MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc07f9c8fc863e38cb6136a4807204b9955a723cd3bbcfddc3db1cdf835c950a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc07f9c8fc863e38cb6136a4807204b9955a723cd3bbcfddc3db1cdf835c950a
SHA3-384 hash: e4a8c9ef51c87c3e42ec795ef5924dca444d1d33430b1d89b4e599549f30c22bc31933314bc9ca7cb7f43b36c0d40412
SHA1 hash: 1f6c73353ca76ac024ab16d3f82f2acbda808863
MD5 hash: 79a19a7a8b4f029bf9bda9f7663b7bf7
humanhash: massachusetts-lemon-xray-nine
File name:cc07f9c8fc863e38cb6136a4807204b9955a723cd3bbcfddc3db1cdf835c950a
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:2'992'226 bytes
First seen:2020-11-10 11:41:58 UTC
Last seen:2024-07-24 21:29:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep 24576:OIY7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHb:OIY7A3mw4gxeOw46fUbNecCCFbNece
Threatray 3'687 similar samples on MalwareBazaar
TLSH 92D59EC7FE4D40A3E22B8535710F3B218586693F6B00A73B6F7E7988E1972D69093647
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.Ep-7
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Cerber-6989221-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a window
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/528477
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Command shell drops VBS files
Contain functionality to detect virtual machines
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 313338 Sample: I4Q3IzLEUR Startdate: 10/11/2020 Architecture: WINDOWS Score: 100 111 Antivirus detection for dropped file 2->111 113 Antivirus / Scanner detection for submitted sample 2->113 115 Multi AV Scanner detection for submitted file 2->115 117 6 other signatures 2->117 12 I4Q3IzLEUR.exe 2->12         started        15 wscript.exe 1 2->15         started        17 svchost.exe 2->17         started        19 8 other processes 2->19 process3 dnsIp4 203 Detected unpacking (changes PE section rights) 12->203 205 Detected unpacking (creates a PE file in dynamic memory) 12->205 207 Detected unpacking (overwrites its own PE header) 12->207 213 5 other signatures 12->213 22 cmd.exe 2 12->22         started        25 I4Q3IzLEUR.exe 1 51 12->25         started        209 Injects code into the Windows Explorer (explorer.exe) 15->209 27 explorer.exe 15->27         started        211 Changes security center settings (notifications, updates, antivirus, firewall) 17->211 103 127.0.0.1 unknown unknown 19->103 signatures5 process6 signatures7 143 Command shell drops VBS files 22->143 145 Drops VBS files to the startup folder 22->145 29 conhost.exe 22->29         started        147 Spreads via windows shares (copies files to share folders) 25->147 149 Writes to foreign memory regions 25->149 151 Allocates memory in foreign processes 25->151 153 Sample is not signed and drops a device driver 25->153 31 diskperf.exe 5 25->31         started        34 I4Q3IzLEUR.exe 1 3 25->34         started        155 Tries to detect sandboxes / dynamic malware analysis system (file name check) 27->155 157 Injects code into the Windows Explorer (explorer.exe) 27->157 159 Injects a PE file into a foreign processes 27->159 37 explorer.exe 27->37         started        39 cmd.exe 27->39         started        process8 file9 41 explorer.exe 47 29->41         started        45 cmd.exe 1 29->45         started        95 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 31->95 dropped 97 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 31->97 dropped 99 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 31->99 dropped 47 StikyNot.exe 31->47         started        101 C:\Windows\System\explorer.exe, PE32 34->101 dropped 119 Installs a global keyboard hook 34->119 49 explorer.exe 34->49         started        121 Injects code into the Windows Explorer (explorer.exe) 37->121 123 Drops executables to the windows directory (C:\Windows) and starts them 37->123 125 Spreads via windows shares (copies files to share folders) 37->125 127 Injects a PE file into a foreign processes 37->127 51 explorer.exe 37->51         started        53 conhost.exe 39->53         started        signatures10 process11 file12 89 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 41->89 dropped 91 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 41->91 dropped 173 Injects code into the Windows Explorer (explorer.exe) 41->173 175 Spreads via windows shares (copies files to share folders) 41->175 177 Writes to foreign memory regions 41->177 195 2 other signatures 41->195 55 explorer.exe 41->55         started        60 diskperf.exe 41->60         started        62 conhost.exe 45->62         started        179 Antivirus detection for dropped file 47->179 181 Detected unpacking (changes PE section rights) 47->181 183 Detected unpacking (creates a PE file in dynamic memory) 47->183 64 StikyNot.exe 46 47->64         started        66 cmd.exe 1 47->66         started        185 Detected unpacking (overwrites its own PE header) 49->185 187 Machine Learning detection for dropped file 49->187 189 Tries to detect sandboxes / dynamic malware analysis system (file name check) 49->189 191 Drops PE files with benign system names 49->191 193 Installs a global keyboard hook 51->193 signatures13 process14 dnsIp15 105 vccmd03.googlecode.com 55->105 107 vccmd02.googlecode.com 55->107 109 5 other IPs or domains 55->109 83 C:\Windows\System\spoolsv.exe, PE32 55->83 dropped 85 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 55->85 dropped 161 System process connects to network (likely due to code injection or exploit) 55->161 163 Creates an undocumented autostart registry key 55->163 165 Installs a global keyboard hook 55->165 68 spoolsv.exe 55->68         started        71 spoolsv.exe 55->71         started        87 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 60->87 dropped 167 Spreads via windows shares (copies files to share folders) 64->167 169 Sample uses process hollowing technique 64->169 171 Injects a PE file into a foreign processes 64->171 73 conhost.exe 66->73         started        file16 signatures17 process18 signatures19 129 Antivirus detection for dropped file 68->129 131 Detected unpacking (changes PE section rights) 68->131 133 Machine Learning detection for dropped file 68->133 135 Drops executables to the windows directory (C:\Windows) and starts them 68->135 75 spoolsv.exe 68->75         started        78 cmd.exe 68->78         started        137 Tries to detect sandboxes / dynamic malware analysis system (file name check) 71->137 139 Sample uses process hollowing technique 71->139 141 Injects a PE file into a foreign processes 71->141 process20 file21 197 Spreads via windows shares (copies files to share folders) 75->197 199 Sample uses process hollowing technique 75->199 201 Injects a PE file into a foreign processes 75->201 93 C:\Users\user\AppData\Roaming\...\x.vbs, ASCII 78->93 dropped 81 conhost.exe 78->81         started        signatures22 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc07f9c8fc863e38cb6136a4807204b9955a723cd3bbcfddc3db1cdf835c950a/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 12:39:11 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zqd7tsh4qy7drs3bg2sia4qexgkvu4r42o547xod3mon7a24sufa._file
Verdict:
unknown
Similar samples:
3772ad390ed9afe00625633bcc8b4ef9a3cc4ebd3afcdd17e5bcbc77d6dcf450
AveMariaRAT
78507fc9bb7ae5d0b07e652a6e473dfa8989868cfb5bdede487cafe0c5798723
AveMariaRAT
790ada374a5746ba5c8118615dc54e246836a5fad99032fd1ebeb9488c196d7f
AveMariaRAT
8a23a6db2c8886b0d56f69b4139ad8278b49cf2aaa19729ef3d90171d9419f7b
AveMariaRAT
97600cbe42f7a08b51c85fcf6084d682b526cd31e6ac041c7e94d92eb01cf96c
AveMariaRAT
b8526e6e7c6dcb71a5e3c587455e235c0a3508f2b7cc20aae47120d25dbbe210
AveMariaRAT
bbe69e17d653a71131e0c9fd787429245db67bd8f432b279a85881b2b1cfbf77
AveMariaRAT
cc07bcb41bac2d36932375e5be5c4c1b52e147ba3b3c585d5c2435cc0471308d
AveMariaRAT
f505e3b6c8cf7f1bfc8a0652975f9a595cf2f651e7861ffd7ffaba6fa6b52781
AveMariaRAT
fe5386cd43958a7d73820c890e0a52455c732cb4bf74bcf9d002d569e96a4012
AveMariaRAT
+ 3'677 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments