MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbf81a7934a725f91d61f0bd08d2414da2376df910bd1be865369fe9bdd6186a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 7



SHA256 hash: fbf81a7934a725f91d61f0bd08d2414da2376df910bd1be865369fe9bdd6186a
SHA3-384 hash: 8823caeabcfecf9651ad2f31baaa9fde070780c3351d245ce4f5bab0153613557006d830c996ea766260d5fc8edc55eb
SHA1 hash: 4773f8bb4741c6f051318c6ce8303f94aad4f272
MD5 hash: efd44650b0c0d37432cb7d87983308f3
humanhash: dakota-uniform-hotel-eighteen
File name: fbf81a7934a725f91d61f0bd08d2414da2376df910bd1be865369fe9bdd6186a
Signature: AveMariaRAT
File size: 3'024'503 bytes
First seen: 2020-11-09 21:58:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep: 24576:fCq7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHu:fCq7AAmw4gxeOw46fUbNecCCFbNecl
Threatray: 3'280 similar samples on MalwareBazaar
TLSH: 26E59ED6762F1453D33196B1561F4640928CA8AA6F81FA5F7FF63A06704B0CAF2D2B07
Reporter: seifreed
Tags: AveMariaRAT

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 102
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Threat name: AveMaria
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Command shell drops VBS files
Contains functionality to detect virtual machines
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Injects a PE file into foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph: [rendered process graph not reproduced; Behavior Graph ID 312873, sample S52d2Ohigo, start date 10/11/2020, architecture WINDOWS, score 100. The graph shows the process tree (S52d2Ohigo.exe, wscript.exe, StikyNot.exe, svchost.exe, cmd.exe, diskperf.exe, explorer.exe, spoolsv.exe), the files they drop, and the signatures and network contacts attached to each process.]
Threat name: Win32.Spyware.AveMaria
Status: Malicious
First seen: 2020-11-09 22:39:42 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 2/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat evasion infostealer persistence rat upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ave_maria_warzone_rat
Author: jeFF0Falltrades
Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria
Rule name: Codoso_Gh0st_1
Author: Florian Roth
Description: Detects Codoso APT Gh0st Malware
Reference: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria
Rule name: RDPWrap
Author: @bartblaze
Description: Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference: https://github.com/stascorp/rdpwrap
Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments