MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7226c2104db4f5714b012a97ca641a8402244746ec6cdddd574a68359ebf6b7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7226c2104db4f5714b012a97ca641a8402244746ec6cdddd574a68359ebf6b7b
SHA3-384 hash: 39c8c8db176347773f74a68891c968a94e9ec0015ac87fc03626dd6828d9058f1e1325281672a0f4de12276f73e74ac8
SHA1 hash: 20d489cf7f2d42cbfc9979330dca2bdb65f97ac0
MD5 hash: eb03abd2dc958becd1b9ab8ddedfad62
humanhash: xray-sink-oregon-kilo
File name:7226c2104db4f5714b012a97ca641a8402244746ec6cdddd574a68359ebf6b7b
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:3'015'319 bytes
First seen:2020-11-11 11:43:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep 24576:4xS7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHf:4xS7A3mw4gxeOw46fUbNecCCFbNec8
Threatray 3'734 similar samples on MalwareBazaar
TLSH 2BD5AEE6B99F48C3F73BA531610F79229294AE6E56006BA76B7FBD2040E71C3D253107
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.Ep-7
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Cerber-6989221-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/531694
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Command shell drops VBS files
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 314947 Sample: 8lgQ5lYdy7 Startdate: 12/11/2020 Architecture: WINDOWS Score: 100 134 Antivirus detection for dropped file 2->134 136 Antivirus / Scanner detection for submitted sample 2->136 138 Multi AV Scanner detection for submitted file 2->138 140 6 other signatures 2->140 13 8lgQ5lYdy7.exe 2->13         started        16 wscript.exe 1 2->16         started        18 svchost.exe 1 2->18         started        20 svchost.exe 2->20         started        process3 signatures4 194 Detected unpacking (changes PE section rights) 13->194 196 Detected unpacking (creates a PE file in dynamic memory) 13->196 198 Detected unpacking (overwrites its own PE header) 13->198 200 4 other signatures 13->200 22 8lgQ5lYdy7.exe 1 51 13->22         started        25 cmd.exe 2 13->25         started        27 StikyNot.exe 16->27         started        process5 signatures6 142 Spreads via windows shares (copies files to share folders) 22->142 144 Writes to foreign memory regions 22->144 146 Allocates memory in foreign processes 22->146 148 Sample is not signed and drops a device driver 22->148 29 8lgQ5lYdy7.exe 1 3 22->29         started        33 diskperf.exe 5 22->33         started        150 Command shell drops VBS files 25->150 152 Drops VBS files to the startup folder 25->152 35 conhost.exe 25->35         started        154 Tries to detect sandboxes / dynamic malware analysis system (file name check) 27->154 156 Injects a PE file into a foreign processes 27->156 37 StikyNot.exe 27->37         started        39 cmd.exe 27->39         started        process7 file8 104 C:\Windows\System\explorer.exe, PE32 29->104 dropped 202 Installs a global keyboard hook 29->202 41 explorer.exe 29->41         started        106 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 33->106 dropped 108 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 33->108 dropped 110 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 33->110 dropped 44 StikyNot.exe 33->44         started        204 Spreads via windows shares (copies files to share folders) 37->204 206 Sample uses process hollowing technique 37->206 208 Injects a PE file into a foreign processes 37->208 46 conhost.exe 39->46         started        signatures9 process10 signatures11 158 Antivirus detection for dropped file 41->158 160 Detected unpacking (changes PE section rights) 41->160 162 Detected unpacking (creates a PE file in dynamic memory) 41->162 170 3 other signatures 41->170 48 explorer.exe 47 41->48         started        52 cmd.exe 1 41->52         started        164 Detected unpacking (overwrites its own PE header) 44->164 166 Machine Learning detection for dropped file 44->166 168 Tries to detect sandboxes / dynamic malware analysis system (file name check) 44->168 54 StikyNot.exe 46 44->54         started        56 cmd.exe 1 