SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ave_maria (Back to overview)

Ave Maria

aka: AVE_MARIA, AveMariaRAT, Warzone RAT, avemaria

Actor(s): Anunak

Information stealer which uses AutoIT for wrapping.

References
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-09-02Cisco TalosHolger Unterbrink, Edmund Brumaghin
@online{unterbrink:20200902:salfram:74ae3c9, author = {Holger Unterbrink and Edmund Brumaghin}, title = {{Salfram: Robbing the place without removing your name tag}}, date = {2020-09-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html}, language = {English}, urldate = {2020-09-03} } Salfram: Robbing the place without removing your name tag
Ave Maria ISFB SmokeLoader Zloader
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-05-21MalwarebytesMalwarebytes Labs
@techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-02-03Check Point ResearchYaroslav Harakhavik
@online{harakhavik:20200203:warzone:18606cf, author = {Yaroslav Harakhavik}, title = {{Warzone: Behind the enemy lines}}, date = {2020-02-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/}, language = {English}, urldate = {2020-02-03} } Warzone: Behind the enemy lines
Ave Maria
2019-07-25Team CymruTeam Cymru
@online{cymru:20190725:unmasking:91638f6, author = {Team Cymru}, title = {{Unmasking AVE_MARIA}}, date = {2019-07-25}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/}, language = {English}, urldate = {2020-01-08} } Unmasking AVE_MARIA
Ave Maria
2019-05-08Kaspersky LabsYury Namestnikov, Félix Aime
@online{namestnikov:20190508:fin75:443b111, author = {Yury Namestnikov and Félix Aime}, title = {{FIN7.5: the infamous cybercrime rig “FIN7” continues its activities}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/}, language = {English}, urldate = {2019-12-20} } FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
Griffon Ave Maria Anunak
2019-05-08Kaspersky LabsKaspersky Labs
@online{labs:20190508:fin7:6874fc6, author = {Kaspersky Labs}, title = {{Fin7 hacking group targets more than 130 companies after leaders’ arrest}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest}, language = {English}, urldate = {2020-03-22} } Fin7 hacking group targets more than 130 companies after leaders’ arrest
Ave Maria ANTHROPOID SPIDER
2019-04-11ReaqtaReaqta
@online{reaqta:20190411:avemaria:d6cd904, author = {Reaqta}, title = {{Ave_Maria Malware: there's more than meets the eye}}, date = {2019-04-11}, organization = {Reaqta}, url = {https://reaqta.com/2019/04/ave_maria-malware-part1/}, language = {English}, urldate = {2020-01-07} } Ave_Maria Malware: there's more than meets the eye
Ave Maria
2019-03-01MorphisecAlon Groisman
@online{groisman:20190301:threat:aaf612e, author = {Alon Groisman}, title = {{Threat Alert: AVE Maria infostealer on the rise}}, date = {2019-03-01}, organization = {Morphisec}, url = {http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery}, language = {English}, urldate = {2020-01-09} } Threat Alert: AVE Maria infostealer on the rise
Ave Maria
2019-01-11Cybaze-Yorio Z-LabAntonio Farina, Luca Mella, Antonio Pirozzi
@online{farina:20190111:avemaria:a3fd77c, author = {Antonio Farina and Luca Mella and Antonio Pirozzi}, title = {{The “AVE_MARIA” Malware}}, date = {2019-01-11}, organization = {Cybaze-Yorio Z-Lab}, url = {https://blog.yoroi.company/research/the-ave_maria-malware/}, language = {English}, urldate = {2019-11-26} } The “AVE_MARIA” Malware
Ave Maria
Yara Rules
[TLP:WHITE] win_ave_maria_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_ave_maria_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8945ec e8???????? 8d857cfdffff 50 ff7508 ff15???????? }
            // n = 6, score = 200
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   e8????????           |                     
            //   8d857cfdffff         | lea                 eax, [ebp - 0x284]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     

        $sequence_1 = { 57 895df8 8b4308 3b4304 7278 8d7001 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]
            //   3b4304               | cmp                 eax, dword ptr [ebx + 4]
            //   7278                 | jb                  0x7a
            //   8d7001               | lea                 esi, [eax + 1]

        $sequence_2 = { 7504 b301 eb02 32db 8b4dfc e8???????? 84db }
            // n = 7, score = 200
            //   7504                 | jne                 6
            //   b301                 | mov                 bl, 1
            //   eb02                 | jmp                 4
            //   32db                 | xor                 bl, bl
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   84db                 | test                bl, bl

        $sequence_3 = { ff75e8 ff5760 59 85c0 7415 8b4de8 e8???????? }
            // n = 7, score = 200
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   ff5760               | call                dword ptr [edi + 0x60]
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   7415                 | je                  0x17
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   e8????????           |                     

        $sequence_4 = { 7516 09430c 33ff 8b4d08 e8???????? 8bc7 5f }
            // n = 7, score = 200
            //   7516                 | jne                 0x18
            //   09430c               | or                  dword ptr [ebx + 0xc], eax
            //   33ff                 | xor                 edi, edi
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi

        $sequence_5 = { e8???????? 68???????? 8d4f20 e8???????? 8d4d08 51 8bc8 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   68????????           |                     
            //   8d4f20               | lea                 ecx, [edi + 0x20]
            //   e8????????           |                     
            //   8d4d08               | lea                 ecx, [ebp + 8]
            //   51                   | push                ecx
            //   8bc8                 | mov                 ecx, eax

        $sequence_6 = { 8d45fc 50 6a05 e8???????? 83c40c }
            // n = 5, score = 200
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   6a05                 | push                5
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_7 = { 33c6 c1c105 034dd0 23c7 33d0 c1cf02 }
            // n = 6, score = 200
            //   33c6                 | xor                 eax, esi
            //   c1c105               | rol                 ecx, 5
            //   034dd0               | add                 ecx, dword ptr [ebp - 0x30]
            //   23c7                 | and                 eax, edi
            //   33d0                 | xor                 edx, eax
            //   c1cf02               | ror                 edi, 2

        $sequence_8 = { 7409 ff770c ff15???????? 5f 8bc3 5b c9 }
            // n = 7, score = 200
            //   7409                 | je                  0xb
            //   ff770c               | push                dword ptr [edi + 0xc]
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx
            //   c9                   | leave               

        $sequence_9 = { 56 8d45f8 50 6a00 ff33 ff37 ff15???????? }
            // n = 7, score = 200
            //   56                   | push                esi
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ff33                 | push                dword ptr [ebx]
            //   ff37                 | push                dword ptr [edi]
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 237568
}
Download all Yara Rules