SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ave_maria (Back to overview)

Ave Maria

aka: AVE_MARIA, AveMariaRAT, Warzone RAT, WarzoneRAT, avemaria

Actor(s): Anunak

VTCollection    

Information stealer which uses AutoIT for wrapping.

References
2024-02-12EuropolEuropol
International cybercrime malware service targeting thousands of unsuspecting consumers dismantled
Ave Maria
2024-02-12BleepingComputerBill Toulas
FBI seizes Warzone RAT infrastructure, arrests malware vendor
Ave Maria
2023-11-16CISACISA
Scattered Spider
Ave Maria BlackCat Raccoon Vidar
2023-11-16CISACISA
Scattered Spider
BlackCat Ave Maria Raccoon Vidar
2023-10-25Cisco TalosAsheer Malhotra, Vitor Ventura
Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan
Ave Maria Loda YoroTrooper
2023-10-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar
2023-09-08Gi7w0rm
Uncovering DDGroup — A long-time threat actor
AsyncRAT Ave Maria BitRAT DBatLoader NetWire RC Quasar RAT XWorm
2023-08-25Github (muha2xmad)Muhammad Hasan Ali
Technical analysis of WarZoneRAT malware
Ave Maria
2023-08-25Github (muha2xmad)Muhammad Hasan Ali
Warzone RAT configuration extractor
Ave Maria
2023-07-11SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee
2023-06-23SecuronixD. Iuzvyk, Den Iyzvyk, O. Kolesnikov, T. Peck, Tim Peck
Detecting New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities to Drop Multiple RAT Payloads With Security Analytics
Ave Maria
2023-04-24Kaspersky LabsIvan Kwiatkowski, Pierre Delcher
Tomiris called, they want their Turla malware back
KopiLuwak Andromeda Ave Maria GoldMax JLORAT Kazuar Meterpreter QUIETCANARY RATel Roopy Telemiris tomiris Topinambour Tomiris
2023-04-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-03-25kienmanowar Blogm4n0w4r, Tran Trung Kien
[QuickNote] Decrypting the C2 configuration of Warzone RAT
Ave Maria
2023-02-03Huntress LabsChad Hudson
Ave Maria and the Chambers of Warzone RAT
Ave Maria
2023-01-17QianxinRed Raindrop Team
Kasablanka Group Probably Conducted Compaigns Targeting Russia
Ave Maria Loda
2022-11-24ExploitReversingAlexandre Borges
Malware Analysis Series (MAS): Article 6
Ave Maria
2022-10-13SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-19Recorded FutureInsikt Group®
Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine
Ave Maria Colibri Loader DCRat
2022-07-21ASECASEC Analysis Team
Malware Being Distributed by Disguising Itself as Icon of V3 Lite
Ave Maria
2022-05-31UptycsPritam Salunkhe, Shilpesh Trivedi
WarzoneRAT Can Now Evade Detection With Process Hollowing
Ave Maria
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-05-12FortiGuard LabsXiaopeng Zhang
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I
Ave Maria BitRAT Pandora RAT
2022-05-12MorphisecHido Cohen
New SYK Crypter Distributed Via Discord
AsyncRAT Ave Maria Nanocore RAT NjRAT Quasar RAT RedLine Stealer
2022-05-02cocomelonccocomelonc
Malware development: persistence - part 3. COM DLL hijack. Simple C++ example
Agent.BTZ Ave Maria Konni Mosquito TurlaRPC
2021-12-16BlackberryThe BlackBerry Research & Intelligence Team
Threat Thursday: Warzone RAT Breeds a Litter of ScriptKiddies
Ave Maria
2021-10-21NetskopeGustavo Palazolo
DBatLoader: Abusing Discord to Deliver Warzone RAT
Ave Maria DBatLoader
2021-09-23TalosAsheer Malhotra, Justin Thattil, Vanja Svajcer
Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs
Ave Maria NetWire RC
2021-09-20Trend MicroAliakbar Zahravi, William Gamazo Sanchez
Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads
Ave Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT
2021-09-13Trend MicroDaniel Lunghi, Jaromír Hořejší
APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-13Trend MicroDaniel Lunghi, Jaromír Hořejší
APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-07-21Youtube (OALabs)OALabs
Warzone RAT Config Extraction With Python and IDA Pro
Ave Maria
2021-07-12Cipher Tech SolutionsClaire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12IBMClaire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-01Quick HealAyush Puri
WARZONE RAT – Beware Of The Trojan Malware Stealing Data Triggering From Various Office Documents
Ave Maria
2021-05-19Youtube (OALabs)Sergei Frankoff
Reverse Engineering Warzone RAT - Part 1
Ave Maria
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-06Clairvoyance Security LabAdvanced threat research team
Mo Luoxiu (Confucius) organizes a new round of secret theft attacks on South Asian military enterprises
Ave Maria
2021-01-27Youtube (OALabs)Sergei Frankoff
IDA Pro Decompiler Basics Microcode and x86 Calling Conventions
Ave Maria
2021-01-21360 Threat Intelligence CenterAdvanced Threat Institute
Disclosure of Manling Flower Organization (APT-C-08) using Warzone RAT attack
Ave Maria
2021-01-12UptycsAbhijit Mohanta, Ashwin Vamshi
Confucius APT deploys Warzone RAT
Ave Maria Confucius
2020-12-21Cisco TalosJON MUNSHAW
2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-11-30Medium Asuna AmawakaAsuna Amawaka
Do you want to bake a donut? Come on, let’s go update~ Go away, Maria.
Ave Maria
2020-11-25UptycsAbhijit Mohanta, Shilpesh Trivedi
Warzone RAT comes with UAC bypass technique
Ave Maria
2020-11-03Kaspersky LabsGReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-09-02Cisco TalosEdmund Brumaghin, Holger Unterbrink
Salfram: Robbing the place without removing your name tag
Ave Maria ISFB SmokeLoader Zloader
2020-07-30SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-05-21MalwarebytesMalwarebytes Labs
Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-02-03Check Point ResearchYaroslav Harakhavik
Warzone: Behind the enemy lines
Ave Maria
2019-07-25Team CymruTeam Cymru
Unmasking AVE_MARIA
Ave Maria
2019-05-08Kaspersky LabsKaspersky Labs
Fin7 hacking group targets more than 130 companies after leaders’ arrest
Ave Maria ANTHROPOID SPIDER
2019-05-08Kaspersky LabsFélix Aime, Yury Namestnikov
FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
Griffon Ave Maria FIN7
2019-04-11ReaqtaReaqta
Ave_Maria Malware: there's more than meets the eye
Ave Maria
2019-03-01MorphisecAlon Groisman
Threat Alert: AVE Maria infostealer on the rise
Ave Maria
2019-01-11Cybaze-Yorio Z-LabAntonio Farina, Antonio Pirozzi, Luca Mella
The “AVE_MARIA” Malware
Ave Maria
Yara Rules
[TLP:WHITE] win_ave_maria_auto (20230808 | Detects win.ave_maria.)
rule win_ave_maria_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.ave_maria."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b07 ff740610 8d4614 50 8d45f8 50 }
            // n = 6, score = 400
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   ff740610             | push                dword ptr [esi + eax + 0x10]
            //   8d4614               | lea                 eax, [esi + 0x14]
            //   50                   | push                eax
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax

        $sequence_1 = { 52 8b08 6a01 50 ff510c 85c0 74c1 }
            // n = 7, score = 400
            //   52                   | push                edx
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ff510c               | call                dword ptr [ecx + 0xc]
            //   85c0                 | test                eax, eax
            //   74c1                 | je                  0xffffffc3

        $sequence_2 = { 6a0a 03c1 59 8bf8 f3a5 8d4d30 }
            // n = 6, score = 400
            //   6a0a                 | push                0xa
            //   03c1                 | add                 eax, ecx
            //   59                   | pop                 ecx
            //   8bf8                 | mov                 edi, eax
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8d4d30               | lea                 ecx, [ebp + 0x30]

        $sequence_3 = { 0f57c0 c745e015000000 50 8d4de0 0f1145e8 e8???????? 8bc8 }
            // n = 7, score = 400
            //   0f57c0               | xorps               xmm0, xmm0
            //   c745e015000000       | mov                 dword ptr [ebp - 0x20], 0x15
            //   50                   | push                eax
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   0f1145e8             | movups              xmmword ptr [ebp - 0x18], xmm0
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_4 = { 803800 7509 33c0 5b c3 33c0 40 }
            // n = 7, score = 400
            //   803800               | cmp                 byte ptr [eax], 0
            //   7509                 | jne                 0xb
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax

        $sequence_5 = { 8bc7 99 2bc1 8bcf 1bd6 52 50 }
            // n = 7, score = 400
            //   8bc7                 | mov                 eax, edi
            //   99                   | cdq                 
            //   2bc1                 | sub                 eax, ecx
            //   8bcf                 | mov                 ecx, edi
            //   1bd6                 | sbb                 edx, esi
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_6 = { ff500c 8b06 68???????? ff37 8b08 }
            // n = 5, score = 400
            //   ff500c               | call                dword ptr [eax + 0xc]
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   68????????           |                     
            //   ff37                 | push                dword ptr [edi]
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_7 = { 51 54 8bce e8???????? 8b4d08 e8???????? 83c410 }
            // n = 7, score = 400
            //   51                   | push                ecx
            //   54                   | push                esp
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_8 = { 300431 41 3bcf 7ced 5f 8bc6 5e }
            // n = 7, score = 400
            //   300431               | xor                 byte ptr [ecx + esi], al
            //   41                   | inc                 ecx
            //   3bcf                 | cmp                 ecx, edi
            //   7ced                 | jl                  0xffffffef
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi

        $sequence_9 = { 83ec18 53 8bd9 56 57 895df8 }
            // n = 6, score = 400
            //   83ec18               | sub                 esp, 0x18
            //   53                   | push                ebx
            //   8bd9                 | mov                 ebx, ecx
            //   56                   | push                esi
            //   57                   | push                edi
            //   895df8               | mov                 dword ptr [ebp - 8], ebx

    condition:
        7 of them and filesize < 237568
}
Download all Yara Rules