44->56         started        process12 file13 92 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 48->92 dropped 94 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 48->94 dropped 124 Injects code into the Windows Explorer (explorer.exe) 48->124 126 Spreads via windows shares (copies files to share folders) 48->126 128 Writes to foreign memory regions 48->128 58 explorer.exe 3 17 48->58         started        63 diskperf.exe 48->63         started        65 conhost.exe 52->65         started        130 Allocates memory in foreign processes 54->130 132 Injects a PE file into a foreign processes 54->132 67 StikyNot.exe 54->67         started        69 diskperf.exe 54->69         started        71 conhost.exe 56->71         started        signatures14 process15 dnsIp16 112 vccmd03.googlecode.com 58->112 114 vccmd02.googlecode.com 58->114 116 5 other IPs or domains 58->116 98 C:\Windows\System\spoolsv.exe, PE32 58->98 dropped 100 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 58->100 dropped 186 System process connects to network (likely due to code injection or exploit) 58->186 188 Creates an undocumented autostart registry key 58->188 190 Installs a global keyboard hook 58->190 73 spoolsv.exe 58->73         started        76 spoolsv.exe 58->76         started        102 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 63->102 dropped 192 Drops executables to the windows directory (C:\Windows) and starts them 67->192 78 explorer.exe 67->78         started        file17 signatures18 process19 signatures20 172 Antivirus detection for dropped file 73->172 174 Detected unpacking (changes PE section rights) 73->174 176 Machine Learning detection for dropped file 73->176 178 Drops executables to the windows directory (C:\Windows) and starts them 73->178 80 spoolsv.exe 73->80         started        83 cmd.exe 73->83         started        180 Tries to detect sandboxes / dynamic malware analysis system (file name check) 76->180 182 Sample uses process hollowing technique 76->182 184 Injects a PE file into a foreign processes 76->184 85 cmd.exe 76->85         started        process21 file22 118 Spreads via windows shares (copies files to share folders) 80->118 120 Sample uses process hollowing technique 80->120 122 Injects a PE file into a foreign processes 80->122 88 conhost.exe 83->88         started        96 C:\Users\user\AppData\Roaming\...\x.vbs, ASCII 85->96 dropped 90 conhost.exe 85->90         started        signatures23 process24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7226c2104db4f5714b012a97ca641a8402244746ec6cdddd574a68359ebf6b7b/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-11 11:54:45 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oitmeecnwt2xcsybfkl4uza2qqbcir2g5rwn3xkxjjudlhv7nn5q._file
Verdict:
unknown
Similar samples:
0e56fbd03797d98d44f101dd0ee0a3dad8d9e286b2d43da8ee0deb4886fc3a54
AveMariaRAT
0e8ac4fb4a55e49a3ffc5d50c43f96f4592171195c48c9be46d6aa0a00f1f9a3
AveMariaRAT
1f8600b60d064d1ba46fda4940bf96dd4b51b8f0bb112be0788e057d2d9d447a
AveMariaRAT
2b55c32fcf66ab2f95d2a079de227e611ac12cc8308845fcb63d317107ee13cb
AveMariaRAT
304a878118613dd0bca8306e932b5f814e45d57a8638cd1412e6c278776538db
AveMariaRAT
5ef65706e9165e40e983264778a75f9606be4146a374497ab956a65cc019dfaa
AveMariaRAT
b0eaa2efe187733039268d68ec5cd916930eb30418149fa1a109ae9f9b478744
AveMariaRAT
b874fdd1d9afbc72e81c0610014252eef6b5a3bc8fc473519f3bd81707e67902
AveMariaRAT
c358da136ac250f6fcf88698e3a2cc32b40d4a9f86f20d4fd897655d40055bd4
AveMariaRAT
e761d308089dba30cc23f8878d984aa1f11b049f2f096e9766db3c92e1ccf290
AveMariaRAT
+ 3'724 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat
Link:
https://tria.ge/reports/201111-3yfm2yp756/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
7226c2104db4f5714b012a97ca641a8402244746ec6cdddd574a68359ebf6b7b
MD5 hash:
eb03abd2dc958becd1b9ab8ddedfad62
SHA1 hash:
20d489cf7f2d42cbfc9979330dca2bdb65f97ac0
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/4bef4c0d-dbf4-4fa2-a17e-b8dd80c11acd/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments