MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9826893a1ba9d3eec7c6a165652b14174ec199ca665662bf1b6122000c0876f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9826893a1ba9d3eec7c6a165652b14174ec199ca665662bf1b6122000c0876f5
SHA3-384 hash: 3166b558b167fbb0fccfd9dd63c22438b21bf8d167eab6c158e10162abe661eab5a9b8e5e766887d4e4c6c0d63ed60aa
SHA1 hash: 487c2d9da32ce169bdb8de242183dd018eaa1228
MD5 hash: 92f7686f16f573b9c7edfc1879d46d3f
humanhash: mango-mexico-delaware-three
File name:9826893a1ba9d3eec7c6a165652b14174ec199ca665662bf1b6122000c0876f5
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:3'155'060 bytes
First seen:2020-11-14 17:58:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7be4c98eebb39d282cdffc1cea8fb470 (661 x AveMariaRAT, 29 x Riskware.Generic)
ssdeep 24576:Ore7+5vBX/8zZJQDbGV6eH81kWIbGD2JTu0GoZQDbGV6eH81kX:Xa/42bNecYCFbNec4
Threatray 65 similar samples on MalwareBazaar
TLSH CDE5AE913A63205BE61335B5790FE3B0A854BC3B1B80E75B677F3E19DA672807253287
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Daqc-6598201-0
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Eclv-9782803-0
Create hunting rule

Win.Malware.Eclv-9782804-0
Create hunting rule

Win.Malware.Eclv-9782973-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Creating a file in the mass storage device
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/536143
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide user accounts
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Spreads via windows shares (copies files to share folders)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 317171 Sample: PSmw2FfHOt Startdate: 15/11/2020 Architecture: WINDOWS Score: 100 69 Antivirus detection for dropped file 2->69 71 Antivirus / Scanner detection for submitted sample 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 5 other signatures 2->75 8 PSmw2FfHOt.exe 1 51 2->8         started        11 StikyNot.exe 49 2->11         started        13 StikyNot.exe 49 2->13         started        process3 signatures4 77 Detected unpacking (changes PE section rights) 8->77 79 Detected unpacking (creates a PE file in dynamic memory) 8->79 81 Detected unpacking (overwrites its own PE header) 8->81 87 3 other signatures 8->87 15 diskperf.exe 5 8->15         started        17 PSmw2FfHOt.exe 1 3 8->17         started        83 Spreads via windows shares (copies files to share folders) 11->83 85 Injects a PE file into a foreign processes 11->85 19 StikyNot.exe 2 11->19         started        21 diskperf.exe 11->21         started        23 StikyNot.exe 2 13->23         started        25 diskperf.exe 13->25         started        process5 process6 27 StikyNot.exe 49 15->27         started        30 StikyNot.exe 15->30         started        33 StikyNot.exe 49 15->33         started        35 StikyNot.exe 49 15->35         started        file7 89 Antivirus detection for dropped file 27->89 91 Detected unpacking (changes PE section rights) 27->91 93 Detected unpacking (creates a PE file in dynamic memory) 27->93 103 2 other signatures 27->103 37 StikyNot.exe 2 27->37         started        40 diskperf.exe 27->40         started        55 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 30->55 dropped 57 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 30->57 dropped 59 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 30->59 dropped 61 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 30->61 dropped 95 Spreads via windows shares (copies files to share folders) 30->95 97 Writes to foreign memory regions 30->97 99 Allocates memory in foreign processes 30->99 42 StikyNot.exe 30->42         started        44 diskperf.exe 30->44         started        101 Injects a PE file into a foreign processes 33->101 46 diskperf.exe 4 33->46         started        49 StikyNot.exe 2 33->49         started        51 StikyNot.exe 35->51         started        53 diskperf.exe 35->53         started        signatures8 process9 dnsIp10 67 192.168.2.1 unknown unknown 37->67 63 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 46->63 dropped 65 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 46->65 dropped file11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9826893a1ba9d3eec7c6a165652b14174ec199ca665662bf1b6122000c0876f5/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 17:59:34 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tatisoq3vhj65r6gufswkkyuc5hmdgokmzlgfpy3meraadaio32q._file
Verdict:
unknown
Similar samples:
0590d0aecfea1d3587163f930592279d14e709579f36392dd984afb3cd73fe55
AveMariaRAT
1c20303cc50bd34be8c77e932a3ad53e2ab3ed7e089c3f00c9cddc524889cfbe
AveMariaRAT
24acaf92fe9b2607f0cbc04750ec0b89946812b105cc9ff743a2bed195b40aa2
AveMariaRAT
65c40d8f45a1f172d7ad8ceece8d7785788ba07b996403a017f9dd4d8a975d70
AveMariaRAT
821f5e380e93e0e55644a5ae652751b7ee7205d47da4c4dde6cc23d8c1119039
AveMariaRAT
8dfe00633071fa4e719acd5e638596c35646c937ef1488528ffe6904cb61054f
AveMariaRAT
919bf9b29063c956860ae23541520867510a4d7197504d885c3b4e4b841aa4c6
AveMariaRAT
a828e622f76666e23459f75e1eba33e34b919b1e129d64b937c46a1a30c8a356
AveMariaRAT
b7d066f1f2dcb6a9903f75d67b4c3fa3432394b2bce6223add103b0a9c29d70d
AveMariaRAT
bc02ea5cec64a11fe6de318b33b326406975d85c46b58a094a6d893a09f6ed83
AveMariaRAT
+ 55 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat persistence rat
Link:
https://tria.ge/reports/201114-4f53x8vtkj/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
9826893a1ba9d3eec7c6a165652b14174ec199ca665662bf1b6122000c0876f5
MD5 hash:
92f7686f16f573b9c7edfc1879d46d3f
SHA1 hash:
487c2d9da32ce169bdb8de242183dd018eaa1228
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/a475c5cc-f988-49e7-a6c8-371c2700dbba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9826893a1ba9d3eec7c6a165652b14174ec199ca665662bf1b6122000c0876f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments