MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5fd02008e86c06d74e74208f75e34a6c32afd3992530f048c7da755fd06c214. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 6 File information Comments

SHA256 hash:	c5fd02008e86c06d74e74208f75e34a6c32afd3992530f048c7da755fd06c214
SHA3-384 hash:	8e65c82fb91c07d7cfa7bfa5751cb79502d3ed656063fce36ba085a9aac843cd7c4644282362b3a5c6e4d63be689ed69
SHA1 hash:	78e589bb87cdeef77a689614e091d14cf49ce7b4
MD5 hash:	72ca3c5730cfe7c094835721b4ff282f
humanhash:	november-twelve-uniform-cup
File name:	c5fd02008e86c06d74e74208f75e34a6c32afd3992530f048c7da755fd06c214
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	1'252'896 bytes
First seen:	2020-11-11 11:14:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5a498eee87e4d89512a84502f500181f (138 x AveMariaRAT, 57 x RedLineStealer, 7 x CoinMiner)
ssdeep	12288:GIbsBDU0I6+Tu0TJ0N1oYgeOFkA7W2FeDSIGVH/KIDgDgUeHbY1tk3:GIbGD2JTu0GolQDbGV6eH8tk3
Threatray	3'752 similar samples on MalwareBazaar
TLSH	4945AD82B67A040BC8737DB2F50FD220D8D9FE3D5640A7BB677BFE5984672418243A16
Reporter	seifreed
Tags:	AveMariaRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Malware.Ursu-6793772-0

Win.Malware.Ursu-6914170-0

Win.Malware.Ursu-6914171-0

Win.Malware.Cryptinject-9785242-0

Win.Malware.Daqc-6598201-0

Win.Malware.Eclv-9782803-0

Win.Malware.Eclv-9782804-0

Win.Malware.Eclv-9782973-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file in the %temp% directory

Creating a file

Launching a process

Creating a file in the Windows subdirectories

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the mass storage device

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c5fd02008e86c06d74e74208f75e34a6c32afd3992530f048c7da755fd06c214/

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2020-11-11 11:16:55 UTC

AV detection:

39 of 48 (81.25%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yx6qeaeoq3ag25hhiiepoxruu3bsv7jzsjjq6bempwtvl7igyika._file

Verdict:

suspicious

AveMariaRAT

5553a7b6943f4c1435ec14ecb41b95029d6f2a94f7f415f660c14bd8b68ab7f9

AveMariaRAT

66c84cc2020c62f67f7044dbc3bb6b8f377d545b6e7e4f4f636d26b2d5e4d0da

AveMariaRAT

840fcf3e185f0a54e8f1aee00cbcaa8b452a7f45bedb258e3afef8cb9fd3e0fd

AveMariaRAT

a0169c5cea57cdacc8c2f434b1e7ca6fbccadad3d1ba15ee168905d5b4e4956c

AveMariaRAT

a5d757f0c6bdf80b0d483bdc417c7f14857c9e4c72ac39d3b04d5babf20d807a

AveMariaRAT

c1f39d8f71e07d8eb327eba34a855ef2233cef3c04150da2e02807ece40cb905

AveMariaRAT

dedad3d7a97da9f0103dd87d86a422e38f581879c41ab07594d141eb303d2de9

AveMariaRAT

f2f2480af56f120f4d1f6586940ed898766a86509a2de41c5fea7f305d21b6fe

AveMariaRAT

f9676410bb9da322ef7440edfc31815ff0f0a32f92269770d869f62c8f1ee497

AveMariaRAT

+ 3'742 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat aspackv2 evasion infostealer persistence rat

Link:

https://tria.ge/reports/201111-vxxm1phkms/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Modifies Installed Components in the registry

Warzone RAT Payload

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

WarzoneRat, AveMaria

Unpacked files

SH256 hash:

c5fd02008e86c06d74e74208f75e34a6c32afd3992530f048c7da755fd06c214

MD5 hash:

72ca3c5730cfe7c094835721b4ff282f

SHA1 hash:

78e589bb87cdeef77a689614e091d14cf49ce7b4

Detections:

win_ave_maria_g0

Link:

https://www.unpac.me/results/d3d05a44-42eb-4436-a2e7-3b4dbed94c73/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	UAC_bypass_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample