SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ave_maria (Back to overview)

Ave Maria

aka: AVE_MARIA, AveMariaRAT, Warzone RAT, avemaria

Actor(s): Anunak

Information stealer which uses AutoIT for wrapping.

References
2021-02-06Clairvoyance Security LabAdvanced threat research team
@online{team:20210206:mo:c85d4df, author = {Advanced threat research team}, title = {{Mo Luoxiu (Confucius) organizes a new round of secret theft attacks on South Asian military enterprises}}, date = {2021-02-06}, organization = {Clairvoyance Security Lab}, url = {https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA}, language = {Chinese}, urldate = {2021-02-09} } Mo Luoxiu (Confucius) organizes a new round of secret theft attacks on South Asian military enterprises
Ave Maria
2021-01-27Youtube (OALabs)Sergei Frankoff
@online{frankoff:20210127:ida:15a720f, author = {Sergei Frankoff}, title = {{IDA Pro Decompiler Basics Microcode and x86 Calling Conventions}}, date = {2021-01-27}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=T0tdj1WDioM}, language = {English}, urldate = {2021-01-27} } IDA Pro Decompiler Basics Microcode and x86 Calling Conventions
Ave Maria
2021-01-21360 Threat Intelligence CenterAdvanced Threat Institute
@online{institute:20210121:disclosure:7709c9e, author = {Advanced Threat Institute}, title = {{Disclosure of Manling Flower Organization (APT-C-08) using Warzone RAT attack}}, date = {2021-01-21}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw}, language = {Chinese}, urldate = {2021-01-26} } Disclosure of Manling Flower Organization (APT-C-08) using Warzone RAT attack
Ave Maria
2021-01-12UptycsAbhijit Mohanta, Ashwin Vamshi
@online{mohanta:20210112:confucius:865bcc8, author = {Abhijit Mohanta and Ashwin Vamshi}, title = {{Confucius APT deploys Warzone RAT}}, date = {2021-01-12}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat}, language = {English}, urldate = {2021-01-13} } Confucius APT deploys Warzone RAT
Ave Maria Confucius
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-11-30Medium Asuna AmawakaAsuna Amawaka
@online{amawaka:20201130:do:ff3adb4, author = {Asuna Amawaka}, title = {{Do you want to bake a donut? Come on, let’s go update~ Go away, Maria.}}, date = {2020-11-30}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1}, language = {English}, urldate = {2021-02-18} } Do you want to bake a donut? Come on, let’s go update~ Go away, Maria.
Ave Maria
2020-11-25UptycsShilpesh Trivedi, Abhijit Mohanta
@online{trivedi:20201125:warzone:bb2219a, author = {Shilpesh Trivedi and Abhijit Mohanta}, title = {{Warzone RAT comes with UAC bypass technique}}, date = {2020-11-25}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique}, language = {English}, urldate = {2020-12-16} } Warzone RAT comes with UAC bypass technique
Ave Maria
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-09-02Cisco TalosHolger Unterbrink, Edmund Brumaghin
@online{unterbrink:20200902:salfram:74ae3c9, author = {Holger Unterbrink and Edmund Brumaghin}, title = {{Salfram: Robbing the place without removing your name tag}}, date = {2020-09-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html}, language = {English}, urldate = {2020-09-03} } Salfram: Robbing the place without removing your name tag
Ave Maria ISFB SmokeLoader Zloader
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-05-21MalwarebytesMalwarebytes Labs
@techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-02-28PWC UKPWC UK
@techreport{uk:20200228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2020-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-02} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-02-03Check Point ResearchYaroslav Harakhavik
@online{harakhavik:20200203:warzone:18606cf, author = {Yaroslav Harakhavik}, title = {{Warzone: Behind the enemy lines}}, date = {2020-02-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/}, language = {English}, urldate = {2020-02-03} } Warzone: Behind the enemy lines
Ave Maria
2019-07-25Team CymruTeam Cymru
@online{cymru:20190725:unmasking:91638f6, author = {Team Cymru}, title = {{Unmasking AVE_MARIA}}, date = {2019-07-25}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/}, language = {English}, urldate = {2020-01-08} } Unmasking AVE_MARIA
Ave Maria
2019-05-08Kaspersky LabsYury Namestnikov, Félix Aime
@online{namestnikov:20190508:fin75:443b111, author = {Yury Namestnikov and Félix Aime}, title = {{FIN7.5: the infamous cybercrime rig “FIN7” continues its activities}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/}, language = {English}, urldate = {2019-12-20} } FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
Griffon Ave Maria Anunak
2019-05-08Kaspersky LabsKaspersky Labs
@online{labs:20190508:fin7:6874fc6, author = {Kaspersky Labs}, title = {{Fin7 hacking group targets more than 130 companies after leaders’ arrest}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest}, language = {English}, urldate = {2020-03-22} } Fin7 hacking group targets more than 130 companies after leaders’ arrest
Ave Maria ANTHROPOID SPIDER
2019-04-11ReaqtaReaqta
@online{reaqta:20190411:avemaria:d6cd904, author = {Reaqta}, title = {{Ave_Maria Malware: there's more than meets the eye}}, date = {2019-04-11}, organization = {Reaqta}, url = {https://reaqta.com/2019/04/ave_maria-malware-part1/}, language = {English}, urldate = {2020-01-07} } Ave_Maria Malware: there's more than meets the eye
Ave Maria
2019-03-01MorphisecAlon Groisman
@online{groisman:20190301:threat:aaf612e, author = {Alon Groisman}, title = {{Threat Alert: AVE Maria infostealer on the rise}}, date = {2019-03-01}, organization = {Morphisec}, url = {http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery}, language = {English}, urldate = {2020-01-09} } Threat Alert: AVE Maria infostealer on the rise
Ave Maria
2019-01-11Cybaze-Yorio Z-LabAntonio Farina, Luca Mella, Antonio Pirozzi
@online{farina:20190111:avemaria:a3fd77c, author = {Antonio Farina and Luca Mella and Antonio Pirozzi}, title = {{The “AVE_MARIA” Malware}}, date = {2019-01-11}, organization = {Cybaze-Yorio Z-Lab}, url = {https://blog.yoroi.company/research/the-ave_maria-malware/}, language = {English}, urldate = {2019-11-26} } The “AVE_MARIA” Malware
Ave Maria
Yara Rules
[TLP:WHITE] win_ave_maria_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_ave_maria_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 68???????? 6a67 33db 53 ff15???????? 8bf0 56 }
            // n = 7, score = 400
            //   68????????           |                     
            //   6a67                 | push                0x67
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   56                   | push                esi

        $sequence_1 = { 56 8bf1 c745fc29bb66e4 57 6a04 8d45fc 8d7e08 }
            // n = 7, score = 400
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   c745fc29bb66e4       | mov                 dword ptr [ebp - 4], 0xe466bb29
            //   57                   | push                edi
            //   6a04                 | push                4
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   8d7e08               | lea                 edi, [esi + 8]

        $sequence_2 = { ff750c ff7508 50 50 ff15???????? 33c9 8906 }
            // n = 7, score = 400
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   50                   | push                eax
            //   50                   | push                eax
            //   ff15????????         |                     
            //   33c9                 | xor                 ecx, ecx
            //   8906                 | mov                 dword ptr [esi], eax

        $sequence_3 = { 8bc8 e8???????? eb02 8bc7 8bce 8906 e8???????? }
            // n = 7, score = 400
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   eb02                 | jmp                 4
            //   8bc7                 | mov                 eax, edi
            //   8bce                 | mov                 ecx, esi
            //   8906                 | mov                 dword ptr [esi], eax
            //   e8????????           |                     

        $sequence_4 = { 6a1a 5a 8d4c240c e8???????? 8b0f e8???????? 8b0f }
            // n = 7, score = 400
            //   6a1a                 | push                0x1a
            //   5a                   | pop                 edx
            //   8d4c240c             | lea                 ecx, [esp + 0xc]
            //   e8????????           |                     
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   e8????????           |                     
            //   8b0f                 | mov                 ecx, dword ptr [edi]

        $sequence_5 = { 7409 8b01 51 ff5008 897e34 8b4e18 85c9 }
            // n = 7, score = 400
            //   7409                 | je                  0xb
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   51                   | push                ecx
            //   ff5008               | call                dword ptr [eax + 8]
            //   897e34               | mov                 dword ptr [esi + 0x34], edi
            //   8b4e18               | mov                 ecx, dword ptr [esi + 0x18]
            //   85c9                 | test                ecx, ecx

        $sequence_6 = { 8975fc e8???????? ffb5b0fdffff 56 6800100000 ff15???????? 8bf0 }
            // n = 7, score = 400
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   e8????????           |                     
            //   ffb5b0fdffff         | push                dword ptr [ebp - 0x250]
            //   56                   | push                esi
            //   6800100000           | push                0x1000
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_7 = { 5d c20400 56 8bf1 57 8b4e34 85c9 }
            // n = 7, score = 400
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   57                   | push                edi
            //   8b4e34               | mov                 ecx, dword ptr [esi + 0x34]
            //   85c9                 | test                ecx, ecx

        $sequence_8 = { 33c2 894de4 33c6 c1c105 034db0 81c3a1ebd96e 03c8 }
            // n = 7, score = 400
            //   33c2                 | xor                 eax, edx
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   33c6                 | xor                 eax, esi
            //   c1c105               | rol                 ecx, 5
            //   034db0               | add                 ecx, dword ptr [ebp - 0x50]
            //   81c3a1ebd96e         | add                 ebx, 0x6ed9eba1
            //   03c8                 | add                 ecx, eax

        $sequence_9 = { 57 8bf9 33db 57 895c2424 895c2428 895c2410 }
            // n = 7, score = 400
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   895c2428             | mov                 dword ptr [esp + 0x28], ebx
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx

    condition:
        7 of them and filesize < 237568
}
Download all Yara Rules