MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d405bdaaedf41102dc65233ebddc3a8d332aa9c548168da91e6b35a96630df0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d405bdaaedf41102dc65233ebddc3a8d332aa9c548168da91e6b35a96630df0
SHA3-384 hash: f5c3ce5fe81761fc9d976cfe8567f39e554667d78b4099f15ec15c1ce06519946ec5df013856768d3ea8e43ffa3bf18a
SHA1 hash: 29229ba3830a54a3cdc6a660465ea557aa0c90d2
MD5 hash: 0259d236d40a994d8b1f9297090be708
humanhash: juliet-sweet-pizza-music
File name:8d405bdaaedf41102dc65233ebddc3a8d332aa9c548168da91e6b35a96630df0
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'930'923 bytes
First seen:2020-11-12 14:38:43 UTC
Last seen:2024-07-24 18:49:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7be4c98eebb39d282cdffc1cea8fb470 (661 x AveMariaRAT, 29 x Riskware.Generic)
ssdeep 12288:2fBf0tknuqJ0ARDLniBqnaF6muVbdFvmuwaoix2tIAJZA7W2FeDSIGVH/KIDgDgt:aMhpMfxab0bdSmHQDbGV6eH8tkT
Threatray 98 similar samples on MalwareBazaar
TLSH 75958DE177690A6BC40735B17A0FC5B098167E6A0740B76F77AF7C18E4A334168E6AC3
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
58
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Daqc-6598201-0
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Eclv-9782803-0
Create hunting rule

Win.Malware.Eclv-9782804-0
Create hunting rule

Win.Malware.Eclv-9782973-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/533409
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 315809 Sample: h1q735CyTR Startdate: 13/11/2020 Architecture: WINDOWS Score: 100 109 Antivirus detection for dropped file 2->109 111 Antivirus / Scanner detection for submitted sample 2->111 113 Multi AV Scanner detection for submitted file 2->113 115 6 other signatures 2->115 12 h1q735CyTR.exe 1 51 2->12         started        15 StikyNot.exe 46 2->15         started        17 StikyNot.exe 2->17         started        19 3 other processes 2->19 process3 signatures4 145 Detected unpacking (changes PE section rights) 12->145 147 Detected unpacking (creates a PE file in dynamic memory) 12->147 149 Detected unpacking (overwrites its own PE header) 12->149 161 4 other signatures 12->161 21 h1q735CyTR.exe 1 3 12->21         started        25 diskperf.exe 4 12->25         started        151 Antivirus detection for dropped file 15->151 153 Machine Learning detection for dropped file 15->153 155 Spreads via windows shares (copies files to share folders) 15->155 27 StikyNot.exe 15->27         started        29 diskperf.exe 15->29         started        157 Sample uses process hollowing technique 17->157 159 Injects a PE file into a foreign processes 17->159 31 WerFault.exe 19->31         started        process5 file6 85 C:\Windows\System\explorer.exe, PE32 21->85 dropped 131 Installs a global keyboard hook 21->131 33 explorer.exe 47 21->33         started        87 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 25->87 dropped 89 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 25->89 dropped 91 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 25->91 dropped 133 Drops executables to the windows directory (C:\Windows) and starts them 27->133 37 explorer.exe 27->37         started        signatures7 process8 file9 83 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 33->83 dropped 117 Antivirus detection for dropped file 33->117 119 Machine Learning detection for dropped file 33->119 121 Injects code into the Windows Explorer (explorer.exe) 33->121 129 4 other signatures 33->129 39 explorer.exe 3 17 33->39         started        44 diskperf.exe 33->44         started        123 Spreads via windows shares (copies files to share folders) 37->123 125 Sample uses process hollowing technique 37->125 127 Injects a PE file into a foreign processes 37->127 signatures10 process11 dnsIp12 103 vccmd03.googlecode.com 39->103 105 vccmd02.googlecode.com 39->105 107 5 other IPs or domains 39->107 93 C:\Windows\System\spoolsv.exe, PE32 39->93 dropped 95 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 39->95 dropped 135 System process connects to network (likely due to code injection or exploit) 39->135 137 Creates an undocumented autostart registry key 39->137 139 Installs a global keyboard hook 39->139 46 spoolsv.exe 48 39->46         started        50 spoolsv.exe 46 39->50         started        52 spoolsv.exe 39->52         started        54 4 other processes 39->54 file13 signatures14 process15 file16 99 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 46->99 dropped 101 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 46->101 dropped 177 Antivirus detection for dropped file 46->177 179 Detected unpacking (changes PE section rights) 46->179 181 Detected unpacking (creates a PE file in dynamic memory) 46->181 193 4 other signatures 46->193 56 spoolsv.exe 46->56         started        60 diskperf.exe 46->60         started        183 Spreads via windows shares (copies files to share folders) 50->183 185 Writes to foreign memory regions 50->185 187 Allocates memory in foreign processes 50->187 62 spoolsv.exe 50->62         started        64 diskperf.exe 50->64         started        189 Drops executables to the windows directory (C:\Windows) and starts them 52->189 191 Injects a PE file into a foreign processes 52->191 72 2 other processes 52->72 66 spoolsv.exe 54->66         started        68 spoolsv.exe 54->68         started        70 spoolsv.exe 54->70         started        74 5 other processes 54->74 signatures17 process18 file19 97 C:\Windows\System\svchost.exe, PE32 56->97 dropped 141 Installs a global keyboard hook 56->141 76 svchost.exe 56->76         started        143 Drops executables to the windows directory (C:\Windows) and starts them 62->143 79 svchost.exe 62->79         started        signatures20 process21 signatures22 163 Antivirus detection for dropped file 76->163 165 Detected unpacking (changes PE section rights) 76->165 167 Detected unpacking (overwrites its own PE header) 76->167 169 Machine Learning detection for dropped file 76->169 81 svchost.exe 76->81         started        171 Spreads via windows shares (copies files to share folders) 79->171 173 Sample uses process hollowing technique 79->173 175 Injects a PE file into a foreign processes 79->175 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d405bdaaedf41102dc65233ebddc3a8d332aa9c548168da91e6b35a96630df0/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 14:41:50 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rvafxwvo35aralogkiz6xxodvdjtfku4ksawrwur42zvvftdbxya._file
Verdict:
suspicious
Similar samples:
1b65bdc6ffaa9917a397512ec6a3e40cbb93d531691a7b58562db51be68c3830
AveMariaRAT
452b5876fcb121316ad7d3ef6b2a6458e799ca73b4a17f72d4e11d17eefed9a9
AveMariaRAT
66ad721d4568a5a8e5ef1a1efad188f4292398449b34daa68beab5e64a4a3a91
AveMariaRAT
8220a8c4adb4f8132d5586dac58766a76c873d3eba42e0f0c2c772a60f9a04be
AveMariaRAT
919bf9b29063c956860ae23541520867510a4d7197504d885c3b4e4b841aa4c6
AveMariaRAT
9750507a265b34dfac0e3818ca7e3f3859333320a448d8682e1a2ca1a0d55d4f
AveMariaRAT
b05b676fcd96d5f2399989accf27abca7551c727c84c5a2752396d3e971c02ca
AveMariaRAT
bf340400a994242fec4944db5ec1372a93eb4ed18440e45f7ea4c2b53ff12f1a
AveMariaRAT
e9d9443947b693b52dcbc27a0da86e3a5d5cafe2d9023e792ee573c52b0fc148
AveMariaRAT
faa906d161804e4f5b1484b939fab59dcf3af6243cea75fe121cb41375d1d2f1
AveMariaRAT
+ 88 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat
Link:
https://tria.ge/reports/201112-nxjywfkt26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
8d405bdaaedf41102dc65233ebddc3a8d332aa9c548168da91e6b35a96630df0
MD5 hash:
0259d236d40a994d8b1f9297090be708
SHA1 hash:
29229ba3830a54a3cdc6a660465ea557aa0c90d2
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/ae2a7b37-ffb4-4af6-a10d-9773aa01ecb5/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments