MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6844d638d45cd69038526a0d0ce341f1e36f2ff07bcad50644e7d0f1d07434f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6844d638d45cd69038526a0d0ce341f1e36f2ff07bcad50644e7d0f1d07434f
SHA3-384 hash: 8a2b435bf4f2ad00fe519f3d29b229b5e6a86035d76ed44bd99f4e079db5d1bb55b9f79610ccdbc6b230df612cf74b23
SHA1 hash: b1f939b27c39d5bc2fb0a40b001b3bd42fc20eff
MD5 hash: 17041eeed05650f704d693e9565b5c6a
humanhash: hydrogen-double-india-foxtrot
File name:a6844d638d45cd69038526a0d0ce341f1e36f2ff07bcad50644e7d0f1d07434f
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:3'024'497 bytes
First seen:2020-11-14 18:14:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep 24576:J3h7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHn:J3h7AAmw4gxeOw46fUbNecCCFbNecQ
Threatray 4'299 similar samples on MalwareBazaar
TLSH C7E59EC7D6B7004BF72B51B2D10F8BA188D87E39A280A65F6B3F281858771C573C965B
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Cerber-6989221-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Win.Trojan.Ulise-9792178-0
Create hunting rule

Win.Trojan.Ulise-9792179-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/535611
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Command shell drops VBS files
Contain functionality to detect virtual machines
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316905 Sample: JhLNOgYKqC Startdate: 15/11/2020 Architecture: WINDOWS Score: 100 129 Antivirus detection for dropped file 2->129 131 Antivirus / Scanner detection for submitted sample 2->131 133 Multi AV Scanner detection for submitted file 2->133 135 6 other signatures 2->135 13 JhLNOgYKqC.exe 2->13         started        16 wscript.exe 1 2->16         started        18 svchost.exe 2->18         started        20 5 other processes 2->20 process3 dnsIp4 199 Tries to detect sandboxes / dynamic malware analysis system (file name check) 13->199 201 Contain functionality to detect virtual machines 13->201 203 Contains functionality to inject code into remote processes 13->203 209 2 other signatures 13->209 23 JhLNOgYKqC.exe 1 51 13->23         started        27 cmd.exe 2 13->27         started        205 Injects code into the Windows Explorer (explorer.exe) 16->205 29 explorer.exe 16->29         started        207 Changes security center settings (notifications, updates, antivirus, firewall) 18->207 111 127.0.0.1 unknown unknown 20->111 113 192.168.2.1 unknown unknown 20->113 signatures5 process6 file7 105 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 23->105 dropped 107 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 23->107 dropped 163 Spreads via windows shares (copies files to share folders) 23->163 165 Sample is not signed and drops a device driver 23->165 167 Injects a PE file into a foreign processes 23->167 31 JhLNOgYKqC.exe 1 3 23->31         started        35 diskperf.exe 23->35         started        169 Command shell drops VBS files 27->169 171 Drops VBS files to the startup folder 27->171 37 conhost.exe 27->37         started        173 Tries to detect sandboxes / dynamic malware analysis system (file name check) 29->173 175 Injects code into the Windows Explorer (explorer.exe) 29->175 177 Drops executables to the windows directory (C:\Windows) and starts them 29->177 39 explorer.exe 29->39         started        41 cmd.exe 29->41         started        signatures8 process9 file10 109 C:\Windows\System\explorer.exe, PE32 31->109 dropped 121 Installs a global keyboard hook 31->121 43 explorer.exe 31->43         started        46 spoolsv.exe 31->46         started        48 spoolsv.exe 31->48         started        50 spoolsv.exe 31->50         started        123 Spreads via windows shares (copies files to share folders) 39->123 125 Sample uses process hollowing technique 39->125 127 Injects a PE file into a foreign processes 39->127 52 conhost.exe 41->52         started        signatures11 process12 signatures13 185 Antivirus detection for dropped file 43->185 187 Machine Learning detection for dropped file 43->187 189 Tries to detect sandboxes / dynamic malware analysis system (file name check) 43->189 197 3 other signatures 43->197 54 explorer.exe 47 43->54         started        58 cmd.exe 1 43->58         started        191 Injects a PE file into a foreign processes 46->191 60 spoolsv.exe 46->60         started        62 cmd.exe 46->62         started        193 Drops executables to the windows directory (C:\Windows) and starts them 48->193 64 spoolsv.exe 48->64         started        66 cmd.exe 48->66         started        195 Sample uses process hollowing technique 50->195 process14 file15 99 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 54->99 dropped 101 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 54->101 dropped 151 Injects code into the Windows Explorer (explorer.exe) 54->151 153 Spreads via windows shares (copies files to share folders) 54->153 155 Writes to foreign memory regions 54->155 157 Allocates memory in foreign processes 54->157 68 diskperf.exe 1 54->68         started        71 explorer.exe 3 17 54->71         started        75 conhost.exe 58->75         started        159 Injects a PE file into a foreign processes 60->159 77 spoolsv.exe 60->77         started        79 conhost.exe 62->79         started        161 Sample uses process hollowing technique 64->161 103 C:\Users\user\AppData\Roaming\...\x.vbs, ASCII 66->103 dropped 81 conhost.exe 66->81         started        signatures16 process17 dnsIp18 93 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 68->93 dropped 83 StikyNot.exe 68->83         started        115 vccmd03.googlecode.com 71->115 117 vccmd02.googlecode.com 71->117 119 4 other IPs or domains 71->119 95 C:\Windows\System\spoolsv.exe, PE32 71->95 dropped 97 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 71->97 dropped 179 System process connects to network (likely due to code injection or exploit) 71->179 181 Creates an undocumented autostart registry key 71->181 183 Installs a global keyboard hook 71->183 file19 signatures20 process21 signatures22 137 Antivirus detection for dropped file 83->137 139 Machine Learning detection for dropped file 83->139 141 Tries to detect sandboxes / dynamic malware analysis system (file name check) 83->141 143 Injects a PE file into a foreign processes 83->143 86 StikyNot.exe 83->86         started        89 cmd.exe 83->89         started        process23 signatures24 145 Spreads via windows shares (copies files to share folders) 86->145 147 Sample uses process hollowing technique 86->147 149 Injects a PE file into a foreign processes 86->149 91 conhost.exe 89->91         started        process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6844d638d45cd69038526a0d0ce341f1e36f2ff07bcad50644e7d0f1d07434f/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:17:10 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u2ce2y4nixgwsa4fe2qnbtrud4pdn4x7a66k2udejz6q6hihinhq._file
Verdict:
malicious
Similar samples:
0954707116de7974c38346f17987886632546664d0933bafd412fb343e408317
AveMariaRAT
0b3b70199dae68ef49f3f2eafebab3fcb65f3d92118b689a8bbc987fb7793cc9
AveMariaRAT
33a1631c7b9063a39f15b2fde90f874f5657417d7a265fa03b6277b9c907ca33
AveMariaRAT
3e0c9a3b2805a33a90a06bba668f3e709f15d066d48c280b6715c5bf425d8629
AveMariaRAT
3f0fe613e49d7765df268a8443f9c21260856a71c978c87d28d02c14248fef77
AveMariaRAT
5cb853a95efb63587a4a7565020f6f36a9f7bf6fd2746c5795a06d49b245a666
AveMariaRAT
723ef98487bce9622b550cc458b59c54d26ac2b272d03e754d19597066888b72
AveMariaRAT
ba7c1af5ac4f1146d26e048f792d6edd3464788706ec698208a806cbb52f9aaa
AveMariaRAT
bb10d53967d703dd945777d9b9b38e03bd3c90fa77e68e7082678a9b02b40235
AveMariaRAT
f66d2f25ee39823a50bbce9480441c44db70372142924403f0b798e7afee77da
AveMariaRAT
+ 4'289 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat upx
Link:
https://tria.ge/reports/201114-wptpjkzsmn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
a6844d638d45cd69038526a0d0ce341f1e36f2ff07bcad50644e7d0f1d07434f
MD5 hash:
17041eeed05650f704d693e9565b5c6a
SHA1 hash:
b1f939b27c39d5bc2fb0a40b001b3bd42fc20eff
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/cf5c4562-50ac-43f2-948b-3b918b3decbe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nymaim
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6844d638d45cd69038526a0d0ce341f1e36f2ff07bcad50644e7d0f1d07434f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments