MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2082661840c6ed4e199a9da37df9e37f8700aad3c9bfbb1930ef57d0dcf387f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2082661840c6ed4e199a9da37df9e37f8700aad3c9bfbb1930ef57d0dcf387f
SHA3-384 hash: 4b0856f4ddaf3401203b3c8d22ae9464ffeef88c019a0f4053553f3b685a3024010287f61511dcb38cb16a34528bd510
SHA1 hash: f5868596eb9a9766f537fd695bdcb8fc22ada77a
MD5 hash: 6990fcef95d3afdaf55fa6ae45aa272c
humanhash: south-florida-seven-mockingbird
File name:b2082661840c6ed4e199a9da37df9e37f8700aad3c9bfbb1930ef57d0dcf387f
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'930'988 bytes
First seen:2020-11-10 11:43:07 UTC
Last seen:2024-07-24 20:29:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7be4c98eebb39d282cdffc1cea8fb470 (661 x AveMariaRAT, 29 x Riskware.Generic)
ssdeep 12288:oECWQoUCuMyza1nLyIhON36hjK/tdMrZvbUwGdtwiA7W2FeDSIGVH/KIDgDgUeHX:ohlxadvONK+/tO1XQDbGV6eH8tkn
Threatray 306 similar samples on MalwareBazaar
TLSH A795AFF0B2654423D3737A79980FE7B0BA7C3FE6D708A61B2FE66D0A4EB75902015146
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Daqc-6598201-0
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Eclv-9782803-0
Create hunting rule

Win.Malware.Eclv-9782804-0
Create hunting rule

Win.Malware.Eclv-9782973-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/528417
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 313307 Sample: QEbWSYtTo8 Startdate: 10/11/2020 Architecture: WINDOWS Score: 100 105 Antivirus detection for dropped file 2->105 107 Antivirus / Scanner detection for submitted sample 2->107 109 Multi AV Scanner detection for submitted file 2->109 111 6 other signatures 2->111 12 QEbWSYtTo8.exe 1 51 2->12         started        16 StikyNot.exe 2->16         started        18 svchost.exe 2->18         started        20 6 other processes 2->20 process3 dnsIp4 93 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 12->93 dropped 149 Detected unpacking (changes PE section rights) 12->149 151 Detected unpacking (creates a PE file in dynamic memory) 12->151 153 Detected unpacking (overwrites its own PE header) 12->153 165 6 other signatures 12->165 23 QEbWSYtTo8.exe 1 3 12->23         started        28 diskperf.exe 3 12->28         started        155 Antivirus detection for dropped file 16->155 157 Machine Learning detection for dropped file 16->157 159 Spreads via windows shares (copies files to share folders) 16->159 161 Sample uses process hollowing technique 16->161 163 Changes security center settings (notifications, updates, antivirus, firewall) 18->163 101 127.0.0.1 unknown unknown 20->101 file5 signatures6 process7 dnsIp8 103 192.168.2.1 unknown unknown 23->103 81 C:\Windows\System\explorer.exe, PE32 23->81 dropped 129 Installs a global keyboard hook 23->129 30 explorer.exe 46 23->30         started        83 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 28->83 dropped 85 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 28->85 dropped file9 signatures10 process11 signatures12 167 Antivirus detection for dropped file 30->167 169 Machine Learning detection for dropped file 30->169 171 Injects code into the Windows Explorer (explorer.exe) 30->171 173 8 other signatures 30->173 33 explorer.exe 3 17 30->33         started        38 diskperf.exe 30->38         started        process13 dnsIp14 95 vccmd03.googlecode.com 33->95 97 vccmd02.googlecode.com 33->97 99 4 other IPs or domains 33->99 75 C:\Windows\System\spoolsv.exe, PE32 33->75 dropped 77 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 33->77 dropped 113 System process connects to network (likely due to code injection or exploit) 33->113 115 Creates an undocumented autostart registry key 33->115 117 Installs a global keyboard hook 33->117 40 spoolsv.exe 48 33->40         started        44 spoolsv.exe 33->44         started        46 spoolsv.exe 47 33->46         started        48 4 other processes 33->48 file15 signatures16 process17 file18 87 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 40->87 dropped 89 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 40->89 dropped 131 Antivirus detection for dropped file 40->131 133 Detected unpacking (changes PE section rights) 40->133 135 Detected unpacking (creates a PE file in dynamic memory) 40->135 147 4 other signatures 40->147 50 spoolsv.exe 40->50         started        54 diskperf.exe 40->54         started        137 Drops executables to the windows directory (C:\Windows) and starts them 44->137 139 Spreads via windows shares (copies files to share folders) 44->139 141 Writes to foreign memory regions 44->141 66 2 other processes 44->66 91 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 46->91 dropped 143 Allocates memory in foreign processes 46->143 145 Injects a PE file into a foreign processes 46->145 56 spoolsv.exe 46->56         started        58 diskperf.exe 46->58         started        60 spoolsv.exe 48->60         started        62 spoolsv.exe 48->62         started        64 spoolsv.exe 48->64         started        68 5 other processes 48->68 signatures19 process20 file21 79 C:\Windows\System\svchost.exe, PE32 50->79 dropped 119 Installs a global keyboard hook 50->119 70 svchost.exe 50->70         started        signatures22 process23 signatures24 121 Antivirus detection for dropped file 70->121 123 Detected unpacking (changes PE section rights) 70->123 125 Detected unpacking (overwrites its own PE header) 70->125 127 4 other signatures 70->127 73 svchost.exe 70->73         started        process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2082661840c6ed4e199a9da37df9e37f8700aad3c9bfbb1930ef57d0dcf387f/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 12:39:03 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wiecmymebrxnjymzvhndpx46g74hacvnhsn7xmmtb32x2dophb7q._file
Verdict:
unknown
Similar samples:
22481cd93311b4f18f02b5ff96b5aceff4198db6d3b6ff5660ec2c2dc213e53c
AveMariaRAT
4a9294b06d85ea14899e6a586e49fd8814ea499a168d6ea5434841ee9f531f1e
AveMariaRAT
5c2468557082b50bdf6e44e613b9709b58f38f5064c5e773c6620c6601938535
AveMariaRAT
7f1df3446a1e0130e99c6de60ab3aedebca5fa49f576591a0a6dfa14c7d9fd21
AveMariaRAT
8220a8c4adb4f8132d5586dac58766a76c873d3eba42e0f0c2c772a60f9a04be
AveMariaRAT
9750507a265b34dfac0e3818ca7e3f3859333320a448d8682e1a2ca1a0d55d4f
AveMariaRAT
a2588d62af6b7d4936fe20aae1d206b6dda2a9002dedd7069bdd7785e83ce810
AveMariaRAT
bf340400a994242fec4944db5ec1372a93eb4ed18440e45f7ea4c2b53ff12f1a
AveMariaRAT
f9af550595756a3d4d4f7ea6561bba49fe906c06d047427de9da88ea34ee4063
AveMariaRAT
fd8d043f076ff1fa49472ef39692d8a5fff8f3f5d931b89831078a03c0457bcc
AveMariaRAT
+ 296 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments