SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ave_maria (Back to overview)

Ave Maria

aka: AVE_MARIA, AveMariaRAT, Warzone RAT, WarzoneRAT, avemaria

Actor(s): Anunak


Information stealer which uses AutoIT for wrapping.

References
2023-09-08Gi7w0rm
@online{gi7w0rm:20230908:uncovering:e0089d9, author = {Gi7w0rm}, title = {{Uncovering DDGroup — A long-time threat actor}}, date = {2023-09-08}, url = {https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4}, language = {English}, urldate = {2023-09-08} } Uncovering DDGroup — A long-time threat actor
AsyncRAT Ave Maria BitRAT DBatLoader NetWire RC Quasar RAT XWorm
2023-08-25Github (muha2xmad)Muhammad Hasan Ali
@online{ali:20230825:warzone:c3a141c, author = {Muhammad Hasan Ali}, title = {{Warzone RAT configuration extractor}}, date = {2023-08-25}, organization = {Github (muha2xmad)}, url = {https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/warzonerat/warzonerat_config_extraction.ipynb}, language = {English}, urldate = {2023-08-25} } Warzone RAT configuration extractor
Ave Maria
2023-08-25Github (muha2xmad)Muhammad Hasan Ali
@online{ali:20230825:technical:f86126a, author = {Muhammad Hasan Ali}, title = {{Technical analysis of WarZoneRAT malware}}, date = {2023-08-25}, organization = {Github (muha2xmad)}, url = {https://muha2xmad.github.io/malware-analysis/warzonerat/}, language = {English}, urldate = {2023-08-25} } Technical analysis of WarZoneRAT malware
Ave Maria
2023-07-11SpamhausSpamhaus Malware Labs
@techreport{labs:20230711:spamhaus:4e2885e, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2023}}, date = {2023-07-11}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-07-22} } Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee
2023-06-23SecuronixDen Iyzvyk, Tim Peck, T. Peck, O. Kolesnikov, D. Iuzvyk
@online{iyzvyk:20230623:detecting:bdc70ce, author = {Den Iyzvyk and Tim Peck and T. Peck and O. Kolesnikov and D. Iuzvyk}, title = {{Detecting New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities to Drop Multiple RAT Payloads With Security Analytics}}, date = {2023-06-23}, organization = {Securonix}, url = {https://www.securonix.com/securonix-threat-labs-security-advisory-multistorm-leverages-python-based-loader-as-onedrive-utilities-to-drop-rat-payloads/}, language = {English}, urldate = {2023-07-02} } Detecting New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities to Drop Multiple RAT Payloads With Security Analytics
Ave Maria
2023-04-24Kaspersky LabsPierre Delcher, Ivan Kwiatkowski
@online{delcher:20230424:tomiris:2d65352, author = {Pierre Delcher and Ivan Kwiatkowski}, title = {{Tomiris called, they want their Turla malware back}}, date = {2023-04-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/}, language = {English}, urldate = {2023-04-26} } Tomiris called, they want their Turla malware back
KopiLuwak Andromeda Ave Maria GoldMax JLORAT Kazuar Meterpreter QUIETCANARY RATel Roopy Telemiris tomiris Topinambour
2023-04-12SpamhausSpamhaus Malware Labs
@techreport{labs:20230412:spamhaus:aa309d1, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2023}}, date = {2023-04-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-04-18} } Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-03-25kienmanowar BlogTran Trung Kien, m4n0w4r
@online{kien:20230325:quicknote:c2b9de4, author = {Tran Trung Kien and m4n0w4r}, title = {{[QuickNote] Decrypting the C2 configuration of Warzone RAT}}, date = {2023-03-25}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2023/03/25/quicknote-decrypting-the-c2-configuration-of-warzone-rat/}, language = {English}, urldate = {2023-03-27} } [QuickNote] Decrypting the C2 configuration of Warzone RAT
Ave Maria
2023-02-03Huntress LabsChad Hudson
@online{hudson:20230203:ave:688ad0d, author = {Chad Hudson}, title = {{Ave Maria and the Chambers of Warzone RAT}}, date = {2023-02-03}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat}, language = {English}, urldate = {2023-02-03} } Ave Maria and the Chambers of Warzone RAT
Ave Maria
2023-01-17QianxinRed Raindrop Team
@online{team:20230117:kasablanka:d2d13e1, author = {Red Raindrop Team}, title = {{Kasablanka Group Probably Conducted Compaigns Targeting Russia}}, date = {2023-01-17}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/}, language = {English}, urldate = {2023-01-18} } Kasablanka Group Probably Conducted Compaigns Targeting Russia
Ave Maria Loda
2022-11-24ExploitReversingAlexandre Borges
@techreport{borges:20221124:malware:a5021aa, author = {Alexandre Borges}, title = {{Malware Analysis Series (MAS): Article 6}}, date = {2022-11-24}, institution = {ExploitReversing}, url = {https://exploitreversing.files.wordpress.com/2022/11/mas_6-1.pdf}, language = {English}, urldate = {2022-11-25} } Malware Analysis Series (MAS): Article 6
Ave Maria
2022-10-13SpamhausSpamhaus Malware Labs
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} } Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-19Recorded FutureInsikt Group®
@techreport{group:20220919:russianexus:e07ed8e, author = {Insikt Group®}, title = {{Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine}}, date = {2022-09-19}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf}, language = {English}, urldate = {2022-09-26} } Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine
Ave Maria Colibri Loader DCRat
2022-07-21ASECASEC Analysis Team
@online{team:20220721:malware:6c62ac8, author = {ASEC Analysis Team}, title = {{Malware Being Distributed by Disguising Itself as Icon of V3 Lite}}, date = {2022-07-21}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/36629/}, language = {English}, urldate = {2022-07-25} } Malware Being Distributed by Disguising Itself as Icon of V3 Lite
Ave Maria
2022-05-31UptycsPritam Salunkhe, Shilpesh Trivedi
@online{salunkhe:20220531:warzonerat:2f3eeae, author = {Pritam Salunkhe and Shilpesh Trivedi}, title = {{WarzoneRAT Can Now Evade Detection With Process Hollowing}}, date = {2022-05-31}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing}, language = {English}, urldate = {2022-06-08} } WarzoneRAT Can Now Evade Detection With Process Hollowing
Ave Maria
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220519:net:ecf311c, author = {The BlackBerry Research & Intelligence Team}, title = {{.NET Stubs: Sowing the Seeds of Discord (PureCrypter)}}, date = {2022-05-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord}, language = {English}, urldate = {2022-06-09} } .NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-05-12MorphisecHido Cohen
@online{cohen:20220512:new:6e12278, author = {Hido Cohen}, title = {{New SYK Crypter Distributed Via Discord}}, date = {2022-05-12}, organization = {Morphisec}, url = {https://blog.morphisec.com/syk-crypter-discord}, language = {English}, urldate = {2022-06-09} } New SYK Crypter Distributed Via Discord
AsyncRAT Ave Maria Nanocore RAT NjRAT Quasar RAT RedLine Stealer
2022-05-12FortiGuard LabsXiaopeng Zhang
@online{zhang:20220512:phishing:2e3122c, author = {Xiaopeng Zhang}, title = {{Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I}}, date = {2022-05-12}, organization = {FortiGuard Labs}, url = {https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware}, language = {English}, urldate = {2022-08-05} } Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I
Ave Maria BitRAT Pandora RAT
2022-05-02cocomelonccocomelonc
@online{cocomelonc:20220502:malware:4384b01, author = {cocomelonc}, title = {{Malware development: persistence - part 3. COM DLL hijack. Simple C++ example}}, date = {2022-05-02}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 3. COM DLL hijack. Simple C++ example
Agent.BTZ Ave Maria Konni Mosquito TurlaRPC
2021-12-16BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20211216:threat:c968a64, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Warzone RAT Breeds a Litter of ScriptKiddies}}, date = {2021-12-16}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/12/threat-thursday-warzone-rat-breeds-a-litter-of-scriptkiddies}, language = {English}, urldate = {2021-12-17} } Threat Thursday: Warzone RAT Breeds a Litter of ScriptKiddies
Ave Maria
2021-10-21NetskopeGustavo Palazolo
@online{palazolo:20211021:dbatloader:7074875, author = {Gustavo Palazolo}, title = {{DBatLoader: Abusing Discord to Deliver Warzone RAT}}, date = {2021-10-21}, organization = {Netskope}, url = {https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat}, language = {English}, urldate = {2021-10-26} } DBatLoader: Abusing Discord to Deliver Warzone RAT
Ave Maria DBatLoader
2021-09-23TalosAsheer Malhotra, Vanja Svajcer, Justin Thattil
@online{malhotra:20210923:operation:056c76c, author = {Asheer Malhotra and Vanja Svajcer and Justin Thattil}, title = {{Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs}}, date = {2021-09-23}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html}, language = {English}, urldate = {2021-10-05} } Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs
Ave Maria NetWire RC
2021-09-20Trend MicroAliakbar Zahravi, William Gamazo Sanchez
@online{zahravi:20210920:water:63df486, author = {Aliakbar Zahravi and William Gamazo Sanchez}, title = {{Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads}}, date = {2021-09-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html}, language = {English}, urldate = {2021-09-22} } Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads
Ave Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:d6456f8, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:9b97238, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-07-21Youtube (OALabs)OALabs
@online{oalabs:20210721:warzone:d391d61, author = {OALabs}, title = {{Warzone RAT Config Extraction With Python and IDA Pro}}, date = {2021-07-21}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=-G82xh9m4hc}, language = {English}, urldate = {2021-07-22} } Warzone RAT Config Extraction With Python and IDA Pro
Ave Maria
2021-07-12IBMMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12Cipher Tech SolutionsMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-01Quick HealAyush Puri
@online{puri:20210701:warzone:becd74e, author = {Ayush Puri}, title = {{WARZONE RAT – Beware Of The Trojan Malware Stealing Data Triggering From Various Office Documents}}, date = {2021-07-01}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/}, language = {English}, urldate = {2021-07-11} } WARZONE RAT – Beware Of The Trojan Malware Stealing Data Triggering From Various Office Documents
Ave Maria
2021-05-19Youtube (OALabs)Sergei Frankoff
@online{frankoff:20210519:reverse:f2f9d20, author = {Sergei Frankoff}, title = {{Reverse Engineering Warzone RAT - Part 1}}, date = {2021-05-19}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=81fdvmGmRvM}, language = {English}, urldate = {2021-05-26} } Reverse Engineering Warzone RAT - Part 1
Ave Maria
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-06Clairvoyance Security LabAdvanced threat research team
@online{team:20210206:mo:c85d4df, author = {Advanced threat research team}, title = {{Mo Luoxiu (Confucius) organizes a new round of secret theft attacks on South Asian military enterprises}}, date = {2021-02-06}, organization = {Clairvoyance Security Lab}, url = {https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA}, language = {Chinese}, urldate = {2021-02-09} } Mo Luoxiu (Confucius) organizes a new round of secret theft attacks on South Asian military enterprises
Ave Maria
2021-01-27Youtube (OALabs)Sergei Frankoff
@online{frankoff:20210127:ida:15a720f, author = {Sergei Frankoff}, title = {{IDA Pro Decompiler Basics Microcode and x86 Calling Conventions}}, date = {2021-01-27}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=T0tdj1WDioM}, language = {English}, urldate = {2021-01-27} } IDA Pro Decompiler Basics Microcode and x86 Calling Conventions
Ave Maria
2021-01-21360 Threat Intelligence CenterAdvanced Threat Institute
@online{institute:20210121:disclosure:7709c9e, author = {Advanced Threat Institute}, title = {{Disclosure of Manling Flower Organization (APT-C-08) using Warzone RAT attack}}, date = {2021-01-21}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw}, language = {Chinese}, urldate = {2021-01-26} } Disclosure of Manling Flower Organization (APT-C-08) using Warzone RAT attack
Ave Maria
2021-01-12UptycsAbhijit Mohanta, Ashwin Vamshi
@online{mohanta:20210112:confucius:865bcc8, author = {Abhijit Mohanta and Ashwin Vamshi}, title = {{Confucius APT deploys Warzone RAT}}, date = {2021-01-12}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat}, language = {English}, urldate = {2021-01-13} } Confucius APT deploys Warzone RAT
Ave Maria Confucius
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-11-30Medium Asuna AmawakaAsuna Amawaka
@online{amawaka:20201130:do:ff3adb4, author = {Asuna Amawaka}, title = {{Do you want to bake a donut? Come on, let’s go update~ Go away, Maria.}}, date = {2020-11-30}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1}, language = {English}, urldate = {2021-02-18} } Do you want to bake a donut? Come on, let’s go update~ Go away, Maria.
Ave Maria
2020-11-25UptycsShilpesh Trivedi, Abhijit Mohanta
@online{trivedi:20201125:warzone:bb2219a, author = {Shilpesh Trivedi and Abhijit Mohanta}, title = {{Warzone RAT comes with UAC bypass technique}}, date = {2020-11-25}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique}, language = {English}, urldate = {2020-12-16} } Warzone RAT comes with UAC bypass technique
Ave Maria
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-09-02Cisco TalosHolger Unterbrink, Edmund Brumaghin
@online{unterbrink:20200902:salfram:74ae3c9, author = {Holger Unterbrink and Edmund Brumaghin}, title = {{Salfram: Robbing the place without removing your name tag}}, date = {2020-09-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html}, language = {English}, urldate = {2020-09-03} } Salfram: Robbing the place without removing your name tag
Ave Maria ISFB SmokeLoader Zloader
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-05-21MalwarebytesMalwarebytes Labs
@techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-02-03Check Point ResearchYaroslav Harakhavik
@online{harakhavik:20200203:warzone:18606cf, author = {Yaroslav Harakhavik}, title = {{Warzone: Behind the enemy lines}}, date = {2020-02-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/}, language = {English}, urldate = {2020-02-03} } Warzone: Behind the enemy lines
Ave Maria
2019-07-25Team CymruTeam Cymru
@online{cymru:20190725:unmasking:91638f6, author = {Team Cymru}, title = {{Unmasking AVE_MARIA}}, date = {2019-07-25}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/}, language = {English}, urldate = {2020-01-08} } Unmasking AVE_MARIA
Ave Maria
2019-05-08Kaspersky LabsKaspersky Labs
@online{labs:20190508:fin7:6874fc6, author = {Kaspersky Labs}, title = {{Fin7 hacking group targets more than 130 companies after leaders’ arrest}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest}, language = {English}, urldate = {2020-03-22} } Fin7 hacking group targets more than 130 companies after leaders’ arrest
Ave Maria ANTHROPOID SPIDER
2019-05-08Kaspersky LabsYury Namestnikov, Félix Aime
@online{namestnikov:20190508:fin75:443b111, author = {Yury Namestnikov and Félix Aime}, title = {{FIN7.5: the infamous cybercrime rig “FIN7” continues its activities}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/}, language = {English}, urldate = {2019-12-20} } FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
Griffon Ave Maria FIN7
2019-04-11ReaqtaReaqta
@online{reaqta:20190411:avemaria:d6cd904, author = {Reaqta}, title = {{Ave_Maria Malware: there's more than meets the eye}}, date = {2019-04-11}, organization = {Reaqta}, url = {https://reaqta.com/2019/04/ave_maria-malware-part1/}, language = {English}, urldate = {2020-01-07} } Ave_Maria Malware: there's more than meets the eye
Ave Maria
2019-03-01MorphisecAlon Groisman
@online{groisman:20190301:threat:aaf612e, author = {Alon Groisman}, title = {{Threat Alert: AVE Maria infostealer on the rise}}, date = {2019-03-01}, organization = {Morphisec}, url = {http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery}, language = {English}, urldate = {2020-01-09} } Threat Alert: AVE Maria infostealer on the rise
Ave Maria
2019-01-11Cybaze-Yorio Z-LabAntonio Farina, Luca Mella, Antonio Pirozzi
@online{farina:20190111:avemaria:a3fd77c, author = {Antonio Farina and Luca Mella and Antonio Pirozzi}, title = {{The “AVE_MARIA” Malware}}, date = {2019-01-11}, organization = {Cybaze-Yorio Z-Lab}, url = {https://blog.yoroi.company/research/the-ave_maria-malware/}, language = {English}, urldate = {2019-11-26} } The “AVE_MARIA” Malware
Ave Maria
Yara Rules
[TLP:WHITE] win_ave_maria_auto (20230715 | Detects win.ave_maria.)
rule win_ave_maria_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.ave_maria."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 52 6a01 8b08 50 ff510c 85c0 74db }
            // n = 7, score = 400
            //   52                   | push                edx
            //   6a01                 | push                1
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   50                   | push                eax
            //   ff510c               | call                dword ptr [ecx + 0xc]
            //   85c0                 | test                eax, eax
            //   74db                 | je                  0xffffffdd

        $sequence_1 = { 72bf 83fe28 7656 83fe2e 7451 ebb3 81feb3000000 }
            // n = 7, score = 400
            //   72bf                 | jb                  0xffffffc1
            //   83fe28               | cmp                 esi, 0x28
            //   7656                 | jbe                 0x58
            //   83fe2e               | cmp                 esi, 0x2e
            //   7451                 | je                  0x53
            //   ebb3                 | jmp                 0xffffffb5
            //   81feb3000000         | cmp                 esi, 0xb3

        $sequence_2 = { 8bd9 57 6a05 58 6a14 33ff 89460c }
            // n = 7, score = 400
            //   8bd9                 | mov                 ebx, ecx
            //   57                   | push                edi
            //   6a05                 | push                5
            //   58                   | pop                 eax
            //   6a14                 | push                0x14
            //   33ff                 | xor                 edi, edi
            //   89460c               | mov                 dword ptr [esi + 0xc], eax

        $sequence_3 = { c9 c3 3c02 7408 3c03 0f859a000000 83bde8feffff05 }
            // n = 7, score = 400
            //   c9                   | leave               
            //   c3                   | ret                 
            //   3c02                 | cmp                 al, 2
            //   7408                 | je                  0xa
            //   3c03                 | cmp                 al, 3
            //   0f859a000000         | jne                 0xa0
            //   83bde8feffff05       | cmp                 dword ptr [ebp - 0x118], 5

        $sequence_4 = { 741c e8???????? 8906 8bc8 ff7704 8b17 }
            // n = 6, score = 400
            //   741c                 | je                  0x1e
            //   e8????????           |                     
            //   8906                 | mov                 dword ptr [esi], eax
            //   8bc8                 | mov                 ecx, eax
            //   ff7704               | push                dword ptr [edi + 4]
            //   8b17                 | mov                 edx, dword ptr [edi]

        $sequence_5 = { 85c0 7507 68???????? eb1c 8d45fc 50 56 }
            // n = 7, score = 400
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   68????????           |                     
            //   eb1c                 | jmp                 0x1e
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_6 = { 55 8bec 56 57 8b7d08 832700 83670400 }
            // n = 7, score = 400
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   832700               | and                 dword ptr [edi], 0
            //   83670400             | and                 dword ptr [edi + 4], 0

        $sequence_7 = { 50 ff510c 85c0 0f8437ffffff 8b4dfc 85c9 7409 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   ff510c               | call                dword ptr [ecx + 0xc]
            //   85c0                 | test                eax, eax
            //   0f8437ffffff         | je                  0xffffff3d
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   85c9                 | test                ecx, ecx
            //   7409                 | je                  0xb

        $sequence_8 = { ff7510 03550c 8bcf e8???????? 8b7508 83c404 8bce }
            // n = 7, score = 400
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   03550c               | add                 edx, dword ptr [ebp + 0xc]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   83c404               | add                 esp, 4
            //   8bce                 | mov                 ecx, esi

        $sequence_9 = { c1c105 33c2 c1cf02 33c6 81c2d6c162ca 05d6c162ca 0345d0 }
            // n = 7, score = 400
            //   c1c105               | rol                 ecx, 5
            //   33c2                 | xor                 eax, edx
            //   c1cf02               | ror                 edi, 2
            //   33c6                 | xor                 eax, esi
            //   81c2d6c162ca         | add                 edx, 0xca62c1d6
            //   05d6c162ca           | add                 eax, 0xca62c1d6
            //   0345d0               | add                 eax, dword ptr [ebp - 0x30]

    condition:
        7 of them and filesize < 237568
}
Download all Yara Rules