MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e284df4dd69f01ca652cc3c9d94cf949839a388fd5a2978679b9890b8f75b4ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e284df4dd69f01ca652cc3c9d94cf949839a388fd5a2978679b9890b8f75b4ee
SHA3-384 hash: 62840d1d68515cb7140c6b09b5d617da40599d6941dbed815f56c472647168bfeb44569713deaf7c08e4d0485936b91b
SHA1 hash: ba14b796291a3a811293f245d50d9067a7eceb00
MD5 hash: 314bd9b11a71a60cbeff7cfaba82dfea
humanhash: lamp-iowa-six-twelve
File name:e284df4dd69f01ca652cc3c9d94cf949839a388fd5a2978679b9890b8f75b4ee
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:3'024'686 bytes
First seen:2020-11-12 14:40:11 UTC
Last seen:2024-07-24 22:22:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep 24576:/NB7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHh:/NB7AAmw4gxeOw46fUbNecCCFbNeck
Threatray 3'843 similar samples on MalwareBazaar
TLSH 89E5AED5B96E0857E63FA4B5E04FB25180D8F83D9340637E7B6F3E0AA4531899182F4B
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Cerber-6989221-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a file
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/533345
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Command shell drops VBS files
Contain functionality to detect virtual machines
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 315776 Sample: U7htk7lDf5 Startdate: 13/11/2020 Architecture: WINDOWS Score: 100 137 Antivirus detection for dropped file 2->137 139 Antivirus / Scanner detection for submitted sample 2->139 141 Multi AV Scanner detection for submitted file 2->141 143 6 other signatures 2->143 13 U7htk7lDf5.exe 2->13         started        16 svchost.exe 1 2->16         started        18 svchost.exe 2->18         started        process3 signatures4 183 Tries to detect sandboxes / dynamic malware analysis system (file name check) 13->183 185 Contain functionality to detect virtual machines 13->185 187 Contains functionality to inject code into remote processes 13->187 189 2 other signatures 13->189 20 U7htk7lDf5.exe 1 51 13->20         started        23 cmd.exe 2 13->23         started        process5 signatures6 151 Spreads via windows shares (copies files to share folders) 20->151 153 Writes to foreign memory regions 20->153 155 Allocates memory in foreign processes 20->155 161 2 other signatures 20->161 25 U7htk7lDf5.exe 1 3 20->25         started        29 diskperf.exe 5 20->29         started        157 Command shell drops VBS files 23->157 159 Drops VBS files to the startup folder 23->159 31 conhost.exe 23->31         started        process7 file8 111 C:\Windows\System\explorer.exe, PE32 25->111 dropped 179 Installs a global keyboard hook 25->179 33 explorer.exe 25->33         started        113 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 29->113 dropped 115 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 29->115 dropped 117 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 29->117 dropped 36 StikyNot.exe 29->36         started        signatures9 process10 signatures11 127 Antivirus detection for dropped file 33->127 129 Machine Learning detection for dropped file 33->129 131 Tries to detect sandboxes / dynamic malware analysis system (file name check) 33->131 135 2 other signatures 33->135 38 explorer.exe 47 33->38         started        42 cmd.exe 1 33->42         started        133 Injects a PE file into a foreign processes 36->133 44 StikyNot.exe 46 36->44         started        46 cmd.exe 1 36->46         started        process12 file13 107 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 38->107 dropped 109 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 38->109 dropped 163 Injects code into the Windows Explorer (explorer.exe) 38->163 165 Spreads via windows shares (copies files to share folders) 38->165 167 Writes to foreign memory regions 38->167 48 explorer.exe 3 17 38->48         started        53 diskperf.exe 38->53         started        55 conhost.exe 42->55         started        169 Allocates memory in foreign processes 44->169 171 Injects a PE file into a foreign processes 44->171 57 StikyNot.exe 44->57         started        59 diskperf.exe 44->59         started        61 conhost.exe 46->61         started        signatures14 process15 dnsIp16 121 vccmd03.googlecode.com 48->121 123 vccmd02.googlecode.com 48->123 125 5 other IPs or domains 48->125 101 C:\Windows\System\spoolsv.exe, PE32 48->101 dropped 103 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 48->103 dropped 145 System process connects to network (likely due to code injection or exploit) 48->145 147 Creates an undocumented autostart registry key 48->147 149 Installs a global keyboard hook 48->149 63 spoolsv.exe 48->63         started        66 spoolsv.exe 48->66         started        68 spoolsv.exe 48->68         started        105 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 53->105 dropped 70 explorer.exe 57->70         started        file17 signatures18 process19 signatures20 191 Antivirus detection for dropped file 63->191 193 Machine Learning detection for dropped file 63->193 195 Tries to detect sandboxes / dynamic malware analysis system (file name check) 63->195 72 spoolsv.exe 63->72         started        75 cmd.exe 1 63->75         started        77 spoolsv.exe 66->77         started        79 cmd.exe 66->79         started        82 spoolsv.exe 68->82         started        84 cmd.exe 68->84         started        197 Injects code into the Windows Explorer (explorer.exe) 70->197 199 Drops executables to the windows directory (C:\Windows) and starts them 70->199 201 Injects a PE file into a foreign processes 70->201 86 explorer.exe 70->86         started        88 cmd.exe 70->88         started        process21 file22 173 Spreads via windows shares (copies files to share folders) 72->173 175 Injects a PE file into a foreign processes 72->175 90 spoolsv.exe 72->90         started        93 conhost.exe 75->93         started        119 C:\Users\user\AppData\Roaming\...\x.vbs, ASCII 79->119 dropped 95 conhost.exe 79->95         started        177 Sample uses process hollowing technique 82->177 97 conhost.exe 84->97         started        99 conhost.exe 88->99         started        signatures23 process24 signatures25 181 Installs a global keyboard hook 90->181
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e284df4dd69f01ca652cc3c9d94cf949839a388fd5a2978679b9890b8f75b4ee/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 14:45:28 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4kcn6towt4a4uzjmype5sthzjgbzuoep2wrjpbtzxgeqxd3vwtxa._file
Verdict:
unknown
Similar samples:
3a65243f9c90c4da9e2eba16f82e9f0c6e963a887a494862e3ab0bf34ad087cf
AveMariaRAT
3a74b8877e03ea9add7e7edf30c977603981d73c2f061b3948104f1adf6fae03
AveMariaRAT
58c686ae386e71180a0e0544c536e33d1348ab5dd9e7102dc250302f1d721fa6
AveMariaRAT
5b21a4372a66f1bb75eb6edb0666d123fab94c98a170cceb3df8554038eb50f5
AveMariaRAT
6a1c68ee404b6a15596e6374c1af3d7cb88fc86f95428ec4eb05dbfe0c878d5e
AveMariaRAT
78507fc9bb7ae5d0b07e652a6e473dfa8989868cfb5bdede487cafe0c5798723
AveMariaRAT
bbe69e17d653a71131e0c9fd787429245db67bd8f432b279a85881b2b1cfbf77
AveMariaRAT
cc07f9c8fc863e38cb6136a4807204b9955a723cd3bbcfddc3db1cdf835c950a
AveMariaRAT
f1e7407cc064f9c74ab09a214fde2dea53c28fef69e3a97a6c5f5dbe52fef859
AveMariaRAT
fe5386cd43958a7d73820c890e0a52455c732cb4bf74bcf9d002d569e96a4012
AveMariaRAT
+ 3'833 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat upx
Link:
https://tria.ge/reports/201112-cw8wqzycxa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
e284df4dd69f01ca652cc3c9d94cf949839a388fd5a2978679b9890b8f75b4ee
MD5 hash:
314bd9b11a71a60cbeff7cfaba82dfea
SHA1 hash:
ba14b796291a3a811293f245d50d9067a7eceb00
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/290a40bd-0080-46a9-8fef-6b3519a32f4b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments