MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff406cf2d3e54504d217f522c1bfed0377c1b30794d992f69facc5873f560b05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff406cf2d3e54504d217f522c1bfed0377c1b30794d992f69facc5873f560b05
SHA3-384 hash: 2745d84757d5bc8a86ff7435e46934c11364e63e7ef77cd55e7b885494d19cbce6816ec562c475d69f2e846056498029
SHA1 hash: 81dcbb256d6ecfb79f428c1929764a8114f52b11
MD5 hash: 103cc8be4bfebf9f3bf42e84eba93156
humanhash: green-mango-comet-black
File name:ff406cf2d3e54504d217f522c1bfed0377c1b30794d992f69facc5873f560b05
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:3'024'548 bytes
First seen:2020-11-14 17:58:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 676f4bc1db7fb9f072b157186a10179e (1'400 x AveMariaRAT, 37 x Riskware.Generic, 2 x njrat)
ssdeep 24576:3pN7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH6:3pN7AAmw4gxeOw46fUbNecCCFbNecX
Threatray 4'287 similar samples on MalwareBazaar
TLSH A2E5BFF7750D0067F7673931B00F57529A9879B85300AB2F6B6C2B8960E72C266D3E87
Reporter seifreed
Tags:AveMariaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Ursu-6793772-0
Create hunting rule

Win.Malware.Ursu-6914170-0
Create hunting rule

Win.Malware.Ursu-6914171-0
Create hunting rule

Win.Malware.Cerber-6989221-0
Create hunting rule

Win.Malware.Cryptinject-9785242-0
Create hunting rule

Win.Trojan.Ulise-9792178-0
Create hunting rule

Win.Trojan.Ulise-9792179-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a window
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/536132
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Command shell drops VBS files
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Spreads via windows shares (copies files to share folders)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 317165 Sample: 1cs6NjfZeI Startdate: 15/11/2020 Architecture: WINDOWS Score: 100 124 Antivirus detection for dropped file 2->124 126 Antivirus / Scanner detection for submitted sample 2->126 128 Multi AV Scanner detection for submitted file 2->128 130 6 other signatures 2->130 13 1cs6NjfZeI.exe 2->13         started        16 wscript.exe 2->16         started        18 svchost.exe 2->18         started        20 6 other processes 2->20 process3 dnsIp4 180 Tries to detect sandboxes / dynamic malware analysis system (file name check) 13->180 182 Contains functionality to inject code into remote processes 13->182 184 Drops PE files with benign system names 13->184 186 Injects a PE file into a foreign processes 13->186 23 1cs6NjfZeI.exe 1 51 13->23         started        26 cmd.exe 2 13->26         started        28 StikyNot.exe 16->28         started        188 Changes security center settings (notifications, updates, antivirus, firewall) 18->188 110 127.0.0.1 unknown unknown 20->110 signatures5 process6 signatures7 150 Spreads via windows shares (copies files to share folders) 23->150 152 Writes to foreign memory regions 23->152 154 Allocates memory in foreign processes 23->154 156 Sample is not signed and drops a device driver 23->156 30 1cs6NjfZeI.exe 1 3 23->30         started        34 diskperf.exe 5 23->34         started        158 Command shell drops VBS files 26->158 160 Drops VBS files to the startup folder 26->160 36 conhost.exe 26->36         started        162 Tries to detect sandboxes / dynamic malware analysis system (file name check) 28->162 164 Sample uses process hollowing technique 28->164 166 Injects a PE file into a foreign processes 28->166 38 StikyNot.exe 28->38         started        40 cmd.exe 28->40         started        process8 file9 100 C:\Windows\System\explorer.exe, PE32 30->100 dropped 200 Installs a global keyboard hook 30->200 42 explorer.exe 30->42         started        102 C:\Users\user\AppData\Local\...\StikyNot.exe, PE32 34->102 dropped 104 C:\Users\user\...\Disk.sys:Zone.Identifier, ASCII 34->104 dropped 106 C:\Users\...\SyncHost.exe:Zone.Identifier, ASCII 34->106 dropped 108 C:\Users\...\StikyNot.exe:Zone.Identifier, ASCII 34->108 dropped 45 StikyNot.exe 34->45         started        202 Spreads via windows shares (copies files to share folders) 38->202 204 Sample uses process hollowing technique 38->204 206 Injects a PE file into a foreign processes 38->206 47 conhost.exe 40->47         started        signatures10 process11 signatures12 168 Antivirus detection for dropped file 42->168 170 Machine Learning detection for dropped file 42->170 172 Tries to detect sandboxes / dynamic malware analysis system (file name check) 42->172 178 2 other signatures 42->178 49 explorer.exe 47 42->49         started        53 spoolsv.exe 42->53         started        55 cmd.exe 42->55         started        57 cmd.exe 1 42->57         started        174 Multi AV Scanner detection for dropped file 45->174 176 Injects a PE file into a foreign processes 45->176 59 StikyNot.exe 46 45->59         started        61 cmd.exe 1 45->61         started        process13 file14 94 C:\Users\user\AppData\Local\Temp\Disk.sys, PE32 49->94 dropped 96 C:\Users\user\AppData\Local\...\SyncHost.exe, PE32 49->96 dropped 132 Injects code into the Windows Explorer (explorer.exe) 49->132 134 Drops executables to the windows directory (C:\Windows) and starts them 49->134 136 Spreads via windows shares (copies files to share folders) 49->136 142 2 other signatures 49->142 63 explorer.exe 3 17 49->63         started        68 diskperf.exe 49->68         started        138 Sample uses process hollowing technique 53->138 98 C:\Users\user\AppData\Roaming\...\x.vbs, ASCII 55->98 dropped 70 conhost.exe 55->70         started        72 conhost.exe 57->72         started        140 Injects a PE file into a foreign processes 59->140 74 StikyNot.exe 59->74         started        76 conhost.exe 61->76         started        signatures15 process16 dnsIp17 112 vccmd03.googlecode.com 63->112 114 vccmd02.googlecode.com 63->114 116 5 other IPs or domains 63->116 90 C:\Windows\System\spoolsv.exe, PE32 63->90 dropped 92 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 63->92 dropped 118 System process connects to network (likely due to code injection or exploit) 63->118 120 Creates an undocumented autostart registry key 63->120 122 Installs a global keyboard hook 63->122 78 spoolsv.exe 63->78         started        81 spoolsv.exe 63->81         started        file18 signatures19 process20 signatures21 190 Antivirus detection for dropped file 78->190 192 Machine Learning detection for dropped file 78->192 194 Tries to detect sandboxes / dynamic malware analysis system (file name check) 78->194 83 spoolsv.exe 78->83         started        86 cmd.exe 78->86         started        196 Drops executables to the windows directory (C:\Windows) and starts them 81->196 198 Injects a PE file into a foreign processes 81->198 process22 signatures23 144 Spreads via windows shares (copies files to share folders) 83->144 146 Sample uses process hollowing technique 83->146 148 Injects a PE file into a foreign processes 83->148 88 conhost.exe 86->88         started        process24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff406cf2d3e54504d217f522c1bfed0377c1b30794d992f69facc5873f560b05/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 17:59:45 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=75agz4wt4vcqjuqx6urmdp7nan34dmyhstmzf5u7vtcyop2wbmcq._file
Verdict:
malicious
Similar samples:
1cfea3d02575ae87c924799eb10ed2cad9e37e0b44a70fc709cc740732dead05
AveMariaRAT
3a65243f9c90c4da9e2eba16f82e9f0c6e963a887a494862e3ab0bf34ad087cf
AveMariaRAT
3e0c9a3b2805a33a90a06bba668f3e709f15d066d48c280b6715c5bf425d8629
AveMariaRAT
3fb90d8a4569ec1acc7433960d37b366227020c46b73e0e2387f56554fc90d70
AveMariaRAT
440b8d7da5a03d4e9681c1ed665b971882746ebc04bf215abc77cf9b6a1cbc3e
AveMariaRAT
516f5903f415000d759c5dbd52f83703646cc531decf0b4a48466f828cc7fc04
AveMariaRAT
634621ebdc17f9cd231f71de342ad5222c58a7687cec28d99220c15d5532ed81
AveMariaRAT
67b5dff4446d1a79f3af65c95f52d45f7a819c0e15215bbcf26fdedeafed00f4
AveMariaRAT
966b89d6d7cf241f4820acabfa3cbdd5c2322cc02e98fc9d3cd50249bcf3b5e8
AveMariaRAT
a68872fa7cef720305206cd42e552c610fb2d755aa725e5be9b0b71159fb8c8a
AveMariaRAT
+ 4'277 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat evasion infostealer persistence rat upx
Link:
https://tria.ge/reports/201114-sb9z5zwlhj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Warzone RAT Payload
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
ff406cf2d3e54504d217f522c1bfed0377c1b30794d992f69facc5873f560b05
MD5 hash:
103cc8be4bfebf9f3bf42e84eba93156
SHA1 hash:
81dcbb256d6ecfb79f428c1929764a8114f52b11
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/8936940a-2e87-42e7-af45-0b099770afb4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nymaim
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff406cf2d3e54504d217f522c1bfed0377c1b30794d992f69facc5873f560b05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ave_maria_warzone_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments