SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ave_maria (Back to overview)

Ave Maria

aka: AVE_MARIA, AveMariaRAT, Warzone RAT, avemaria

Actor(s): Anunak

Information stealer which uses AutoIT for wrapping.

References
2020-05-21MalwarebytesMalwarebytes Labs
@techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-02-03Check Point ResearchYaroslav Harakhavik
@online{harakhavik:20200203:warzone:18606cf, author = {Yaroslav Harakhavik}, title = {{Warzone: Behind the enemy lines}}, date = {2020-02-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/}, language = {English}, urldate = {2020-02-03} } Warzone: Behind the enemy lines
Ave Maria
2019-07-25Team CymruTeam Cymru
@online{cymru:20190725:unmasking:91638f6, author = {Team Cymru}, title = {{Unmasking AVE_MARIA}}, date = {2019-07-25}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/}, language = {English}, urldate = {2020-01-08} } Unmasking AVE_MARIA
Ave Maria
2019-05-08Kaspersky LabsYury Namestnikov, Félix Aime
@online{namestnikov:20190508:fin75:443b111, author = {Yury Namestnikov and Félix Aime}, title = {{FIN7.5: the infamous cybercrime rig “FIN7” continues its activities}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/}, language = {English}, urldate = {2019-12-20} } FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
Griffon Ave Maria Anunak
2019-05-08Kaspersky LabsKaspersky Labs
@online{labs:20190508:fin7:6874fc6, author = {Kaspersky Labs}, title = {{Fin7 hacking group targets more than 130 companies after leaders’ arrest}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest}, language = {English}, urldate = {2020-03-22} } Fin7 hacking group targets more than 130 companies after leaders’ arrest
Ave Maria ANTHROPOID SPIDER
2019-04-11ReaqtaReaqta
@online{reaqta:20190411:avemaria:d6cd904, author = {Reaqta}, title = {{Ave_Maria Malware: there's more than meets the eye}}, date = {2019-04-11}, organization = {Reaqta}, url = {https://reaqta.com/2019/04/ave_maria-malware-part1/}, language = {English}, urldate = {2020-01-07} } Ave_Maria Malware: there's more than meets the eye
Ave Maria
2019-03-01MorphisecAlon Groisman
@online{groisman:20190301:threat:aaf612e, author = {Alon Groisman}, title = {{Threat Alert: AVE Maria infostealer on the rise}}, date = {2019-03-01}, organization = {Morphisec}, url = {http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery}, language = {English}, urldate = {2020-01-09} } Threat Alert: AVE Maria infostealer on the rise
Ave Maria
2019-01-11Cybaze-Yorio Z-LabAntonio Farina, Luca Mella, Antonio Pirozzi
@online{farina:20190111:avemaria:a3fd77c, author = {Antonio Farina and Luca Mella and Antonio Pirozzi}, title = {{The “AVE_MARIA” Malware}}, date = {2019-01-11}, organization = {Cybaze-Yorio Z-Lab}, url = {https://blog.yoroi.company/research/the-ave_maria-malware/}, language = {English}, urldate = {2019-11-26} } The “AVE_MARIA” Malware
Ave Maria
Yara Rules
[TLP:WHITE] win_ave_maria_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_ave_maria_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffd0 83bdf4feffff02 7508 8b85e8feffff c9 c3 33c0 }
            // n = 7, score = 400
            //   ffd0                 | call                eax
            //   83bdf4feffff02       | cmp                 dword ptr [ebp - 0x10c], 2
            //   7508                 | jne                 0xa
            //   8b85e8feffff         | mov                 eax, dword ptr [ebp - 0x118]
            //   c9                   | leave               
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { 57 e8???????? 83c40c 85c0 7505 895e04 eb36 }
            // n = 7, score = 400
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   895e04               | mov                 dword ptr [esi + 4], ebx
            //   eb36                 | jmp                 0x38

        $sequence_2 = { 8b08 6a01 50 ff510c 85c0 0f8437ffffff }
            // n = 6, score = 400
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ff510c               | call                dword ptr [ecx + 0xc]
            //   85c0                 | test                eax, eax
            //   0f8437ffffff         | je                  0xffffff3d

        $sequence_3 = { 8bfa 8bd9 e8???????? 33c9 3bc3 8d45f0 50 }
            // n = 7, score = 400
            //   8bfa                 | mov                 edi, edx
            //   8bd9                 | mov                 ebx, ecx
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   3bc3                 | cmp                 eax, ebx
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax

        $sequence_4 = { c20800 55 8bec 8b4508 56 8bf1 894508 }
            // n = 7, score = 400
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   894508               | mov                 dword ptr [ebp + 8], eax

        $sequence_5 = { c1ca02 c1c908 03fb 8b5dec 81e100ff00ff c1c008 25ff00ff00 }
            // n = 7, score = 400
            //   c1ca02               | ror                 edx, 2
            //   c1c908               | ror                 ecx, 8
            //   03fb                 | add                 edi, ebx
            //   8b5dec               | mov                 ebx, dword ptr [ebp - 0x14]
            //   81e100ff00ff         | and                 ecx, 0xff00ff00
            //   c1c008               | rol                 eax, 8
            //   25ff00ff00           | and                 eax, 0xff00ff

        $sequence_6 = { 8d3cb1 85f6 7412 8d7ffc 8b0f e8???????? 832700 }
            // n = 7, score = 400
            //   8d3cb1               | lea                 edi, [ecx + esi*4]
            //   85f6                 | test                esi, esi
            //   7412                 | je                  0x14
            //   8d7ffc               | lea                 edi, [edi - 4]
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   e8????????           |                     
            //   832700               | and                 dword ptr [edi], 0

        $sequence_7 = { 8bd6 e8???????? 833e00 0f8453010000 8d7324 56 }
            // n = 6, score = 400
            //   8bd6                 | mov                 edx, esi
            //   e8????????           |                     
            //   833e00               | cmp                 dword ptr [esi], 0
            //   0f8453010000         | je                  0x159
            //   8d7324               | lea                 esi, [ebx + 0x24]
            //   56                   | push                esi

        $sequence_8 = { 8b4508 6a00 ff7004 ff30 ff710c ff15???????? }
            // n = 6, score = 400
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff30                 | push                dword ptr [eax]
            //   ff710c               | push                dword ptr [ecx + 0xc]
            //   ff15????????         |                     

        $sequence_9 = { 5e 5b c9 c3 83611800 83611400 }
            // n = 6, score = 400
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 
            //   83611800             | and                 dword ptr [ecx + 0x18], 0
            //   83611400             | and                 dword ptr [ecx + 0x14], 0

    condition:
        7 of them and filesize < 237568
}
Download all Yara Rules