MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ce65b62e4bfd353c95b4fce220c6a54a597c9632a7691e66ed67aa673e8d8ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ce65b62e4bfd353c95b4fce220c6a54a597c9632a7691e66ed67aa673e8d8ce
SHA3-384 hash: df2bf8825b4e918c7cbe5b6ed8f82a64c2ab352c3c9d6e1c738b0249dbfdb8d677cce33b6e3c46796524d668c42fa0e4
SHA1 hash: c255ed80effe51ed6fdb7d8b15e7ea761a4733d0
MD5 hash: 45043e3acc02951fd8abc45449ed57b8
humanhash: leopard-alaska-princess-utah
File name:7ce65b62e4bfd353c95b4fce220c6a54a597c9632a7691e66ed67aa673e8d8ce
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:3'015'295 bytes
First seen:2020-11-10 11:17:40 UTC
Last seen:2024-07-24 16:38:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep 24576:T3i7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHe:T3i7A3mw4gxeOw46fUbNecCCFbNecd
Threatray 3'562 similar samples on MalwareBazaar
TLSH A9D5BFE22D6D8487D74F89B7B85F701246429C3A2705F7BB273BDB8844E3682C6D5B06
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
56
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.Ep-7
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Cerber-6989221-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/529788
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Command shell drops VBS files
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 313991 Sample: LXyfj1Hjjv Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 131 Antivirus detection for dropped file 2->131 133 Antivirus / Scanner detection for submitted sample 2->133 135 Multi AV Scanner detection for submitted file 2->135 137 6 other signatures 2->137 13 LXyfj1Hjjv.exe 2->13         started        16 SyncHost.exe 2->16         started        18 wscript.exe 2->18         started        20 6 other processes 2->20 process3 dnsIp4 187 Detected unpacking (changes PE section rights) 13->187 189 Detected unpacking (creates a PE file in dynamic memory) 13->189 191 Detected unpacking (overwrites its own PE header) 13->191 203 3 other signatures 13->203 23 LXyfj1Hjjv.exe 1 51 13->23         started        26 cmd.exe 2 13->26         started        193 Antivirus detection for dropped file 16->193 195 Machine Learning detection for dropped file 16->195 197 Tries to detect sandboxes / dynamic malware analysis system (file name check) 16->197 199 Sample uses process hollowing technique 16->199 28 cmd.exe 16->28         started        31 StikyNot.exe 18->31         started        111 127.0.0.1 unknown unknown 20->111 201 Changes security center settings (notifications, updates, antivirus, firewall) 20->201 signatures5 process6 file7 157 Spreads via windows shares (copies files to share folders) 23->157 159 Writes to foreign memory regions 23->159 161 Allocates memory in foreign processes 23->161 163 Sample is not signed and drops a device driver 23->163 33 LXyfj1Hjjv.exe 1 3 23->33         started        37 diskperf.exe 5 23->37         started        165 Command shell drops VBS files 26->165 167 Drops VBS files to the startup folder 26->167 39 conhost.exe 26->39         started        105 C:\Users\user\AppData\Roaming\...\x.vbs, ASCII 28->105 dropped 169 Tries to detect sandboxes / dynamic malware analysis system (file name check) 31->169 171 Injects a PE file into a foreign processes 31->171 41 StikyNot.exe 31->41         started        43 cmd.exe 31->43         started        signatures8 process9 file10 91 C:\Windows\System\explorer.exe, PE32 33->91 dropped 139 Installs a global keyboard hook 33->139 45 explorer.exe 33->45         started        93 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 37->93 dropped 95 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 37->95 dropped 97 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 37->97 dropped 99 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 37->99 dropped 48 StikyNot.exe 37->48         started        141 Spreads via windows shares (copies files to share folders) 41->141 143 Sample uses process hollowing technique 41->143 145 Injects a PE file into a foreign processes 41->145 50 conhost.exe 43->50         started        signatures11 process12 signatures13 205 Antivirus detection for dropped file 45->205 207 Detected unpacking (changes PE section rights) 45->207 209 Detected unpacking (creates a PE file in dynamic memory) 45->209 217 4 other signatures 45->217 52 explorer.exe 47 45->52         started        56 cmd.exe 1 45->56         started        211 Multi AV Scanner detection for dropped file 48->211 213 Detected unpacking (overwrites its own PE header) 48->213 215 Machine Learning detection for dropped file 48->215 58 StikyNot.exe 46 48->58         started        60 cmd.exe 1 48->60         started        process14 file15 101 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 52->101 dropped 103 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 52->103 dropped 147 Injects code into the Windows Explorer (explorer.exe) 52->147 149 Drops executables to the windows directory (C:\Windows) and starts them 52->149 151 Spreads via windows shares (copies files to share folders) 52->151 155 2 other signatures 52->155 62 explorer.exe 3 17 52->62         started        67 diskperf.exe 52->67         started        69 conhost.exe 56->69         started        153 Injects a PE file into a foreign processes 58->153 71 StikyNot.exe 58->71         started        73 conhost.exe 60->73         started        signatures16 process17 dnsIp18 113 vccmd03.googlecode.com 62->113 115 vccmd02.googlecode.com 62->115 117 5 other IPs or domains 62->117 107 C:\Windows\System\spoolsv.exe, PE32 62->107 dropped 109 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 62->109 dropped 119 System process connects to network (likely due to code injection or exploit) 62->119 121 Creates an undocumented autostart registry key 62->121 123 Installs a global keyboard hook 62->123 75 spoolsv.exe 62->75         started        78 spoolsv.exe 62->78         started        file19 signatures20 process21 signatures22 173 Antivirus detection for dropped file 75->173 175 Detected unpacking (changes PE section rights) 75->175 177 Machine Learning detection for dropped file 75->177 179 Drops executables to the windows directory (C:\Windows) and starts them 75->179 80 spoolsv.exe 75->80         started        83 cmd.exe 75->83         started        181 Tries to detect sandboxes / dynamic malware analysis system (file name check) 78->181 183 Sample uses process hollowing technique 78->183 185 Injects a PE file into a foreign processes 78->185 85 cmd.exe 78->85         started        process23 signatures24 125 Spreads via windows shares (copies files to share folders) 80->125 127 Sample uses process hollowing technique 80->127 129 Injects a PE file into a foreign processes 80->129 87 conhost.exe 83->87         started        89 conhost.exe 85->89         started        process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ce65b62e4bfd353c95b4fce220c6a54a597c9632a7691e66ed67aa673e8d8ce/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 11:22:21 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pttfwyxex7jvhsk3j7hceddkksszpsldfj3jdzto2z5km47i3dha._file
Verdict:
unknown
Similar samples:
3591293a05792261840f36bdbff14ca1eb850764d074ee325cfc9c1351d2d1d9
AveMariaRAT
6f5c818cf92eae514225fa33f5f8a2004685e4760a0253bad5a7cc975c87b0c8
AveMariaRAT
790ada374a5746ba5c8118615dc54e246836a5fad99032fd1ebeb9488c196d7f
AveMariaRAT
81b20e60ad4f840303eb2d1b853e38e34cb779bfc7fe8089b100c52f3fe8b587
AveMariaRAT
9507af91a812af02c886d6eccf06af123d9b8346876f2c15187a8bcf86f4203e
AveMariaRAT
a425002cf906c94a18e2919275f05370df5daef4dd5c8ab041873439b17e1736
AveMariaRAT
a5358933cec70362ee1feeda944f7e3a045bbadc9e8b03cc117258c58a69cc78
AveMariaRAT
bcc0caa5fbae72926fb1d1004eaeb92e5d4abc12439cf92e1ee3ed4d427fa38c
AveMariaRAT
d49bf8b5ef7c4c8195b34f1468612abf2ff1e8200f64d1420fe974c994c6c5bf
AveMariaRAT
e761d308089dba30cc23f8878d984aa1f11b049f2f096e9766db3c92e1ccf290
AveMariaRAT
+ 3'552 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat
Link:
https://tria.ge/reports/201110-yw69hjwdks/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
7ce65b62e4bfd353c95b4fce220c6a54a597c9632a7691e66ed67aa673e8d8ce
MD5 hash:
45043e3acc02951fd8abc45449ed57b8
SHA1 hash:
c255ed80effe51ed6fdb7d8b15e7ea761a4733d0
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/26ffddd2-357b-4bbf-936d-2b5b86616163/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments