MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f266c2151d06f1fa647531d0c8eeea576f149561bf0b49e2a1186d876cc5d33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f266c2151d06f1fa647531d0c8eeea576f149561bf0b49e2a1186d876cc5d33
SHA3-384 hash: a031fb6f11039e581b7a9a8cdc9f77d8780638e8ffc99361e7e1ed94499fb8ae13df7ef888334f3d782b13cdd70274dd
SHA1 hash: 962615c1dff3c32190adaf122cc674d209b5837a
MD5 hash: ac665770f3d90846f49b32f5c5166b2a
humanhash: uncle-iowa-happy-pluto
File name:7f266c2151d06f1fa647531d0c8eeea576f149561bf0b49e2a1186d876cc5d33
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:3'338'884 bytes
First seen:2020-11-14 18:30:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7be4c98eebb39d282cdffc1cea8fb470 (661 x AveMariaRAT, 29 x Riskware.Generic)
ssdeep 24576:8wgpuyuN99z9E3TmQDbGV6eH8tkOIbGD2JTu0GoWQDbGV6eH8tk8:8wuJ6563bNecSC0bNecB
Threatray 235 similar samples on MalwareBazaar
TLSH BFF57E526644005FE6372AB2F40FE622CB623F6C2790779F2F763E198EB3255A057742
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Daqc-6598201-0
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Eclv-9782803-0
Create hunting rule

Win.Malware.Eclv-9782804-0
Create hunting rule

Win.Malware.Eclv-9782973-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/535022
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316610 Sample: ppPqHVzml4 Startdate: 14/11/2020 Architecture: WINDOWS Score: 100 107 Antivirus detection for dropped file 2->107 109 Antivirus / Scanner detection for submitted sample 2->109 111 Multi AV Scanner detection for submitted file 2->111 113 6 other signatures 2->113 11 ppPqHVzml4.exe 1 51 2->11         started        15 StikyNot.exe 47 2->15         started        17 StikyNot.exe 2->17         started        19 7 other processes 2->19 process3 dnsIp4 93 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 11->93 dropped 95 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 11->95 dropped 143 Detected unpacking (changes PE section rights) 11->143 145 Detected unpacking (overwrites its own PE header) 11->145 147 Spreads via windows shares (copies files to share folders) 11->147 159 3 other signatures 11->159 22 ppPqHVzml4.exe 1 3 11->22         started        26 diskperf.exe 11->26         started        97 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 15->97 dropped 149 Antivirus detection for dropped file 15->149 151 Detected unpacking (creates a PE file in dynamic memory) 15->151 153 Machine Learning detection for dropped file 15->153 161 2 other signatures 15->161 28 StikyNot.exe 15->28         started        30 diskperf.exe 15->30         started        155 Injects a PE file into a foreign processes 17->155 32 StikyNot.exe 17->32         started        99 127.0.0.1 unknown unknown 19->99 157 Changes security center settings (notifications, updates, antivirus, firewall) 19->157 file5 signatures6 process7 file8 85 C:\Windows\System\explorer.exe, PE32 22->85 dropped 129 Installs a global keyboard hook 22->129 34 explorer.exe 47 22->34         started        131 Drops executables to the windows directory (C:\Windows) and starts them 28->131 38 explorer.exe 28->38         started        signatures9 process10 file11 81 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 34->81 dropped 83 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 34->83 dropped 115 Antivirus detection for dropped file 34->115 117 Detected unpacking (creates a PE file in dynamic memory) 34->117 119 Machine Learning detection for dropped file 34->119 127 6 other signatures 34->127 40 explorer.exe 3 17 34->40         started        45 diskperf.exe 34->45         started        121 Spreads via windows shares (copies files to share folders) 38->121 123 Sample uses process hollowing technique 38->123 125 Injects a PE file into a foreign processes 38->125 signatures12 process13 dnsIp14 101 74.125.143.82, 49720, 49742, 49754 GOOGLEUS United States 40->101 103 vccmd03.googlecode.com 40->103 105 6 other IPs or domains 40->105 89 C:\Windows\System\spoolsv.exe, PE32 40->89 dropped 91 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 40->91 dropped 137 System process connects to network (likely due to code injection or exploit) 40->137 139 Creates an undocumented autostart registry key 40->139 141 Installs a global keyboard hook 40->141 47 spoolsv.exe 46 40->47         started        50 spoolsv.exe 46 40->50         started        52 spoolsv.exe 40->52         started        54 4 other processes 40->54 file15 signatures16 process17 signatures18 173 Antivirus detection for dropped file 47->173 175 Detected unpacking (changes PE section rights) 47->175 177 Detected unpacking (creates a PE file in dynamic memory) 47->177 191 3 other signatures 47->191 56 spoolsv.exe 47->56         started        60 diskperf.exe 47->60         started        179 Spreads via windows shares (copies files to share folders) 50->179 181 Writes to foreign memory regions 50->181 183 Allocates memory in foreign processes 50->183 62 spoolsv.exe 50->62         started        64 diskperf.exe 50->64         started        185 Drops executables to the windows directory (C:\Windows) and starts them 52->185 187 Injects a PE file into a foreign processes 52->187 66 spoolsv.exe 52->66         started        68 diskperf.exe 52->68         started        189 Sample uses process hollowing technique 54->189 70 spoolsv.exe 54->70         started        72 spoolsv.exe 54->72         started        74 2 other processes 54->74 process19 file20 87 C:\Windows\System\svchost.exe, PE32 56->87 dropped 133 Installs a global keyboard hook 56->133 76 svchost.exe 56->76         started        135 Drops executables to the windows directory (C:\Windows) and starts them 62->135 79 svchost.exe 62->79         started        signatures21 process22 signatures23 163 Antivirus detection for dropped file 76->163 165 Machine Learning detection for dropped file 76->165 167 Spreads via windows shares (copies files to share folders) 76->167 169 Sample uses process hollowing technique 79->169 171 Injects a PE file into a foreign processes 79->171
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f266c2151d06f1fa647531d0c8eeea576f149561bf0b49e2a1186d876cc5d33/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:35:33 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p4tgyikr2bxr7jshkmoqzdxouv3pcskwdpyljhrkcgdnq5wmluzq._file
Verdict:
unknown
Similar samples:
0590d0aecfea1d3587163f930592279d14e709579f36392dd984afb3cd73fe55
AveMariaRAT
2cbc7c66f352d7095de75a1670784805726b8413b1795bc9a6e4b5ba61ca6cff
AveMariaRAT
4502947e357064b61ddf9ac47b939e5db6458099c959c357b999a125d27ff0fe
AveMariaRAT
4a9294b06d85ea14899e6a586e49fd8814ea499a168d6ea5434841ee9f531f1e
AveMariaRAT
75b5924059485247b806f567965abe6b67a5eac4f2a170d891a3eb620b68555f
AveMariaRAT
819213dcbaba4adab07064fb70f88e4a73f15294635ac0291d5809610151a92f
AveMariaRAT
81ed3f8f6d90a3100f95802d859c1556e974c932e8d7487bf58321651dcff2d6
AveMariaRAT
8dfe00633071fa4e719acd5e638596c35646c937ef1488528ffe6904cb61054f
AveMariaRAT
bc02ea5cec64a11fe6de318b33b326406975d85c46b58a094a6d893a09f6ed83
AveMariaRAT
e9d9443947b693b52dcbc27a0da86e3a5d5cafe2d9023e792ee573c52b0fc148
AveMariaRAT
+ 225 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat
Link:
https://tria.ge/reports/201114-va49dv92hj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
7f266c2151d06f1fa647531d0c8eeea576f149561bf0b49e2a1186d876cc5d33
MD5 hash:
ac665770f3d90846f49b32f5c5166b2a
SHA1 hash:
962615c1dff3c32190adaf122cc674d209b5837a
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/dca3fc69-f71a-445f-b263-c1e9074822e5/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments