MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a004c233e5233a32dae93c8f43f9b74529141a3af794ddd1f0e966c56e298404. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a004c233e5233a32dae93c8f43f9b74529141a3af794ddd1f0e966c56e298404
SHA3-384 hash: bd33845c53626572d73793685437c3480d8a51d171b5ed26974d4d927e8d0558ff51f34dc9f4cbd58fcfc11ef94e81ba
SHA1 hash: 28111f897f9c7e9b3655236e0ed124ef0faa1e66
MD5 hash: de5e5bd04eb8ae09b16ef8dd1619d2bc
humanhash: nine-six-king-louisiana
File name:a004c233e5233a32dae93c8f43f9b74529141a3af794ddd1f0e966c56e298404
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'931'127 bytes
First seen:2020-11-14 18:19:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7be4c98eebb39d282cdffc1cea8fb470 (661 x AveMariaRAT, 29 x Riskware.Generic)
ssdeep 12288:eNzf85wugudQyPko5tbOz7dTtd98bu61PKNmyRQi+UCXA7W2FeDSIGVH/KIDgDgK:eRIz/cQOtd8buyyRRQDbGV6eH8tkY
Threatray 4'242 similar samples on MalwareBazaar
TLSH DB959DA1A7182623E3337DB09D1F81B19494BC997B509B5F6BA77D1C68B72C4F02A343
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Daqc-6598201-0
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Eclv-9782803-0
Create hunting rule

Win.Malware.Eclv-9782804-0
Create hunting rule

Win.Malware.Eclv-9782973-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/535471
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316834 Sample: EgPnmnW3Wa Startdate: 15/11/2020 Architecture: WINDOWS Score: 100 121 Antivirus detection for dropped file 2->121 123 Antivirus / Scanner detection for submitted sample 2->123 125 Multi AV Scanner detection for submitted file 2->125 127 6 other signatures 2->127 12 EgPnmnW3Wa.exe 1 51 2->12         started        15 StikyNot.exe 46 2->15         started        17 SyncHost.exe 2->17         started        19 4 other processes 2->19 process3 dnsIp4 183 Detected unpacking (changes PE section rights) 12->183 185 Detected unpacking (creates a PE file in dynamic memory) 12->185 187 Detected unpacking (overwrites its own PE header) 12->187 197 4 other signatures 12->197 22 EgPnmnW3Wa.exe 1 3 12->22         started        26 diskperf.exe 5 12->26         started        189 Spreads via windows shares (copies files to share folders) 15->189 191 Injects a PE file into a foreign processes 15->191 28 StikyNot.exe 15->28         started        30 diskperf.exe 15->30         started        193 Antivirus detection for dropped file 17->193 195 Machine Learning detection for dropped file 17->195 32 SyncHost.exe 17->32         started        111 127.0.0.1 unknown unknown 19->111 113 192.168.2.1 unknown unknown 19->113 signatures5 process6 file7 95 C:\Windows\System\explorer.exe, PE32 22->95 dropped 181 Installs a global keyboard hook 22->181 34 explorer.exe 47 22->34         started        97 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 26->97 dropped 99 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 26->99 dropped 101 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 26->101 dropped 38 StikyNot.exe 46 26->38         started        40 explorer.exe 28->40         started        signatures8 process9 file10 91 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 34->91 dropped 93 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 34->93 dropped 143 Antivirus detection for dropped file 34->143 145 Detected unpacking (changes PE section rights) 34->145 147 Detected unpacking (creates a PE file in dynamic memory) 34->147 161 4 other signatures 34->161 42 explorer.exe 3 17 34->42         started        47 diskperf.exe 34->47         started        149 Detected unpacking (overwrites its own PE header) 38->149 151 Machine Learning detection for dropped file 38->151 153 Spreads via windows shares (copies files to share folders) 38->153 49 StikyNot.exe 38->49         started        155 Injects code into the Windows Explorer (explorer.exe) 40->155 157 Drops executables to the windows directory (C:\Windows) and starts them 40->157 159 Injects a PE file into a foreign processes 40->159 51 explorer.exe 40->51         started        signatures11 process12 dnsIp13 115 vccmd03.googlecode.com 42->115 117 vccmd02.googlecode.com 42->117 119 4 other IPs or domains 42->119 103 C:\Windows\System\spoolsv.exe, PE32 42->103 dropped 105 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 42->105 dropped 199 System process connects to network (likely due to code injection or exploit) 42->199 201 Creates an undocumented autostart registry key 42->201 203 Installs a global keyboard hook 42->203 53 spoolsv.exe 46 42->53         started        56 spoolsv.exe 46 42->56         started        58 spoolsv.exe 46 42->58         started        60 2 other processes 42->60 107 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 47->107 dropped file14 signatures15 process16 signatures17 163 Antivirus detection for dropped file 53->163 165 Detected unpacking (changes PE section rights) 53->165 167 Detected unpacking (overwrites its own PE header) 53->167 179 2 other signatures 53->179 62 spoolsv.exe 2 53->62         started        66 diskperf.exe 53->66         started        169 Spreads via windows shares (copies files to share folders) 56->169 171 Injects a PE file into a foreign processes 56->171 68 spoolsv.exe 56->68         started        70 diskperf.exe 56->70         started        173 Writes to foreign memory regions 58->173 175 Allocates memory in foreign processes 58->175 72 spoolsv.exe 58->72         started        74 diskperf.exe 58->74         started        177 Drops executables to the windows directory (C:\Windows) and starts them 60->177 76 spoolsv.exe 60->76         started        78 spoolsv.exe 60->78         started        80 diskperf.exe 60->80         started        process18 file19 109 C:\Windows\System\svchost.exe, PE32 62->109 dropped 205 Installs a global keyboard hook 62->205 82 svchost.exe 62->82         started        85 svchost.exe 68->85         started        signatures20 process21 signatures22 129 Antivirus detection for dropped file 82->129 131 Detected unpacking (changes PE section rights) 82->131 133 Detected unpacking (overwrites its own PE header) 82->133 135 Machine Learning detection for dropped file 82->135 87 svchost.exe 82->87         started        137 Drops executables to the windows directory (C:\Windows) and starts them 85->137 139 Spreads via windows shares (copies files to share folders) 85->139 141 Injects a PE file into a foreign processes 85->141 89 svchost.exe 85->89         started        process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a004c233e5233a32dae93c8f43f9b74529141a3af794ddd1f0e966c56e298404/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:21:34 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uacmem7fem5dfwxjhshuh6nxiuurigr266kn3upq5ftmk3rjqqca._file
Verdict:
unknown
Similar samples:
0954707116de7974c38346f17987886632546664d0933bafd412fb343e408317
AveMariaRAT
32672928863af3e154d0e2cc454c5fd31f217a3bfabc7acff2223bb72a5bbe6f
AveMariaRAT
37246203b9cf8a0baac95420921b4d9b31abf33363235b58acbe20d5079f1819
AveMariaRAT
6a5e6d882ca54d4bba185f1b881b14795e8148dabeadbaf0f2035fcb2f678160
AveMariaRAT
7f95fc08dcdbe713e3a41b5b5d72763b4b3a4c608a1766596c8d055b12b2ee27
AveMariaRAT
a2588d62af6b7d4936fe20aae1d206b6dda2a9002dedd7069bdd7785e83ce810
AveMariaRAT
a2bd87a81b3cc4f40cc8f1e6ba1111a010ad3970b4dff9e98c729142af28b823
AveMariaRAT
af75914541fc8054c7cce0a2bfc4d4e2ae012c1b5989032573914455822b0eb2
AveMariaRAT
b7d066f1f2dcb6a9903f75d67b4c3fa3432394b2bce6223add103b0a9c29d70d
AveMariaRAT
be9af0fdc2439628d89ec49342567c6718dba2444972b173e652268173b8202f
AveMariaRAT
+ 4'232 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat
Link:
https://tria.ge/reports/201114-d5wv5478ra/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
a004c233e5233a32dae93c8f43f9b74529141a3af794ddd1f0e966c56e298404
MD5 hash:
de5e5bd04eb8ae09b16ef8dd1619d2bc
SHA1 hash:
28111f897f9c7e9b3655236e0ed124ef0faa1e66
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/fc9c88d4-5c90-4beb-b30e-83eeb8191a18/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a004c233e5233a32dae93c8f43f9b74529141a3af794ddd1f0e966c56e298404

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments