win.ave_maria

Ave Maria

aka: AVE_MARIA, AveMariaRAT, Warzone RAT, WarzoneRAT, avemaria

Actor(s): Anunak


Information stealer which uses AutoIT for wrapping.

References
2024-04-13 | cyber5w | cyber5w, M4lcode
Analysis of malicious Microsoft office macros
AsyncRAT, Ave Maria

2024-04-09 | kienmanowar Blog | m4n0w4r, Tran Trung Kien
[QuickNote] Phishing email distributes WarZone RAT via DBatLoader
Ave Maria, DBatLoader

2024-02-12 | Europol | Europol
International cybercrime malware service targeting thousands of unsuspecting consumers dismantled
Ave Maria

2024-02-12 | BleepingComputer | Bill Toulas
FBI seizes Warzone RAT infrastructure, arrests malware vendor
Ave Maria

2024-02-09 | Department of Justice | Office of Public Affairs
International Cybercrime Malware Service Dismantled by Federal Authorities: Key Malware Sales and Support Actors in Malta and Nigeria Charged in Federal Indictments
Ave Maria

2023-11-16 | CISA | CISA
Scattered Spider
Ave Maria, BlackCat, Raccoon, Vidar

2023-11-16 | CISA | CISA
Scattered Spider
BlackCat, Ave Maria, Raccoon, Vidar

2023-10-25 | Cisco Talos | Asheer Malhotra, Vitor Ventura
Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan
Ave Maria, Loda, YoroTrooper

2023-10-12 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot, AsyncRAT, Ave Maria, Cobalt Strike, DCRat, Havoc, IcedID, ISFB, Nanocore RAT, NjRAT, QakBot, Quasar RAT, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Stealc, Tofsee, Vidar

2023-09-08 | Gi7w0rm
Uncovering DDGroup — A long-time threat actor
AsyncRAT, Ave Maria, BitRAT, DBatLoader, NetWire RC, Quasar RAT, XWorm

2023-08-25 | Github (muha2xmad) | Muhammad Hasan Ali
Technical analysis of WarZoneRAT malware
Ave Maria

2023-08-25 | Github (muha2xmad) | Muhammad Hasan Ali
Warzone RAT configuration extractor
Ave Maria

2023-07-11 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra, AsyncRAT, Aurora Stealer, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Havoc, IcedID, ISFB, NjRAT, QakBot, Quasar RAT, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Tofsee

2023-06-23 | Securonix | Den Iyzvyk, Oleg Kolesnikov, Tim Peck
Detecting New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities to Drop Multiple RAT Payloads With Security Analytics
Ave Maria

2023-04-24 | Kaspersky Labs | Ivan Kwiatkowski, Pierre Delcher
Tomiris called, they want their Turla malware back
KopiLuwak, Andromeda, Ave Maria, GoldMax, JLORAT, Kazuar, Meterpreter, QUIETCANARY, RATel, Roopy, Telemiris, tomiris, Topinambour, Tomiris

2023-04-12 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot, Amadey, AsyncRAT, Aurora, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Emotet, IcedID, ISFB, NjRAT, QakBot, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Tofsee, Vidar

2023-03-25 | kienmanowar Blog | m4n0w4r, Tran Trung Kien
[QuickNote] Decrypting the C2 configuration of Warzone RAT
Ave Maria

2023-02-03 | Huntress Labs | Chad Hudson
Ave Maria and the Chambers of Warzone RAT
Ave Maria

2023-01-17 | Qianxin | Red Raindrop Team
Kasablanka Group Probably Conducted Compaigns Targeting Russia
Ave Maria, Loda

2022-11-24 | ExploitReversing | Alexandre Borges
Malware Analysis Series (MAS): Article 6
Ave Maria

2022-10-13 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot, Arkei Stealer, AsyncRAT, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Dridex, Emotet, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, QakBot, RecordBreaker, RedLine Stealer, Remcos, Socelars, Tofsee, Vjw0rm

2022-09-19 | Recorded Future | Insikt Group®
Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine
Ave Maria, Colibri Loader, DCRat

2022-07-21 | ASEC | ASEC Analysis Team
Malware Being Distributed by Disguising Itself as Icon of V3 Lite
Ave Maria

2022-05-31 | Uptycs | Pritam Salunkhe, Shilpesh Trivedi
WarzoneRAT Can Now Evade Detection With Process Hollowing
Ave Maria

2022-05-19 | Blackberry | The BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot, AbstractEmu, AdoBot, 404 Keylogger, Agent Tesla, Amadey, AsyncRAT, Ave Maria, BitRAT, BluStealer, Formbook, LimeRAT, Loki Password Stealer (PWS), Nanocore RAT, Orcus RAT, Quasar RAT, Raccoon, RedLine Stealer, WhisperGate

2022-05-12 | FortiGuard Labs | Xiaopeng Zhang
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I
Ave Maria, BitRAT, Pandora RAT

2022-05-12 | Morphisec | Hido Cohen
New SYK Crypter Distributed Via Discord
AsyncRAT, Ave Maria, Nanocore RAT, NjRAT, Quasar RAT, RedLine Stealer

2022-05-02 | cocomelonc | cocomelonc
Malware development: persistence - part 3. COM DLL hijack. Simple C++ example
Agent.BTZ, Ave Maria, Konni, Mosquito, TurlaRPC

2021-12-16 | Blackberry | The BlackBerry Research & Intelligence Team
Threat Thursday: Warzone RAT Breeds a Litter of ScriptKiddies
Ave Maria

2021-10-21 | Netskope | Gustavo Palazolo
DBatLoader: Abusing Discord to Deliver Warzone RAT
Ave Maria, DBatLoader

2021-09-23 | Talos | Asheer Malhotra, Justin Thattil, Vanja Svajcer
Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs
Ave Maria, NetWire RC

2021-09-20 | Trend Micro | Aliakbar Zahravi, William Gamazo Sanchez
Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads
Ave Maria, BitRAT, LimeRAT, Nanocore RAT, NjRAT, Quasar RAT

2021-09-13 | Trend Micro | Daniel Lunghi, Jaromír Hořejší
APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)
AsyncRAT, Ave Maria, BitRAT, Imminent Monitor RAT, LimeRAT, NjRAT, Remcos

2021-09-13 | Trend Micro | Daniel Lunghi, Jaromír Hořejší
APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
AsyncRAT, Ave Maria, BitRAT, Imminent Monitor RAT, LimeRAT, NjRAT, Remcos

2021-07-21 | Youtube (OALabs) | OALabs
Warzone RAT Config Extraction With Python and IDA Pro
Ave Maria

2021-07-12 | Cipher Tech Solutions | Claire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger, Agent Tesla, AsyncRAT, Ave Maria, Azorult, BitRAT, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Quasar RAT, RedLine Stealer, Remcos

2021-07-12 | IBM | Claire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger, Agent Tesla, AsyncRAT, Ave Maria, Azorult, BitRAT, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Quasar RAT, RedLine Stealer, Remcos

2021-07-01 | Quick Heal | Ayush Puri
WARZONE RAT – Beware Of The Trojan Malware Stealing Data Triggering From Various Office Documents
Ave Maria

2021-05-19 | Youtube (OALabs) | Sergei Frankoff
Reverse Engineering Warzone RAT - Part 1
Ave Maria

2021-02-28 | PWC UK | PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle, Tonto Team

2021-02-06 | Clairvoyance Security Lab | Advanced threat research team
Mo Luoxiu (Confucius) organizes a new round of secret theft attacks on South Asian military enterprises
Ave Maria

2021-01-27 | Youtube (OALabs) | Sergei Frankoff
IDA Pro Decompiler Basics Microcode and x86 Calling Conventions
Ave Maria

2021-01-21 | 360 Threat Intelligence Center | Advanced Threat Institute
Disclosure of Manling Flower Organization (APT-C-08) using Warzone RAT attack
Ave Maria

2021-01-12 | Uptycs | Abhijit Mohanta, Ashwin Vamshi
Confucius APT deploys Warzone RAT
Ave Maria, Confucius

2020-12-21 | Cisco Talos | JON MUNSHAW
2020: The year in malware
WolfRAT, Prometei, Poet RAT, Agent Tesla, Astaroth, Ave Maria, CRAT, Emotet, Gozi, IndigoDrop, JhoneRAT, Nanocore RAT, NjRAT, Oblique RAT, SmokeLoader, StrongPity, WastedLocker, Zloader

2020-11-30 | Medium Asuna Amawaka | Asuna Amawaka
Do you want to bake a donut? Come on, let’s go update~ Go away, Maria.
Ave Maria

2020-11-25 | Uptycs | Abhijit Mohanta, Shilpesh Trivedi
Warzone RAT comes with UAC bypass technique
Ave Maria

2020-11-03 | Kaspersky Labs | GReAT
APT trends report Q3 2020
WellMail, EVILNUM, Janicab, Poet RAT, AsyncRAT, Ave Maria, Cobalt Strike, Crimson RAT, CROSSWALK, Dtrack, LODEINFO, MoriAgent, Okrum, PlugX, poisonplug, Rover, ShadowPad, SoreFang, Winnti

2020-09-02 | Cisco Talos | Edmund Brumaghin, Holger Unterbrink
Salfram: Robbing the place without removing your name tag
Ave Maria, ISFB, SmokeLoader, Zloader

2020-07-30 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind, Agent Tesla, Arkei Stealer, AsyncRAT, Ave Maria, Azorult, DanaBot, Emotet, IcedID, ISFB, KPOT Stealer, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Pony, Raccoon, RedLine Stealer, Remcos, Zloader

2020-05-21 | Malwarebytes | Malwarebytes Labs
Cybercrime tactics and techniques
Ave Maria, Azorult, DanaBot, Loki Password Stealer (PWS), NetWire RC

2020-02-03 | Check Point Research | Yaroslav Harakhavik
Warzone: Behind the enemy lines
Ave Maria

2019-07-25 | Team Cymru | Team Cymru
Unmasking AVE_MARIA
Ave Maria

2019-05-08 | Kaspersky Labs | Kaspersky Labs
Fin7 hacking group targets more than 130 companies after leaders’ arrest
Ave Maria, ANTHROPOID SPIDER

2019-05-08 | Kaspersky Labs | Félix Aime, Yury Namestnikov
FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
Griffon, Ave Maria, FIN7

2019-04-11 | Reaqta | Reaqta
Ave_Maria Malware: there's more than meets the eye
Ave Maria

2019-03-01 | Morphisec | Alon Groisman
Threat Alert: AVE Maria infostealer on the rise
Ave Maria

2019-01-11 | Cybaze-Yorio Z-Lab | Antonio Farina, Antonio Pirozzi, Luca Mella
The “AVE_MARIA” Malware
Ave Maria
Yara Rules
[TLP:WHITE] win_ave_maria_auto (20241030 | Detects win.ave_maria.)
rule win_ave_maria_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.ave_maria."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8165e800ff00ff c1c008 25ff00ff00 894df8 0945e8 8bc7 33c2 }
            // n = 7, score = 400
            //   8165e800ff00ff       | and                 dword ptr [ebp - 0x18], 0xff00ff00
            //   c1c008               | rol                 eax, 8
            //   25ff00ff00           | and                 eax, 0xff00ff
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   0945e8               | or                  dword ptr [ebp - 0x18], eax
            //   8bc7                 | mov                 eax, edi
            //   33c2                 | xor                 eax, edx

        $sequence_1 = { 8bcf e8???????? 8d4de0 e8???????? 33f6 e9???????? e8???????? }
            // n = 7, score = 400
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   e8????????           |                     
            //   33f6                 | xor                 esi, esi
            //   e9????????           |                     
            //   e8????????           |                     

        $sequence_2 = { 50 e8???????? 8d4c2424 e8???????? 46 3b770c 7293 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d4c2424             | lea                 ecx, [esp + 0x24]
            //   e8????????           |                     
            //   46                   | inc                 esi
            //   3b770c               | cmp                 esi, dword ptr [edi + 0xc]
            //   7293                 | jb                  0xffffff95

        $sequence_3 = { e8???????? 897e34 ff15???????? 5f 5e c20400 55 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   897e34               | mov                 dword ptr [esi + 0x34], edi
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c20400               | ret                 4
            //   55                   | push                ebp

        $sequence_4 = { 56 57 57 57 53 6801000080 ff15???????? }
            // n = 7, score = 400
            //   56                   | push                esi
            //   57                   | push                edi
            //   57                   | push                edi
            //   57                   | push                edi
            //   53                   | push                ebx
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     

        $sequence_5 = { 85f6 742c 8b5004 2bf2 ff750c 8b08 83c2f8 }
            // n = 7, score = 400
            //   85f6                 | test                esi, esi
            //   742c                 | je                  0x2e
            //   8b5004               | mov                 edx, dword ptr [eax + 4]
            //   2bf2                 | sub                 esi, edx
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83c2f8               | add                 edx, -8

        $sequence_6 = { 81ce00ffffff 46 8b4df8 8a040e 88040f 47 881c0e }
            // n = 7, score = 400
            //   81ce00ffffff         | or                  esi, 0xffffff00
            //   46                   | inc                 esi
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8a040e               | mov                 al, byte ptr [esi + ecx]
            //   88040f               | mov                 byte ptr [edi + ecx], al
            //   47                   | inc                 edi
            //   881c0e               | mov                 byte ptr [esi + ecx], bl

        $sequence_7 = { 50 50 8d45f8 50 8d85f0cfffff 50 53 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   50                   | push                eax
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   8d85f0cfffff         | lea                 eax, [ebp - 0x3010]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_8 = { 8b07 5f 8b443004 5e 894304 5b 5d }
            // n = 7, score = 400
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   5f                   | pop                 edi
            //   8b443004             | mov                 eax, dword ptr [eax + esi + 4]
            //   5e                   | pop                 esi
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp

        $sequence_9 = { 83ec18 53 8b5d08 56 57 8bf9 53 }
            // n = 7, score = 400
            //   83ec18               | sub                 esp, 0x18
            //   53                   | push                ebx
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   53                   | push                ebx

    condition:
        7 of them and filesize < 237568
}