
          dropped: C:\Users\user\AppData\Local\Temp\Disk.sys (PE32); C:\Users\user\AppData\Local\...\SyncHost.exe (PE32)
          signatures: Injects code into the Windows Explorer (explorer.exe); Spreads via windows shares (copies files to share folders); Writes to foreign memory regions; Allocates memory in foreign processes
          explorer.exe
            dropped: C:\Windows\System\spoolsv.exe (PE32); C:\Users\user\AppData\Roaming\mrsys.exe (PE32)
            signatures: Creates an undocumented autostart registry key; Installs a global keyboard hook
            spoolsv.exe
              signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); 2 other signatures
              spoolsv.exe
                spoolsv.exe
                  signatures: Installs a global keyboard hook
              cmd.exe
                conhost.exe
            spoolsv.exe
              signatures: Tries to detect sandboxes / dynamic malware analysis system (file name check); Drops executables to the windows directory (C:\Windows) and starts them; Injects a PE file into a foreign processes
              spoolsv.exe
                dropped: C:\Users\user\AppData\Local\...\StikyNot.exe (PE32)
                signatures: Spreads via windows shares (copies files to share folders); Sample uses process hollowing technique; Injects a PE file into a foreign processes
              cmd.exe
                dropped: C:\Users\user\AppData\Roaming\...\x.vbs (ASCII)
                conhost.exe
            spoolsv.exe
              spoolsv.exe
              cmd.exe
                conhost.exe
          diskperf.exe
        cmd.exe
          conhost.exe
    diskperf.exe
      dropped: C:\Users\user\...\Disk.sys:Zone.Identifier (ASCII); C:\Users\...\SyncHost.exe:Zone.Identifier (ASCII); C:\Users\...\StikyNot.exe:Zone.Identifier (ASCII)
      StikyNot.exe
        signatures: Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; Tries to detect sandboxes / dynamic malware analysis system (file name check)
        StikyNot.exe
          signatures: Injects a PE file into a foreign processes
          StikyNot.exe
          diskperf.exe
        cmd.exe
          conhost.exe
  cmd.exe
    signatures: Command shell drops VBS files; Drops VBS files to the startup folder
    conhost.exe
wscript.exe
  signatures: Injects code into the Windows Explorer (explorer.exe)
  explorer.exe
    signatures: Tries to detect sandboxes / dynamic malware analysis system (file name check); Injects code into the Windows Explorer (explorer.exe); Injects a PE file into a foreign processes
    explorer.exe
      signatures: Injects code into the Windows Explorer (explorer.exe); Drops executables to the windows directory (C:\Windows) and starts them; Spreads via windows shares (copies files to share folders); Injects a PE file into a foreign processes
      explorer.exe
        signatures: Installs a global keyboard hook
      diskperf.exe
    cmd.exe
      conhost.exe
svchost.exe
Threat name: Win32.Spyware.AveMaria
Status: Malicious
First seen: 2020-11-15 23:22:45 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 2/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat evasion infostealer persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
WarzoneRat, AveMaria
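Three of the behaviours reported for this sample (system binary names such as explorer.exe and spoolsv.exe dropped under C:\Windows\System and executed from there, a VBS file written to the Startup folder, and a Run key / Winlogon autorun entry) are the ones most worth turning into host-side detections, and they correspond to the Sigma matches "System File Execution Location Anomaly" and "Drops script at startup location" listed by the sandbox. The script below is an added example, not code from MalwareBazaar or any sandbox vendor: it applies a reduced version of those checks to constructed Sysmon-style event records. The expected-location table is the example's own (a small subset of what the real Sigma rule encodes); the event field names, the full Startup-folder path of x.vbs and the Run value name are assumptions, since the page only shows truncated paths.

```python
"""Triage rules for the masquerading and persistence behaviours listed on this page.

Added example, not vendor or MalwareBazaar code. SAMPLE_EVENTS are constructed
Sysmon-style records whose paths reuse those in the sandbox graph; the event field
names, the Startup-folder path of x.vbs and the Run value name are assumptions.
"""
import ntpath
import re

# Where Windows actually installs these binaries (example's own reduced table, in the
# spirit of the "System File Execution Location Anomaly" Sigma rule).
EXPECTED_DIRS = {
    "explorer.exe": {"c:\\windows"},
    "spoolsv.exe": {"c:\\windows\\system32"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "wscript.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "conhost.exe": {"c:\\windows\\system32"},
}

STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1")

# Run/RunOnce values and the Winlogon Shell/Userinit values are classic autorun points.
AUTORUN_KEYS = (
    re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I),
    re.compile(r"\\software\\microsoft\\windows nt\\currentversion\\winlogon\\(shell|userinit)$", re.I),
)


def system_name_location_anomaly(image):
    """True when a well-known system binary name runs from a directory it does not live in."""
    head, name = ntpath.split(image)
    name = name.lower()
    if name not in EXPECTED_DIRS:
        return False
    return head.lower().rstrip("\\") not in EXPECTED_DIRS[name]


def startup_script_drop(target):
    """True when a script file is created inside a per-user or all-users Startup folder."""
    low = target.lower()
    return STARTUP_DIR in low and low.endswith(SCRIPT_EXTS)


def autorun_registry_write(target):
    """True when a value under Run/RunOnce or the Winlogon Shell/Userinit value is set."""
    return any(p.search(target) for p in AUTORUN_KEYS)


def triage(events):
    """Return (rule, event) pairs for every event that trips a rule, in event order."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create" and system_name_location_anomaly(ev["image"]):
            hits.append(("system_file_execution_location_anomaly", ev))
        elif ev["type"] == "file_create" and startup_script_drop(ev["target"]):
            hits.append(("drops_script_at_startup_location", ev))
        elif ev["type"] == "registry_set" and autorun_registry_write(ev["target"]):
            hits.append(("autorun_registry_key", ev))
    return hits


# Constructed events modelled on the sandbox graph; see the assumptions in the docstring.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\explorer.exe"},               # legitimate
    {"type": "process_create", "image": "C:\\Windows\\System\\explorer.exe"},       # dropped copy
    {"type": "process_create", "image": "C:\\Windows\\System\\spoolsv.exe"},        # dropped copy
    {"type": "process_create", "image": "C:\\Users\\user\\AppData\\Roaming\\mrsys.exe"},  # not a system name
    {"type": "file_create",   # assumed full path of the truncated ...\x.vbs in the graph
     "target": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.vbs"},
    {"type": "registry_set",  # assumed value name
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "registry_set",
     "target": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"},
    {"type": "registry_set",  # hidden-file toggle from the behaviour list; not an autorun point
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev.get("image") or ev.get("target"))
```

The location check deliberately keys on the file name only, which is what makes the dropped C:\Windows\System\explorer.exe stand out while the real C:\Windows\explorer.exe passes; a lookalike with a different name (mrsys.exe) needs a different rule, for example the Run key write that starts it.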
Unpacked files
SHA256 hash: 69e7e28dbc75b98feb6a8cba124d69111467fa913d94bd1065546b9437cbc383
MD5 hash: 8cc0f0738cc695baadddb3eeb3841f0f
SHA1 hash: d1c1df08d9060254efc4eb50bb3a5cb7296bf25d
Detections: win_ave_maria_g0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ave_maria_warzone_rat
Author: jeFF0Falltrades

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: Codoso_Gh0st_1
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: RDPWrap
Author: @bartblaze
Description: Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference: https://github.com/stascorp/rdpwrap

Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments