MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe5386cd43958a7d73820c890e0a52455c732cb4bf74bcf9d002d569e96a4012. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe5386cd43958a7d73820c890e0a52455c732cb4bf74bcf9d002d569e96a4012
SHA3-384 hash: 9eb08a01c2ca3a54310147ada730c1089ae8d087b9df6ec99a52f34be1a77799c54c9ed02fd8f6a05d5345a89e6aa3a0
SHA1 hash: f4f28d5996cce85604f4384e7e9e82d841ab5bef
MD5 hash: d2805c41b17b18c1512bcc2e12aeb4a5
humanhash: sink-island-echo-salami
File name:fe5386cd43958a7d73820c890e0a52455c732cb4bf74bcf9d002d569e96a4012
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:1'735'940 bytes
First seen:2020-11-10 11:34:02 UTC
Last seen:2024-07-24 23:28:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep 24576:3AH7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0P:3AH7A3mw4gxeOw46fUbNecCCy
Threatray 3'525 similar samples on MalwareBazaar
TLSH 3385CFD7FD6F40ABE338C072A04F2A128298A935A701B75B7F39528558931D9E3D274F
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
59
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.Ep-7
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Cerber-6989221-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Forced system process termination
Unauthorized injection to a recently created process
Creating a window
Creating a file in the %temp% directory
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Creating a file in the mass storage device
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/528991
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Command shell drops VBS files
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 313597 Sample: RWN5e15GTS Startdate: 10/11/2020 Architecture: WINDOWS Score: 100 85 Antivirus detection for dropped file 2->85 87 Antivirus / Scanner detection for submitted sample 2->87 89 Multi AV Scanner detection for dropped file 2->89 91 6 other signatures 2->91 9 RWN5e15GTS.exe 2->9         started        12 SyncHost.exe 2->12         started        14 wscript.exe 1 2->14         started        16 StikyNot.exe 2->16         started        process3 signatures4 133 Detected unpacking (changes PE section rights) 9->133 135 Detected unpacking (creates a PE file in dynamic memory) 9->135 137 Detected unpacking (overwrites its own PE header) 9->137 139 Contains functionality to inject code into remote processes 9->139 18 cmd.exe 2 9->18         started        21 RWN5e15GTS.exe 1 51 9->21         started        141 Antivirus detection for dropped file 12->141 143 Multi AV Scanner detection for dropped file 12->143 145 Machine Learning detection for dropped file 12->145 23 SyncHost.exe 12->23         started        26 cmd.exe 12->26         started        28 RWN5e15GTS.exe 14->28         started        147 Tries to detect sandboxes / dynamic malware analysis system (file name check) 16->147 149 Injects a PE file into a foreign processes 16->149 30 StikyNot.exe 16->30         started        32 cmd.exe 1 16->32         started        process5 file6 93 Command shell drops VBS files 18->93 95 Drops VBS files to the startup folder 18->95 34 StikyNot.exe 18->34         started        37 conhost.exe 18->37         started        97 Writes to foreign memory regions 21->97 99 Allocates memory in foreign processes 21->99 101 Sample is not signed and drops a device driver 21->101 39 RWN5e15GTS.exe 1 3 21->39         started        41 diskperf.exe 5 21->41         started        75 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 23->75 dropped 77 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 23->77 dropped 79 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 23->79 dropped 81 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 23->81 dropped 103 Spreads via windows shares (copies files to share folders) 23->103 105 Sample uses process hollowing technique 23->105 43 conhost.exe 26->43         started        107 Tries to detect sandboxes / dynamic malware analysis system (file name check) 28->107 109 Injects a PE file into a foreign processes 28->109 45 RWN5e15GTS.exe 49 28->45         started        47 cmd.exe 1 28->47         started        51 2 other processes 30->51 83 C:\Users\user\AppData\Roaming\...\x.vbs, ASCII 32->83 dropped 49 conhost.exe 32->49         started        signatures7 process8 signatures9 111 Antivirus detection for dropped file 34->111 113 Multi AV Scanner detection for dropped file 34->113 115 Detected unpacking (changes PE section rights) 34->115 123 5 other signatures 34->123 53 StikyNot.exe 49 34->53         started        56 cmd.exe 1 34->56         started        117 Spreads via windows shares (copies files to share folders) 45->117 119 Writes to foreign memory regions 45->119 121 Allocates memory in foreign processes 45->121 58 RWN5e15GTS.exe 2 45->58         started        60 diskperf.exe 45->60         started        62 conhost.exe 47->62         started        process10 signatures11 125 Spreads via windows shares (copies files to share folders) 53->125 127 Writes to foreign memory regions 53->127 129 Allocates memory in foreign processes 53->129 131 Injects a PE file into a foreign processes 53->131 64 diskperf.exe 53->64         started        67 StikyNot.exe 2 53->67         started        69 conhost.exe 56->69         started        process12 file13 71 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 64->71 dropped 73 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 64->73 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe5386cd43958a7d73820c890e0a52455c732cb4bf74bcf9d002d569e96a4012/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 11:41:16 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7zjyntkdswfh244cbseq4cssivohglfux52lz6oqalkwt2lkiaja._file
Verdict:
unknown
Similar samples:
0954707116de7974c38346f17987886632546664d0933bafd412fb343e408317
AveMariaRAT
12c0aac78e35536d75940c301e62cb8cb0388f4e43cf9f1925e02a66cbe2a319
AveMariaRAT
1b7544a23889922c4262251462e81dc2c6d481f1b6c5164a82e4ea5b2b31ff91
AveMariaRAT
33a1631c7b9063a39f15b2fde90f874f5657417d7a265fa03b6277b9c907ca33
AveMariaRAT
3772ad390ed9afe00625633bcc8b4ef9a3cc4ebd3afcdd17e5bcbc77d6dcf450
AveMariaRAT
614ef9ec888de4d04f0624fd4a65f1965313c03592dfe7565d463859ce7122b0
AveMariaRAT
78507fc9bb7ae5d0b07e652a6e473dfa8989868cfb5bdede487cafe0c5798723
AveMariaRAT
a597feb1835307dd3115e535a07ad16544b7950dd1de4e4247bc3bc49f02a487
AveMariaRAT
cc07bcb41bac2d36932375e5be5c4c1b52e147ba3b3c585d5c2435cc0471308d
AveMariaRAT
ff05b5ddbc9d78b2f4507e9e2a16d63cc007584d9cc5e641b41a4a73d96d0c02
AveMariaRAT
+ 3'515 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat persistence rat
Link:
https://tria.ge/reports/201110-z41ezr4k92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Unpacked files
SH256 hash:
fe5386cd43958a7d73820c890e0a52455c732cb4bf74bcf9d002d569e96a4012
MD5 hash:
d2805c41b17b18c1512bcc2e12aeb4a5
SHA1 hash:
f4f28d5996cce85604f4384e7e9e82d841ab5bef
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/8694348a-81a1-4e53-b9e0-509edd8a9c00/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments