MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efbb6ae3207ae2a624c4b3db113f4a42fbb0b65c8316ece36d29c32b21fd2af0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efbb6ae3207ae2a624c4b3db113f4a42fbb0b65c8316ece36d29c32b21fd2af0
SHA3-384 hash: 963506b738e61e5835df2536d2076ec9dabdc290b95fafee5982c436202cc636fd77fb59bcc0a13da9834e52ab694971
SHA1 hash: 2f7f3f330ceeb7a05421c9c8eb24af21b385212a
MD5 hash: 5766658da5d0297b8e52332ad4dc8f73
humanhash: seventeen-pennsylvania-eight-oxygen
File name:efbb6ae3207ae2a624c4b3db113f4a42fbb0b65c8316ece36d29c32b21fd2af0
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:3'338'955 bytes
First seen:2020-11-12 14:29:06 UTC
Last seen:2024-07-24 22:49:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7be4c98eebb39d282cdffc1cea8fb470 (661 x AveMariaRAT, 29 x Riskware.Generic)
ssdeep 24576:+T2v/eZ4MqH3ToViZ6QDbGV6eH8tkOIbGD2JTu0GoWQDbGV6eH8tkd:C2nG/oLbNecSC0bNeca
Threatray 67 similar samples on MalwareBazaar
TLSH CCF57DE0F602506AD6237DB5EC0FD261D589BDBE0682B76FA7737E1E68477806443603
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
64
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Daqc-6598201-0
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Eclv-9782803-0
Create hunting rule

Win.Malware.Eclv-9782804-0
Create hunting rule

Win.Malware.Eclv-9782973-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Creating a file in the mass storage device
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/533870
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316038 Sample: 3ktXgzQepj Startdate: 13/11/2020 Architecture: WINDOWS Score: 100 106 Antivirus detection for dropped file 2->106 108 Antivirus / Scanner detection for submitted sample 2->108 110 Multi AV Scanner detection for submitted file 2->110 112 6 other signatures 2->112 11 3ktXgzQepj.exe 1 51 2->11         started        15 StikyNot.exe 47 2->15         started        17 StikyNot.exe 2->17         started        19 3 other processes 2->19 process3 file4 92 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 11->92 dropped 94 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 11->94 dropped 154 Detected unpacking (changes PE section rights) 11->154 156 Detected unpacking (overwrites its own PE header) 11->156 158 Spreads via windows shares (copies files to share folders) 11->158 172 2 other signatures 11->172 21 3ktXgzQepj.exe 1 3 11->21         started        25 diskperf.exe 11->25         started        96 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 15->96 dropped 160 Antivirus detection for dropped file 15->160 162 Detected unpacking (creates a PE file in dynamic memory) 15->162 164 Machine Learning detection for dropped file 15->164 27 StikyNot.exe 2 15->27         started        29 diskperf.exe 15->29         started        166 Writes to foreign memory regions 17->166 168 Allocates memory in foreign processes 17->168 170 Injects a PE file into a foreign processes 17->170 31 StikyNot.exe 17->31         started        33 diskperf.exe 17->33         started        signatures5 process6 file7 86 C:\Windows\System\explorer.exe, PE32 21->86 dropped 146 Installs a global keyboard hook 21->146 35 explorer.exe 47 21->35         started        39 explorer.exe 27->39         started        signatures8 process9 file10 82 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 35->82 dropped 84 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 35->84 dropped 132 Antivirus detection for dropped file 35->132 134 Detected unpacking (changes PE section rights) 35->134 136 Detected unpacking (overwrites its own PE header) 35->136 144 6 other signatures 35->144 41 explorer.exe 3 17 35->41         started        46 diskperf.exe 35->46         started        138 Injects code into the Windows Explorer (explorer.exe) 39->138 140 Drops executables to the windows directory (C:\Windows) and starts them 39->140 142 Spreads via windows shares (copies files to share folders) 39->142 48 explorer.exe 39->48         started        signatures11 process12 dnsIp13 100 vccmd03.googlecode.com 41->100 102 vccmd02.googlecode.com 41->102 104 5 other IPs or domains 41->104 88 C:\Windows\System\spoolsv.exe, PE32 41->88 dropped 90 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 41->90 dropped 148 System process connects to network (likely due to code injection or exploit) 41->148 150 Creates an undocumented autostart registry key 41->150 152 Installs a global keyboard hook 41->152 50 spoolsv.exe 46 41->50         started        53 spoolsv.exe 46 41->53         started        55 spoolsv.exe 46 41->55         started        57 4 other processes 41->57 file14 signatures15 process16 signatures17 114 Antivirus detection for dropped file 50->114 116 Detected unpacking (changes PE section rights) 50->116 118 Detected unpacking (creates a PE file in dynamic memory) 50->118 130 3 other signatures 50->130 59 spoolsv.exe 50->59         started        63 diskperf.exe 50->63         started        120 Spreads via windows shares (copies files to share folders) 53->120 122 Writes to foreign memory regions 53->122 124 Allocates memory in foreign processes 53->124 65 spoolsv.exe 53->65         started        67 diskperf.exe 53->67         started        126 Injects a PE file into a foreign processes 55->126 69 spoolsv.exe 55->69         started        71 diskperf.exe 55->71         started        128 Drops executables to the windows directory (C:\Windows) and starts them 57->128 73 spoolsv.exe 57->73         started        75 spoolsv.exe 57->75         started        77 4 other processes 57->77 process18 file19 98 C:\Windows\System\svchost.exe, PE32 59->98 dropped 174 Drops executables to the windows directory (C:\Windows) and starts them 59->174 176 Installs a global keyboard hook 59->176 79 svchost.exe 59->79         started        signatures20 process21 signatures22 178 Antivirus detection for dropped file 79->178 180 Machine Learning detection for dropped file 79->180 182 Spreads via windows shares (copies files to share folders) 79->182 184 2 other signatures 79->184
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efbb6ae3207ae2a624c4b3db113f4a42fbb0b65c8316ece36d29c32b21fd2af0/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 14:31:34 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=565wvyzaplrkmjgewpnrcp2kil53bns4qmlozy3nfhbswip5flya._file
Verdict:
unknown
Similar samples:
0157dd7fb07b3d3db807bafa53451ba0458d2571ca068e6c78ff9cb61b893e13
AveMariaRAT
143351152c41df32cdb16965fcdc462217d3ac7781d3681a75611611322e8c63
AveMariaRAT
68c58b0bcdc1c5b60ae6c139269b3b0b9b8fbc143dc57daaa65e75087ea9651b
AveMariaRAT
6ac27bfb9817a0450b58003ce3695671139d6649c03bfb7ecd1cb0acfacf7dc1
AveMariaRAT
7f1df3446a1e0130e99c6de60ab3aedebca5fa49f576591a0a6dfa14c7d9fd21
AveMariaRAT
b9d3aec2e12d09c575669441fbc43366c1443ae8c3e5c1671b3c1da1828e1393
AveMariaRAT
c6eb90065fc3ff411b3d6112c379b29d7e168df2584d6572aef9de30cc5003ac
AveMariaRAT
d75eda9289c684de721841f3e777720cb1360a804e5da52e8882fab56ae6fcf7
AveMariaRAT
fe759de7afe9839e4832488673dd1966bd0735d5269ac77a7de020649f787dd3
AveMariaRAT
ff8111f3f289a8ff4b459920471df4fc0cfd4f43c0ae072c95cd56aaf33e5d5e
AveMariaRAT
+ 57 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat
Link:
https://tria.ge/reports/201112-l22l22hers/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
efbb6ae3207ae2a624c4b3db113f4a42fbb0b65c8316ece36d29c32b21fd2af0
MD5 hash:
5766658da5d0297b8e52332ad4dc8f73
SHA1 hash:
2f7f3f330ceeb7a05421c9c8eb24af21b385212a
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/214d8560-fe74-459d-b92a-0196710c3670/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments